Hello.
As we know, there is edns_client_subnet option available (since ver. 2.0.45 - if I remember correctly), that adds 'EDNS-client-subnet information to outgoing queries'. Default values are: ['0.0.0.0/0', '2001:db8::/32']. I would like to ask about situation where only IPv4 protocol is in use.
Dnscrypt-win-client by opendns. Windows front end for DNSCrypt Proxy Authors. Geoff (geoff@opendns.com) Contact. OpenDNS (billing@opendns.com) Download. With an open specification, DNSCrypt is an older, yet robust method for encrypting DNS. Anonymized DNSCrypt. A lightweight protocol that hides the client IP address by using pre-configured relays to forward encrypted DNS data. This is a relatively new protocol created in 2019 currently only supported by dnscrypt-proxy and a limited number of.
I've read RFC/IETF about 'EDNS Client Subnet' and now I feel stupid and lost. Generally, I think, that using '0.0.0.0/0' may not be a very good idea to prevent privacy 'leakage' (user IP address etc.) or maybe I'm wrong and that's a clever solution?
Dnscrypt-proxy Max_clients
So, what do you think about edns_client_subnet option? What IP address with subnet/prefix, should be used to achieve a better privacy? Is something like 198.51.100.0/24 a better choice, instead of the default address? However, '/24 prefix is only 256 IPs. This is very narrow and can be concerning for privacy'.
Or maybe Users should use their own IP address, provided by ISP, but in such format - with smaller prefix (so there should be more IPs than 256): 11.22.0.0/22 (that's only an example!).
Thanks, best regards.
____________________________________
For more information, please check:
Dnscrypt Client Mac
1/ RFC7871 - Client Subnet in DNS Queries (Security considerations)
2/ Cloudflare - possible solutions for the edns problem in 1.1.1.1
Dnscrypt Client Ubuntu
Last edited by ferrum (2021-07-26 10:42:16)