Note: this post has been updated to fix a mistake in the knot-resolver configuration. The earlier version would not have provided the privacy it purported to. I regret the error.
Until yesterday I hadn’t thought too much about DNS metadata leakage. Here’s how it works: your computer sends out a request to resolve a DNS hostname, let’s say “topsecretwebsite.example,” and your DNS server responds back with its IP address in a way that’s easy to eavesdrop on. It’s wild that the Internet works like this by default.
What happened yesterday is a company called CloudFlare (a popular and free content delivery network) announced a new DNS service at the IP address 220.127.116.11. (Yes it launched on April 1, no it’s not a joke.) The service supports a couple of interesting privacy-protecting options: DNS-over-HTTPS and DNS-over-TLS. Those technologies don’t guarantee your DNS lookups are accurate (check out DNSSEC for that), or that the DNS provider won’t someday betray you; they just make it harder to collect metadata by listening in on DNS’s cleartext port 53.
Tonight my first radio segment for Hudson Mohawk Magazine aired on WOOC 105.3 FM in Troy, NY. To provide some context on the public hearing, maybe I’ll just post the lead-in script I provided for the hosts.
At Wednesday night’s Public Forum at the County Legislature, Troy residents Nora McDowell and Alexander Ferrer (FER-ERR) spoke out against the proposed 287(g) funding application that Sheriff Patrick Russo has sought from the Department of Homeland Security. Under the arrangement, Rensselaer County would be the first in New York State to collaborate with federal ICE agents. After the forum, WOOC reporter Dan Phiffer (FIE-FUR) spoke to County Legislator Peter Grimm.
You can also read more on no287g.com, a small website I created for the (cancelled) protest.