ietf-wg-dnsop / draft-ietf-dnsop-terminology-bis


Passive DNS #21

Closed paulehoffman closed 7 years ago

paulehoffman commented 7 years ago

From Paul Vixie:

Current:

   Passive DNS:  A mechanism to collect large amounts of DNS data by
      storing DNS responses from servers.  Some of these systems also
      collect the DNS queries associated with the responses; this can
      raise privacy issues.  Passive DNS databases can be used to answer
      historical questions about DNS zones such as which records were
      available for them at what times in the past.  Passive DNS
      databases allow searching of the stored records on keys other than
      just the name, such as "find all names which have A records of a
      particular value".

Suggested:

   Passive DNS:  A mechanism to collect DNS data by
      storing DNS transactions from name servers.  Some of these systems also
      collect the DNS queries associated with the responses; done correctly,
      this raises no privacy issues.  Passive DNS databases can be used to answer
      historical questions about DNS zones such as which answers were
      witnessed at what times in the past.  Passive DNS
      databases allow searching of the stored records on keys other than
      just the name and type, such as "find all names which have A records of a
      particular value".
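
The definition above describes passive DNS as a store of witnessed response records that can be queried by name, by type, and by rdata, and that answers "what was witnessed when" questions. The following is an added illustration (not text from the draft, and not anyone's comment in this thread) of the smallest store that has those properties: it keeps only (name, type, rdata) triples with first-seen and last-seen timestamps, indexes them on rdata as well as on name, and deliberately never records the querying client, which is the data-minimisation point the privacy discussion below turns on. The response format and sample records are constructed for the example.

```python
"""Minimal passive DNS store (added example; not the draft's text).

Stores answer-section RRs witnessed in responses, keyed on (name, type, rdata),
with first-seen / last-seen timestamps and a reverse index on rdata.  Client
source addresses are never stored: only what the name server said is kept.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (owner name, RR type, rdata)


@dataclass
class Observation:
    name: str
    rtype: str
    rdata: str
    first_seen: int  # unix time of the first response carrying this RR
    last_seen: int   # unix time of the most recent one
    count: int       # how many responses carried it


def _canon(name: str) -> str:
    """Lower-case and fully qualify owner names so lookups are case-insensitive."""
    return name.lower().rstrip(".") + "."


class PassiveDNS:
    def __init__(self) -> None:
        self._obs: Dict[Key, Observation] = {}
        self._by_name: Dict[str, Set[Key]] = defaultdict(set)
        self._by_rdata: Dict[str, Set[Key]] = defaultdict(set)

    def witness(self, answers: Iterable[Tuple[str, str, str]], ts: int) -> int:
        """Record the answer-section RRs of one response seen at time ts.
        Returns the number of (name, type, rdata) triples never seen before."""
        new = 0
        for name, rtype, rdata in answers:
            key = (_canon(name), rtype.upper(), rdata)
            obs = self._obs.get(key)
            if obs is None:
                self._obs[key] = Observation(*key, first_seen=ts, last_seen=ts, count=1)
                self._by_name[key[0]].add(key)
                self._by_rdata[key[2]].add(key)
                new += 1
            else:
                obs.first_seen = min(obs.first_seen, ts)
                obs.last_seen = max(obs.last_seen, ts)
                obs.count += 1
        return new

    def _sorted(self, keys: Set[Key], rtype: Optional[str]) -> List[Observation]:
        want = None if rtype is None else rtype.upper()
        return sorted((self._obs[k] for k in keys if want is None or k[1] == want),
                      key=lambda o: (o.first_seen, o.name, o.rtype, o.rdata))

    def by_name(self, name: str, rtype: Optional[str] = None) -> List[Observation]:
        """History of a name: every rdata witnessed for it, oldest first."""
        return self._sorted(self._by_name.get(_canon(name), set()), rtype)

    def by_rdata(self, rdata: str, rtype: Optional[str] = None) -> List[Observation]:
        """Reverse lookup: 'find all names which have A records of a particular value'."""
        return self._sorted(self._by_rdata.get(rdata, set()), rtype)

    def answers_at(self, name: str, rtype: str, ts: int) -> List[str]:
        """Rdata whose witnessed window covers ts: what the name resolved to back then."""
        return [o.rdata for o in self.by_name(name, rtype) if o.first_seen <= ts <= o.last_seen]


# Constructed sample: (timestamp, answer-section RRs) of five witnessed responses.
SAMPLE_RESPONSES = [
    (1500000000, [("www.example.com", "A", "192.0.2.10")]),
    (1500003600, [("www.example.com", "A", "192.0.2.10")]),
    (1500086400, [("www.example.com", "A", "192.0.2.20")]),
    (1500090000, [("mail.example.com", "A", "192.0.2.10"),
                  ("example.com", "MX", "10 mail.example.com.")]),
    (1500100000, [("WWW.EXAMPLE.COM.", "A", "192.0.2.20")]),  # same name, different case
]


def build_sample_db() -> PassiveDNS:
    db = PassiveDNS()
    for ts, answers in SAMPLE_RESPONSES:
        db.witness(answers, ts)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("names with A = 192.0.2.10:", [o.name for o in db.by_rdata("192.0.2.10", "A")])
    print("www.example.com at 1500001000:", db.answers_at("www.example.com", "A", 1500001000))
```

Note that nothing in the store identifies who asked; the privacy concern raised later in the thread is about names and rdata that are themselves sensitive, which no amount of collector-side minimisation removes.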
paulehoffman commented 7 years ago

These changes seem fine to me, except "this can raise privacy issues" to "done correctly, this raises no privacy issues".

wessels commented 7 years ago

I like all the changes suggested by Paul, except the one about privacy. Privacy is not so black-and-white that we can say there are no privacy issues (even if "done correctly").

edmonds commented 7 years ago

I'm not sure I see the linkage between collecting queries and responses (as opposed to collecting just responses) and privacy issues, either in the current or the suggested texts, because almost every response echoes back the query section.

Also, the second change ("responses" → "transactions") doesn't quite make sense because "responses" is used again in the second sentence:

A mechanism to collect ~~large amounts of~~ DNS data by storing DNS ~~responses~~ transactions from servers. Some of these systems also collect the DNS queries associated with the responses; […]

I also note that "transaction" already appears in RFC 7719 (in the definition of "OPT"), but it isn't defined.

wkumari commented 7 years ago

I don't think that I agree with "this raises no privacy issues" -- some folk seem to think that they can store "private" information in the DNS, and if queried for, this may / will expose it. Someone (I think it was Facebook or LinkedIn) creates (or used to create) a per-user DNS name for load-balancing purposes -- scraping passive DNS would allow someone to find many profiles, which could be viewed as a privacy issue.

I'd much prefer "done correctly, this raises minimal privacy issues" or "done incorrectly this can raise privacy issues" (or just skip everything after the semi-colon and say nothing).

I believe that passive DNS is incredibly useful for security stuff, I just think that saying that it raises no privacy issues could get sticky.

(Whoops, I said in the DNSOP thread that I'd commented here too, but apparently I'd forgotten to click the "Comment" button. Doing so just for tracking / completeness)

edmonds commented 7 years ago

It's not just a "some folk seem to think" problem. There are examples of malware that use DNS exfiltration to intentionally tunnel personal information, e.g. the "FrameworkPOS" malware encoded credit card track data into QNAMEs using a reversible encoding (https://www.anomali.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-poi).
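
The two privacy examples above (per-user names and data encoded into QNAMEs) are also the reason operators of passive DNS collections run checks over what they have stored. As an added illustration (not part of the thread or of the draft), the code below applies two common defender-side heuristics to a set of observed QNAMEs: a per-label check for long, high-entropy, digit-heavy labels that look machine-encoded rather than chosen by a human, and a per-parent-zone count of distinct child names, since a zone that suddenly has thousands of unique one-off children is the usual passive DNS signature of either tunnelling or per-user naming. Thresholds, the fixed two-label notion of "parent zone", and the sample names are all assumptions made for this example.

```python
"""Heuristic review of observed QNAMEs in a passive DNS collection (added example).

looks_encoded()      flags one label that looks like encoded data, not a word.
suspicious_parents() finds parent zones with unusually many distinct children
                     and reports how many of those children look encoded.
Threshold values are assumptions for this example, not figures from the thread.
"""
import math
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str, min_len: int = 20, min_entropy: float = 3.0,
                  min_digit_ratio: float = 0.25) -> bool:
    """Coarse heuristic: long, high-entropy, and with a share of digits that
    natural-language labels rarely reach.  Entropy alone is a poor signal
    (a long English word also scores above 3 bits/char), hence the digit test."""
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= min_entropy and digits / len(label) >= min_digit_ratio


def parent_zone(qname: str, depth: int = 2) -> str:
    """Take the last `depth` labels as the parent zone.  A real deployment would
    consult the public suffix list; the fixed depth is a simplification here."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def suspicious_parents(qnames: Iterable[str], min_unique: int = 50) -> Dict[str, Tuple[int, int]]:
    """Group observed QNAMEs by parent zone and report, for each parent with at
    least min_unique distinct children, (distinct children, encoded-looking children)."""
    children: Dict[str, Set[str]] = defaultdict(set)
    for q in qnames:
        name = q.lower().rstrip(".")
        children[parent_zone(name)].add(name)
    report: Dict[str, Tuple[int, int]] = {}
    for parent, names in children.items():
        if len(names) >= min_unique:
            encoded = sum(looks_encoded(n.split(".")[0]) for n in names)
            report[parent] = (len(names), encoded)
    return report


# Constructed sample: ordinary names plus 60 distinct hex-looking children under one zone.
BENIGN = ["www.example.com", "mail.example.com", "www.example.com",
          "thisisalongproductname.example.org"]
ENCODED = [f"3f9a1c7e5b2d8046e1a9c3f7b5d2e8{i:02x}.t.example.net" for i in range(60)]
SAMPLE_QNAMES = BENIGN + ENCODED


if __name__ == "__main__":
    for parent, (unique, encoded) in suspicious_parents(SAMPLE_QNAMES, min_unique=20).items():
        print(f"{parent}: {unique} distinct children, {encoded} encoded-looking")
```

The output of such a check is a review queue, not a verdict: CDNs, telemetry services, and anti-spam systems legitimately produce high-cardinality zones, so the action on a hit is to look, and where the children turn out to carry personal data, to decide what the collection should retain.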