Open bortzmeyer opened 4 years ago
I feel DNS cookies are still relevant in this context, as they make it easier for a resolver operator to track users who are behind NAT. In particular, if you take a paranoid stance towards the big open public resolvers (Google, CloudFlare, Quad9), this is a technology they could theoretically make use of to better track their users.
Also see my note about DoH servers returning unique IPv6 addresses during the bootstrap process. This allows accurate fingerprinting without ECS or cookies.
"although DNS cookies and EDNS Client Subnet signaling have undermined this" The situation with cookies is quite different, since they are hop-by-hop, not transmitted to the authoritative server (note that DNS over TCP, a very old thing, has the same properties as cookies, for user tracking). I would remove the mention of DNS cookies.
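The two mechanics argued over above (a client cookie letting a resolver tell apart hosts that share one NAT address, and the cookie being hop-by-hop so it never reaches the authoritative server) can be shown with a few lines of code. The following is an added illustration, not code from this thread or from the draft under discussion: it encodes and parses the EDNS(0) COOKIE option as laid out in RFC 7873 (option code 10, 8-byte client cookie, optional 8..32-byte server cookie), then simulates two stubs behind one NAT address. The NAT address 203.0.113.5, the stub names and the simplified "resolver" that only counts identities are constructed for the example; a real recursive resolver does far more, but the part that matters here, replacing the stub's cookie with its own before going upstream, is what the protocol specifies.

```python
"""DNS COOKIE (RFC 7873) as a per-client identifier behind NAT: added illustration,
not code from the thread or the draft. Addresses and names are constructed."""
import os
import struct

OPT_COOKIE = 10  # EDNS(0) OPTION-CODE for COOKIE (RFC 7873, section 4)


def build_cookie_option(client_cookie, server_cookie=b""):
    """Encode one EDNS(0) COOKIE option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    if len(client_cookie) != 8:
        raise ValueError("client cookie is a fixed 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie, when present, is 8..32 bytes")
    data = client_cookie + server_cookie
    return struct.pack("!HH", OPT_COOKIE, len(data)) + data


def parse_options(rdata):
    """Walk OPT RR RDATA and return [(code, data), ...], rejecting truncated input."""
    opts, i = [], 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        i += 4
        if i + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        opts.append((code, rdata[i:i + length]))
        i += length
    return opts


def client_cookie(rdata):
    """Return the 8-byte client cookie carried in OPT RDATA, or None if absent."""
    for code, data in parse_options(rdata):
        if code == OPT_COOKIE:
            return data[:8]
    return None


class Stub:
    """A stub resolver holding one client cookie for its upstream resolver.
    RFC 9018 recommends a random value that is rarely changed, which is
    exactly what makes it usable as a stable identifier."""

    def __init__(self, cookie=None):
        self.cookie = cookie if cookie is not None else os.urandom(8)

    def query_opt_rdata(self):
        return build_cookie_option(self.cookie)


def identities_seen(queries, key):
    """Count the distinct clients a resolver operator can derive from a list of
    (source_ip, opt_rdata) pairs, keying on the address alone or on the cookie."""
    if key == "ip":
        return len({src for src, _ in queries})
    if key == "cookie":
        return len({(src, client_cookie(rdata)) for src, rdata in queries})
    raise ValueError("key must be 'ip' or 'cookie'")


def forward_upstream(rdata, resolver_cookie):
    """Hop-by-hop: drop the stub's COOKIE option and attach the resolver's own
    client cookie for the next hop, so the authoritative never sees the stub's."""
    kept = b"".join(struct.pack("!HH", c, len(d)) + d
                    for c, d in parse_options(rdata) if c != OPT_COOKIE)
    return kept + build_cookie_option(resolver_cookie)


def demo():
    """Two hosts behind one NAT address (constructed): identities by IP vs by cookie."""
    nat_ip = "203.0.113.5"  # documentation range, constructed for the example
    alice, bob = Stub(), Stub()
    queries = [(nat_ip, s.query_opt_rdata()) for s in (alice, bob, alice, bob, alice)]
    return identities_seen(queries, "ip"), identities_seen(queries, "cookie")


if __name__ == "__main__":
    print(demo())  # (1, 2): one address, two distinguishable clients
```

Running `demo()` yields `(1, 2)`: keyed on the source address the operator sees one client; keyed on the client cookie it sees two. `forward_upstream()` shows the other half of the argument: whatever the recursive resolver sends on carries its own cookie, not the stub's, which is why the cookie does not give the authoritative server any view of the end user, unlike Client Subnet.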