[sclug] Odd behaviour from OpenDNS?

Dickon Hood dickon-ml at fluff.org
Mon Jul 23 18:04:16 UTC 2012

On Sun, Jul 22, 2012 at 14:36:05 +0000, Ed Davies wrote:

: Frankly, though, I don't see much point to not using the
: ISP's DNS unless they're playing around in ways you don't
: like.

Absent DNSSEC (and currently we are), you can't even tell.  This is a bit
of a problem.  As you can't be sure nobody's fiddling with UDP port 53
traffic, the truly paranoid will want to funnel all DNS over some form of
VPN to a machine somewhere they know isn't having its traffic interfered
with.  No, I don't know where you're going to find one of those.

: In particular, I can't see any privacy advantage.

I can.  I don't believe it's much of a problem (mostly because by default
bind9 doesn't log successful queries), but possibly some do.

: Anything you access with HTTPS will tend to have a unique
: IP address, won't it?

Not necessarily.  Likely, yes, but not necessarily.  It's quite possible
to have an HTTPS-hosted site on :443, with a collection of vhosts on :80
that may or may not have anything to do with the secured one.  I run a
couple of machines in just that state; it's helpful.  There is also a
mechanism for clients to notify the server which site it's interested in
before the certificate checks are done, but I don't know if anyone
implements it yet.  Either way, what holds *now* might not in the future.

: However, accessing Pirate Bay on
: principle, even if you'd not normally go anywhere near it,
: does have some appeal.

The Pirate Party UK has a portal to it.  I doubt that's been taken down,
although they may well end up the recipients of a C&D from the appropriate

Dickon Hood
Due to the proliferation of 'Sent from my $device' disclaimers, my .sig is
temporarily unavailable.  Normal service will be resumed as soon as possible.
We apologise for the inconvenience in the meantime.

This email was sent from a colocated server, and needs no excuses.
