Comment by 1vuio0pswjnm7 6 days ago

3 replies

This sounds like a company using DNS to direct _other_ people's web traffic through _their_ proxies. Cloudflare started this way. That's why signing up for Cloudflare requires using _Cloudflare's_ DNS servers

The so-called "DNS trick", which is definitely not a trick, is to redirect traffic through a proxy server. Whoever operates the proxy, e.g. Cloudflare, NextDNS, etc., has control over the HTTPS traffic and _could_ have access to the contents

HN commenters and other online commenters have criticised Cloudflare in the past because it decrypts ("terminates") TLS connections and _could_ thereby have access to the contents of customers' traffic

For any doubters, this access was confirmed some years ago when a coding mistake by someone at CF in a scanner generated with ragel caused customers' _decrypted_ web traffic contained in memory on Cloudflare's proxies to spill out all over the web. Leaked data became publicly available and remained discoverable via web search for a while; the data had to be scrubbed from search engines and web archives which took several days at least

https://en.wikipedia.org/wiki/Cloudbleed

NextDNS purports to be a "DNS service" but proxying HTTPS opens a new can of worms

NB. This comment is not claiming that NextDNS or anyone else does or does not do anything, nor that anyone will or won't do anything. This comment is about _what becomes possible through control over DNS_. The possibilities it allows for control are why I do not use third party DNS service and prefer to control my own DNS; having control can be very useful

dbmnt 5 days ago

No, I don't think they are proxying traffic. They are giving the website operators a spoofed EDNS Client Subnet which tricks them into thinking the traffic is coming from a different geolocation.

  • 1vuio0pswjnm7 5 days ago

    ECS is popular with third party DNS providers with open resolvers, like Google, but not all software that sends DNS queries sends large DNS packets with EDNS extensions and some www users avoid open resolvers

    One of the things that I noticed about NextDNS when they announced their service on HN is that like the other public caches, they too sent ECS, but they claimed they could "anonymise" it

1vuio0pswjnm7 5 days ago

Generally, CDNs, e.g., Akamai, etc., are authoritative DNS providers that direct HTTP traffic to selected reverse proxies

When a customer gives a third party recursive DNS provider, e.g., NextDNS, etc., permission to "block" certain domains then the third party may act as an authoritative nameserver. Queries with RD==1 for A RRs of "blocked" domains not already cached do not need to be forwarded to an authoritative nameserver chosen or operated by the domain owner. The third party can answer these queries with whatever address it chooses, e.g., 0.0.0.0, rewrite the answers, etc.

Whether any third party DNS provider is abusing this permission^1 is not the point of this comment. The point is that delegating DNS to a third party makes it possible^2

1. This could be difficult to discover

2. For example, I have seen DNS caches that return A records for certain domains that do not match the A records returned by the domain's authoritative nameservers; sometimes the responses even falsely claim they are authoritative answers. Academic papers have been published about countries that implement censorship via DNS. Even in the US, it's common for third party DNS providers such as hotels and certain ISPs, including cellular providers, to intercept DNS traffic and direct it to their own caches, rewrite answers, etc. This includes nonrecursive queries to a domain's authoritative nameservers
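An added illustration of the two mechanisms discussed in this thread: a recursive cache answering queries for "blocked" names with an address of its own choosing (here 0.0.0.0) and, as footnote 2 describes, falsely setting the AA bit, versus the answer the domain's authoritative nameserver gives; and the EDNS Client Subnet option that dbmnt mentions. This is example code written for this page, not code from any commenter, NextDNS or Cloudflare. It hand-builds and parses DNS wire-format messages with Python's standard library only; the zone name blocked.example, the addresses 198.51.100.10 and 203.0.113.0/24, and the three responses are constructed for illustration, so it runs offline.

```python
# Added example (not the commenter's code): hand-built DNS wire-format
# messages, standard library only. The zone blocked.example, the addresses
# and the three responses below are constructed for illustration.
import ipaddress
import struct

QTYPE_A, QCLASS_IN, TYPE_OPT, ECS_OPTION_CODE = 1, 1, 41, 8
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode "a.b.c" as DNS labels: length-prefixed, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_response(qname, a_records, aa, txid=0x1234):
    """Response to an A query; aa=True sets the Authoritative Answer bit."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if aa else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in a_records:
        # owner name is a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        msg += ipaddress.IPv4Address(ip).packed
    return msg


def parse_response(msg):
    """Return the header bits of interest and the set of A records answered."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE/QCLASS of the question
    addrs = set()
    for _ in range(an):
        _owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + rdlen])))
        off += rdlen
    return {"qname": qname, "aa": bool(flags & FLAG_AA), "rcode": flags & 0xF, "a": addrs}


def audit_cache(auth_msg, cache_msg):
    """Compare a recursive cache's answer against the authoritative nameserver's."""
    auth, cache = parse_response(auth_msg), parse_response(cache_msg)
    findings = []
    if cache["a"] != auth["a"]:
        findings.append("answer mismatch: cache %s vs authoritative %s"
                        % (sorted(cache["a"]), sorted(auth["a"])))
    if cache["aa"]:
        findings.append("cache set the AA bit on an answer it is not authoritative for")
    if "0.0.0.0" in cache["a"]:
        findings.append("cache returned the 0.0.0.0 sinkhole address")
    return findings


def ecs_option(client_subnet):
    """EDNS Client Subnet option (RFC 7871 s.6): FAMILY, SOURCE PREFIX-LENGTH,
    SCOPE PREFIX-LENGTH (0 in queries), ADDRESS truncated to the prefix."""
    net = ipaddress.ip_network(client_subnet, strict=False)
    family = 1 if net.version == 4 else 2
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    payload = struct.pack("!HBB", family, net.prefixlen, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def build_query_with_ecs(qname, client_subnet, txid=0x1234):
    """A-record query carrying an OPT RR whose only option is ECS for client_subnet."""
    opt = ecs_option(client_subnet)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(opt)) + opt
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    return hdr + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN) + opt_rr


# Constructed scenario: the zone's own nameserver answers 198.51.100.10; a
# "blocking" recursive cache answers 0.0.0.0 and wrongly claims to be authoritative.
AUTH_ANSWER = build_response("blocked.example", ["198.51.100.10"], aa=True)
BLOCKING_CACHE_ANSWER = build_response("blocked.example", ["0.0.0.0"], aa=True)
HONEST_CACHE_ANSWER = build_response("blocked.example", ["198.51.100.10"], aa=False)

if __name__ == "__main__":
    for finding in audit_cache(AUTH_ANSWER, BLOCKING_CACHE_ANSWER):
        print("FINDING:", finding)
    print("honest cache findings:", audit_cache(AUTH_ANSWER, HONEST_CACHE_ANSWER))
    print("ECS option for 203.0.113.0/24:", ecs_option("203.0.113.0/24").hex())
```

In practice the two responses would come from sending the same query (RD=0 against a nameserver from the zone's NS set, RD=1 against the cache under test) over UDP port 53; the comparison logic is the same, and a non-empty findings list is the signal that the path in between is rewriting answers. The ECS option is the part of the query that lets a resolver tell the authoritative server which client network it is asking on behalf of, which is also what a resolver could fill in with a subnet of its own choosing.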