🔒 DNS encryption is gaining momentum with proposed standards such as DoT, DoH, and DoQ protecting DNS exchanges from external observers. One key piece? Discovery of Designated Resolvers (DDR) — a mechanism that lets clients learn the encryption settings of recursive resolvers. For RIPE Labs, Yevheniya Nosyk looks at DDR in action and how it’s being deployed in the wild: https://lnkd.in/e2e_mpjg With contributions from Andrzej Duda and Maciej Korczynski
RIPE NCC’s Post
More Relevant Posts
-
The UK Information Commissioner clearly had a miserable summer. Here's the final, updated practical guidance on how to implement encryption as an effective 'technical measure' to protect personal information from being lost, stolen, or subject to unauthorised access. https://lnkd.in/e6TfFCxd
-
A malicious Go module disguises as an SSH brute-force tool, scanning IPv4 for weak credentials, disabling host key verification, and exfiltrating stolen data via Telegram bot using HTTPS traffic. #SSHAttack #GoModule #TelegramBot link: https://ift.tt/uUj3w4i
-
Combining Temp Mail with VPNs + encryption is the silent shield smart users need, this blog shows you how to stay truly anonymous online. 🔗 https://lnkd.in/dFPC_Vvt
-
Pryvate Messenger uses Ephemeral Per-Session Key Exchange. Pryvate uses ephemeral key exchange protocols, generating unique encryption keys for every session, ensuring that each call, message, or file transfer is protected with fresh cryptographic material. This prevents retrospective decryption, even if a previous session key were compromised.
-
📥 Download the threat report to uncover the full scale of Soco404's DNS infrastructure ->> https://lnkd.in/eGG4nbh5 The #Soco404 cryptomining campaign hid payloads inside fake 404 error pages on Google Sites. WhoisXML API expanded 9 #IoCs and uncovered 9500+ #DNS artifacts, including domains, IPs, and email infrastructure potentially linked to this stealthy operation. Alarmingly, 16 of these artifacts have already been weaponized. These traces may already be crossing your network, are you looking?
-
APT29 (Cozy Bear) is still using diplomatic-themed lures. But their new play? Signing malicious payloads with legit certs. MFA bypass is only step one.
-
Stateless forwarding + end-to-end encryption = nothing for adversaries to seize, nothing for auditors to question. See the numbers in our latest policy analysis. Read the brief: https://hubs.ly/Q03F5zCQ0
-
Data sovereignty is no longer a paperwork exercise—it is an engineering challenge. With Graphiant, sovereignty is built into the packet path itself. Read the full brief to see how a stateless core, precise routing, and real‑time audit together set a new baseline for secure cross‑border connectivity.
-
Mis-issued TLS certificates for 1.1.1.1 could allow attackers to intercept and alter Cloudflare DNS traffic, exposing flaws in the Certificate Authority system and certificate transparency protocols. #DNSsafety #PKIweakness #USA link: https://ift.tt/d0bJmWv
-
Networking protocol technologist
1w
UPDATE: original comment remains here, but see my reply below.
I really like the data analysis, thank you for publishing this. However, I have to be pedantic and point out that this statement is misleading: "the great majority of resolvers designate one of the top 5 operators, "
The act of designating only applies to an unencrypted resolver designating an encrypted resolver as its equivalent. This method (RFC 9462 section 4) does not permit a resolver to "designate one of the top" because the security check will fail: the destination resolver has to demonstrate control over the original IP address.
The other mechanism we defined (section 5) you accurately describe early in the post, but I think is being referred to as designation in the quote above when it is just discovery. If you query 8.8.8[.]8 over DoH for one[.]one[.]one[.]one's encrypted DNS config using DDR, that isn't 8.8.8[.]8 designating to 1.1.1[.]1. This is broken down in the final paragraph of RFC 9462's introduction.
In short: DDR doesn't enable centralization. Analyzing it may reveal DNS usage centralization (because most lookups of configuration are for only the big resolvers), but random resolvers cannot designate one of the big resolvers in their own place.