Zum Inhalt der Seite gehen

mastodon - Link zum Originalbeitrag

🇩🇪Den EU-finanzierten DNS-Dienst #DNS4EU kann ich nicht empfehlen, weil Zugriffe protokolliert werden - bei "schädlichen Inhalten" sogar mitsamt IP-Adresse. techradar.com/vpn/vpn-privacy-…

Es gibt gute nichtstaatliche Alternativen: privacy-handbuch.de/handbuch_9…

Update: Es scheint, die IP-Speicherung erfolgt im o.g. Fall für 24 Stunden, damit die Warnung vor den Inhalten nicht immer wieder angezeigt wird.

Screenshot der Policy: "In case the User uses DNS resolution service with one of the additional optional flavors, the service notifies the User he/she is going to access a potentially malicious, illegal or otherwise harmful website (a landing page pops up). If the User decides to attend the website anyway, in such a case the User's IP address is stored by the DNS resolver for up to 24 hours in order to identify the User and not block the access."

The EU challenges Google and Cloudflare with its very own DNS resolver that can filter dangerous traffic

The DNS4EU remains voluntary, but some experts still warn of potential risks
Chiara Castro (TechRadar)
#DNS4EU
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf Patrick Breyer

Patrick Breyer
mastodon - Link zum Originalbeitrag
Patrick Breyer

🇬🇧I can't recommend the EU-funded DNS service #DNS4EU because access is logged. When you override warnings to access "harmful websites" they even log your IP address. techradar.com/vpn/vpn-privacy-…

There are government-free services that do not log: privacyguides.org/en/dns

Update: I understand now the IP address is kept for 24 hours to prevent the confirmation prompt from showing again.

Screenshot of policy: "In case the User uses DNS resolution service with one of the additional optional flavors, the service notifies the User he/she is going to access a potentially malicious, illegal or otherwise harmful website (a landing page pops up). If the User decides to attend the website anyway, in such a case the User's IP address is stored by the DNS resolver for up to 24 hours in order to identify the User and not block the access."

The EU challenges Google and Cloudflare with its very own DNS resolver that can filter dangerous traffic

The DNS4EU remains voluntary, but some experts still warn of potential risks
Chiara Castro (TechRadar)
#DNS4EU
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf Patrick Breyer

indyradio
mastodon - Link zum Originalbeitrag
indyradio
Nice investment in surveillance and control. 💰 💰 ➡️ 🚽
There was a really bad movie made in the US called
"Ursula: She Wolf of the S.S."
oh, oops, it was actually
"Ilsa, She Wolf of the SS."
So Sorry about that confusion there. 😜 🤣
Als Antwort auf Patrick Breyer

Frehi
mastodon - Link zum Originalbeitrag
Frehi

I'm much more concerned by DNS4EU keeping logs of all DNS requests for up to 6 months, with an identifier for every /24 subnet which changes only every 24 hours. And this in hands of a private company.

Nice trove of data which you can correlate easily and surely the domain names will give lots of information about who is behind the identifier.

The question of the Quad9 CTO at the end is spot on: youtube.com/watch?v=rXpyUkBOw3…


DNS4EU for Public anonymization

Robert Šefrhttps://indico.dns-oarc.net/event/51/contributions/1094/DescriptionDNS4EU service for public is committed to provide services anonymously and at t...
YouTube
Als Antwort auf Patrick Breyer

Malte Engeler
mastodon - Link zum Originalbeitrag
Malte Engeler
I find it worrying that "government-free" seems to be a feature in your statement. At least in theory services that are democratically governed should be framed as a goal not something to be avoided, no?
Dieser Beitrag wurde bearbeitet. (2 Tage her)
Als Antwort auf Malte Engeler

Frehi
mastodon - Link zum Originalbeitrag
Frehi
In my opinion a problematic thing is that DNS4EU is actually not really government managed but is managed by a private company (Whalebone). This company has access to the logs containing all DNS queries, and use this information for security research improving their commercial offerings.. Quad9 and DNS0 are at least managed by independent foundations and only share much more limited data with their security providers.
Dieser Beitrag wurde bearbeitet. (2 Tage her)
Als Antwort auf Malte Engeler

Ralf Bendrath
mastodon - Link zum Originalbeitrag
Ralf Bendrath
@malteengeler "government-free" = "does not contrain traces of state surveillance". I hope you both can agree on that.
@Malte Engeler
Als Antwort auf Ralf Bendrath

Malte Engeler
mastodon - Link zum Originalbeitrag
Malte Engeler
@bendrath It depends very much on what you call surveillance. The EFF thinks that looking at a Blockchain to collect taxes from crypto gambling is "state surveillance"
@Ralf Bendrath
Als Antwort auf Malte Engeler

Ralf Bendrath
mastodon - Link zum Originalbeitrag
Ralf Bendrath
@malteengeler I don't see the link between a DNS service logging private user behaviour (bad) and the EFF or tax authorities looking at public blockchains (I could not care less).
@Malte Engeler
Als Antwort auf Malte Engeler

Dave
mastodon - Link zum Originalbeitrag
Dave

@malteengeler since we all know the track record of the current president of the European Commission, I'm unwilling to touch any DNS service operated by the EU with a 10 mile pole.

I haven't forgotten the dumb stop sign campaign, I'm aware of the EU's hate for encryption, so off is the general direction in which I wish them to fuck.

@Malte Engeler
Als Antwort auf Patrick Breyer

Arthur van der Harg
mastodon - Link zum Originalbeitrag
Arthur van der Harg
“Logging”? As I read it, getting a warning is a service that you opt in to. And if you do, the DNS records when you choose to access a site anyway and keeps that record for 24 hours. Perfectly normal, desirable even, because if it didn’t, you’d get the warning every time a hostname resolves to that IP address. That would be annoying.
Als Antwort auf Patrick Breyer

Terence Eden
mastodon - Link zum Originalbeitrag
Terence Eden

how would you implement a service which doesn't temporarily log an IP address in that case?

If I access badsite.example, and click through the warning, my browser will need to load multiple files from the domain. I can't click through a warning to download badsite.example/style.css

So it needs to know not to block me. How else would you do that other than by IP address?

Als Antwort auf Patrick Breyer

Martin Boller 🇬🇱 🇺🇦
mastodon - Link zum Originalbeitrag
Martin Boller 🇬🇱 🇺🇦
Or get your nearest geek to install a RDNS on your home network such as PiHole. DNS was built to be decentralized.
Als Antwort auf Patrick Breyer

Ben Tasker
mastodon - Link zum Originalbeitrag
Ben Tasker

That doesn't seem to say that they log the IP?

It sounds like they keep your IP* in memory so you don't get reprompted about a site that you've chosen to bypass warnings on.

IMO, that's a *good* thing because it means average consumers won't simply switch away from the service if it accidentally overblocks

*In fact, not your IP, they've gone to quite extreme lengths to anonymise - they're not just masking octets, it all gets HMAC'd with a rotating key: 142290803.fs1.hubspotuserconte…

Als Antwort auf Ben Tasker

Patrick Breyer
mastodon - Link zum Originalbeitrag
Patrick Breyer
@ben Ah, I understand now. Ok, that makes sense. But they could do better than storing plaintext IP addresses, no?
@Ben Tasker
Als Antwort auf Patrick Breyer

William Oldwin
mastodon - Link zum Originalbeitrag
William Oldwin
True anonymisation has to be irreversible. If they cache the client IP address in an irreversibly transformed way, they can't determine whether the new request IP address matches one that has previously clicked unblock. If they cache the IP in a reversibly transformed way, they may as well just store the address untransformed - the original address is available either way.
Als Antwort auf Patrick Breyer

Ben Tasker
mastodon - Link zum Originalbeitrag
Ben Tasker

What they're doing can only be achieved by storing some of kind of unique (and semi-persistent) identifier.

The only information available to them to identify the user is an IP, so whatever they do will always have to be derived from that - at a certain point, you're adding computational cost for no routine privacy benefit (where there is benefit though, is if that information somehow leaks).

I think they could do more, but they're also already well above most other providers

Als Antwort auf Patrick Breyer

Fink
mastodon - Link zum Originalbeitrag
Fink
When I select the “I don’t want X” variant, I definitely don’t want some mitm to allow me to still visit X 🙄
Als Antwort auf Patrick Breyer

KDSZ Bayern
mastodon - Link zum Originalbeitrag
KDSZ Bayern
Das mag ja sein, dass es technisch so abläuft. Aber bei diesem Dienst gilt immerhin die EU-Datenschutzgrundverordnung (DSGVO), so dass die kurzfristig gespeicherten Daten nicht verwendet werden dürfen.
Ich würde den guten Ansatz des Dienstes nicht gleich wieder verteufeln.
Als Antwort auf Patrick Breyer

DJGummikuh
mastodon - Link zum Originalbeitrag
DJGummikuh
wait to be fair das liest sich aber wie eine vernünftige Aussage. Hier wird von optionalen Diensten, die vor schädlichen Inhalten warnen sollen gesprochen, bei denen du dann einzelnle Seiten für dich whitelisten lassen kannst. Dass sie dafür deine IP speichern müssen (damit das Whitelisting funktioniert) erscheint absolut plausibel
Als Antwort auf Patrick Breyer

engmann
mastodon - Link zum Originalbeitrag
engmann
Bei „…Die Nachdenkseiten berichteten…“ habe ich aufgehört weiterzulesen. Wer Webseiten „empfiehlt“, wie dieses „privacy-handbuch.de“, dass auf solche Webseiten wie „Nachdenkseiten“ verlinkt und oder sich darauf bezieht, kann es ganz und gar nicht ernst meinen. Extrem unseriös somit dieses Handbuch. Sehr bedauerlich.
Als Antwort auf Patrick Breyer

Olli__KA
mastodon - Link zum Originalbeitrag
Olli__KA
Oh habe erst diese Woche diesen DNS installiert. Es ist immer blöd wenn Deutsch nicht in der Beschreibung der EU vorkommt. Aber gibt mir eine Alternative!?
Als Antwort auf Patrick Breyer

BjoernAusGE
gotosocial - Link zum Originalbeitrag
BjoernAusGE
das in der about page steht das der Dienst am besten noch 2025 kommerzialisiert werden soll um sich selbst zu tragen stimmt auch nicht zuversichtlich
Als Antwort auf Patrick Breyer

Jan Wildeboer 😷
mastodon - Link zum Originalbeitrag
Jan Wildeboer 😷
@isotopp As I use this with the unfiltered resolver, my IP address falls under 2.2 (i) and thus isn’t stored. The exceptions described here are a perfect description of how they implemented the dilemma of dealing with a user intended override. Blowing that up to surveillance insinuations seems disingenuous to me.
@Kris
Als Antwort auf Jan Wildeboer 😷

Patrick Breyer
mastodon - Link zum Originalbeitrag
Patrick Breyer
@jwildeboer @isotopp Right you are, I got that wrong. But they could do better than storing plaintext IP addresses, no?
@Jan Wildeboer 😷 @Kris
Als Antwort auf Patrick Breyer

Jan Wildeboer 😷
mastodon - Link zum Originalbeitrag
Jan Wildeboer 😷
Sure. They could/should store hashes only for this 24 hour window and maybe they do. It's hard to deduct the exact technical implementation from the T&Cs alone. Someone should ask them how this 24 hour window works and how privacy restrictions are implemented. I expect the data to be physically limited to the DNS resolver itself and not accessible directly from other machines/services. @isotopp
@Kris
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf Jan Wildeboer 😷

Christoph Petrausch
mastodon - Link zum Originalbeitrag
Christoph Petrausch

@jwildeboer that the logs are only on the resolver itself, is in any infrastructure not implemented like that. Usually you ha e a central log aggregation tool like Grafana Loki or the ELK stack.

However, given the rest of the amateur show, I doubt they have a central log aggregation infrastructure. @echo_pbreyer @isotopp

@Jan Wildeboer 😷 @Patrick Breyer @Kris
Als Antwort auf Christoph Petrausch

Jan Wildeboer 😷
mastodon - Link zum Originalbeitrag
Jan Wildeboer 😷

@hikhvar It's not about logs, it's about keeping IP addresses that have demanded an override for certain DNS blocks for 24 hours so they don't have to keep on telling the DNS resolver that they want to keep this override active.

And, FTR, I don't agree with you that this is an "amateur show".

@echo_pbreyer @isotopp

@Christoph Petrausch @Patrick Breyer @Kris
Als Antwort auf Patrick Breyer

🇺🇦🇪🇺 cweickhmann
qoto - Link zum Originalbeitrag
🇺🇦🇪🇺 cweickhmann
Das ist dasselbe, was die nichtstaatlichen als "threat monitoring" und "performance analysis" bezeichnen. Fußnoten 1 bis 6 im verlinkten Artikel. 🤷
Und es bezieht sich nur auf die Flavours. Der Grunddienst ist von der Formulierung ausgeschlossen.
Als Antwort auf Patrick Breyer

Leeloo
mastodon - Link zum Originalbeitrag
Leeloo

There is no way for DNS to pop up a "landing page".

The whole thing smells.

Als Antwort auf Patrick Breyer

Martin Schröder
mastodon - Link zum Originalbeitrag
Martin Schröder
It's also not very European:
techlog.jenslink.net/posts/dns…

How much EU is in DNS4EU?

This is another post that started after several toots on mastodon. Most of the things presented here were already tooted by other people, but I think this is a good chance to write a mini tutorial about what to look at.
Techlog