Maybe...
at a stretch.
9611 publicly visible posts • joined 11 Sep 2009
If you have spooks either (A) watching a DNS for trigger events or (B) going through DNS logs, then this method either (A) doesn't trigger the alert flag at the ISP's DNS or doesn't reveal the exact origination of the request at the .odns end and (B) means they have to obtain two sets of logs, potentially in two different jurisdictions, in order to decode the footprint.
All bets are off if they are watching an individual user; this methodology simply makes casting-a-net-and-see-what-we-get less worthwhile of an activity.
The "attack surface" is roughly speaking "The ISP's DNS logs every packet in its entirety and that log is readable by a hostile agent. This enables a client's entire internet activity to be mapped out where DNS lookups are being made."
The mitigation is to encrypt the request which the ISP is logging, but to do so in a way that a bog-standard DNS service can handle the query.
Application asks the transport layer for a website, say, l33th4xerr.org
The transport layer is charged with sorting this out, and presumably the .odns stub will sit here.
The .odns Top Level Domain is added by the stub inside the client or in the client's own Firewall/NAT/DNS relay, and this encrypts the requested address, so you get a lookup request for something like:
x.x.x.x wants the IP for 30831r]83Rouy[498tby[8nyr84[B'CRB.odns
The ISP's DNS throws its hands up in the air and says "I'll have to refer this to .odns as the source of authority".
The x.x.x.x is now replaced by the DNS relay...
r.r.r.r wants the IP for 30831r]83Rouy[498tby[8nyr84[B'CRB.odns query reference number 12345
.odns, as a source of authority, strips out the session key which it will use to encrypt the response, decodes the real request, looks it up, gets the response and encrypts that before sending it back to the ISP's DNS, which is the only IP address that it has - the originating requestor's IP address isn't included in the query string.
So the response now reads:
To r.r.r.r from .odns. In response to query reference 12345
The IP addresses for 30831r]83Rouy[498tby[8nyr84[B'CRB.odns are 4c34c3442r2cc5gdfgr4344tf33, dfarf7fpqn8tt9[]5t5]tbq5[t and fifty98[b3[[];'\g-0]-k
Now, the ISP's DNS isn't going to understand what the response is. The reason that the response is encrypted is so that the reply doesn't reveal the IP address of the query because the ISP's DNS is going to change the response to:
To x.x.x.x from r.r.r.r.
The IP addresses for 30831r]83Rouy[498tby[8nyr84[B'CRB.odns are 4c34c3442r2cc5gdfgr4344tf33, dfarf7fpqn8tt9[]5t5]tbq5[t and fifty98[b3[[];'\g-0]-k
And that will be logged.
The .odns stub then takes the encrypted part of the response and uses the private key to the session key that it sent to change the reply to:
To originating computer, the IP address for l33th4xerr.org is 12.43.128.12
or if the stub is sitting in the transport layer of the client, it will pass that on to the resolver and add it to the local address resolution list.
If you pwn the .odns, you only see an ISP's DNS asking for dodgy URLs, if you pwn the ISP's DNS, then you see a lot of nonsense requests for a particular IP address on that network - a household with a NAT Firewall or something. If you pwn both then you can get the complete picture.
The problem I have with this is that the encrypted reply might need to be understood by the ISP's DNS. Surely it will be trying to parse the response in order to cache it or something. And the character set of both request and response must fit within the footprint of what a domain name can be, although with multibyte domain naming allowed now, I guess that restriction is cited slightly.
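The query path described in the post above, as an added example that is not part of the original post or of any ODNS implementation: the stub hides the session key and the real name in a name that fits DNS label limits, and each party's log view is returned for comparison. The function names, sample key and IP addresses are constructed, and the SHA-256 keystream is a stdlib stand-in for the key-pair encryption the scheme actually uses.

```python
import base64, hashlib, os

MAX_LABEL, MAX_NAME = 63, 253  # DNS limits: octets per label, per name

def _keystream(key, nonce, n):
    # Stand-in cipher (SHA-256 counter mode) so the example runs on stdlib;
    # the scheme in the post uses a key pair held by the .odns authority.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stub_encode(qname, odns_key):
    """Client stub: hide session key + real name in a DNS-legal .odns name."""
    session_key, nonce = os.urandom(16), os.urandom(8)
    plain = session_key + qname.encode("ascii")  # assumes ASCII/punycode name
    blob = nonce + _xor(plain, _keystream(odns_key, nonce, len(plain)))
    # Base32 keeps the ciphertext inside [a-z2-7], legal in any hostname.
    text = base64.b32encode(blob).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + ["odns"])
    if len(name) > MAX_NAME:
        raise ValueError("encrypted name does not fit in a DNS name")
    return name, session_key

def authority_decode(name, odns_key):
    """.odns authority: recover (session_key, real_name) from the query name."""
    text = "".join(name.split(".")[:-1]).upper()
    blob = base64.b32decode(text + "=" * (-len(text) % 8))
    nonce, ct = blob[:8], blob[8:]
    plain = _xor(ct, _keystream(odns_key, nonce, len(ct)))
    return plain[:16], plain[16:].decode("ascii")

def simulate(qname, client_ip="192.0.2.10", resolver_ip="198.51.100.53"):
    """Return what each party can log; IPs and key are constructed samples."""
    odns_key = b"constructed-demo-key"
    wire_name, _ = stub_encode(qname, odns_key)
    isp_log = (client_ip, wire_name)       # ISP resolver: who, not what
    _, real_name = authority_decode(wire_name, odns_key)
    odns_log = (resolver_ip, real_name)    # .odns: what, not who
    return isp_log, odns_log

if __name__ == "__main__":
    for entry in simulate("l33th4xerr.org"):
        print(entry)
```

The length check matters in practice: the session key, nonce and base32 expansion leave well under 253 octets for the real name, so long hostnames are rejected rather than truncated.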
Crafty but obvious. It simply recurses to the odns server which has the other half of the key-pair, which then proxies the lookup. I suppose if one is trying to build a map of what a particular computer is doing, then this would help prevent that, but then so would using a revolving DNS package with a very disparate list of lookups. You'd have to scour dozens of resolvers to gather the map. This method concentrates all of the DNS requests to a single resolver. Unless one combined those methods of course; that would be like putting a jigsaw through a shredder that dumps its load in front of a leaf blower powered playground roundabout.
I used to work for a well-known American electronics high street retailer, now defunct in the UK, that started life making leather goods. You know the one?
Anyway, we had a regular who used to come in to buy the anti-static spray for record players (snake oil stuff - an atomiser filled with distilled water made up with about 5% IPA). He started asking for stronger stuff because "the US government had turned up the power when they realised they couldn't read him". Turns out he used the spray like a cologne. His baseball cap was lined with tin foil too, I noticed.
I don't know the details of that. When I took part I was 14 and on a school trip. They checked the bus orientation with a magnetic compass, I recall, so it couldn't have been a total wipeout. The top bit of the bus was probably mostly made of oak or ash and melamine in those days anyway!
Manchester university have been running a human magneto-orientation study for years. It involved minibussing blindfolded volunteers around Manchester, making use of several roundabouts to disguise direction, then a 20-30 minute drive around. Volunteers wore a headband containing either a magnet or a piece of brass, then had to guess and mark on a clipboard oriented towards the front of the coach which way was north and which way was the university.
I'm not sure what the results are looking like.
I can think of a certain basement area next to the Thames that's been flooded in the last 20 years. But that was down to a large water main running parallel to the river cracking open and the water finding its way through the ancient, long since covered and built upon, tributaries of the Old Father.
I don't know if it houses a DC or not; I suspect it does.
Hey, I laid the same shit, bro. That AND 10Base-5. Even less bendy, and required vampire taps about the size of a single volume of the Encyclopaedia Britannica. That was for a cluster of Vax/VMS machines. For DECNET I believe they called it. That, too, was so long ago it has been swept into a dusty corner of my mind.
Face ID might just be worthwhile then. Using camera and integrating calendar and some kind of dropbox programme built into a school management tool (anyone remember PowerSchool?) along with on-prem cloud storage that doesn't rely on a good external 'net link.
"Hello Bethany! Your timetable says that you are supposed to be in Art class now. I see you haven't finished your art drawing yet and submitted it to Miss Jerrard. Is that what we will be doing now?"
People are fascinated by the BS Proofreader's Marks chart I have on my office wall. I rescued it from my last job in a print training place - found a load in an old store room. I don't think many people in scientific publishing now realise it was a job people had and how regulated it was, with a language all of its own.
I've often thought that date sanity checking would be a valuable addition to spelling and grammar checking tools. The number of times I've had documents and emails coming through with days and dates not matching... e.g.
Your vehicle's annual service falls due on Wednesday 29th March 2018. To maintain your warranty... Yes, you've simply incremented the year by one on last year's letter, you muppet. Do you mean Thursday 29th March, or Wednesday 28th March? Don't make me guess! Or...
See you next Monday (the 3rd), then. So, do you mean April the 2nd (next Monday), April the 3rd (it's a Tuesday), or do I wait until September, which is the next time that Monday falls on the 3rd?
A simple sanity check for dates would save so much grief!
@Alan Brown.
It wasn't a point of view, it was a fact of law. You can check it out in The Zebra, Pelican and Puffin Pedestrian Crossings Regulations and General Directions 1997 if you want. Or look in the Road Traffic Act 1991.
If you want to cross the road and you use a couple of parked cars as a shield, then you're stood in the road, but you still have to wait until the road is clear if you want to cross safely. Drivers do NOT have to stop to let you cross in that situation.
Precedence and priority are the terms used in the applicable law, not "right of way". I wasn't condoning knocking people over, just correcting a misunderstanding. Pedestrians do not have automatic priority just because they step into the road. If anything people who think that is the case, as pedestrians, are a danger to themselves and other road users.
I'm thinking of creating a service, via an app, where one can quickly and simply call on a less regulated, sort of community based, bandwagon. It will be cheaper and easier than existing bandwagon boarding, providing a challenge to the established norms. And you won't be obliged to pay for hidden extras like pitchforks and burning torches either unless that's a service that you particularly want, where other micro-operators will step into the market gap as a complementary service provider.
It always confused me too. You watch Columbo or Starsky and Hutch or NCIS or anything like that, and the police protagonist is forever nipping across the road to have a word with the officers or agents sat in a sedan on surveillance opposite an apartment block. Surely that's jaywalking! Or does it only apply to some designation of road above a certain threshold like the UK's A road, B road and unclassified?
To the phantom thumb downers... a "right of way" is a legal term meaning [from Black's] "The right of passage or of way is a servitude imposed by law or by convention, and by virtue of which one has a right to pass on foot, or horseback, or in a vehicle, to drive beasts of burden or carts, through the estate of another." and "'Right of way', in its strict meaning, is the right of passage over another’s ground; and in its legal and generally accepted meaning, in reference to a railway, it is a mere easement in the lands of others, obtained by lawful condemnation to public use or by purchase."
That is to say that for a public road, vehicles and pedestrians both have rights of way.
The term you are thinking of is "priority", which applies only at junctions. If pedestrians simply had priority by virtue of putting their foot on the road, then we wouldn't need zebra crossings, would we?