document DNS discovery/registration procedures in the security section

[anarcat]

Currently, the security FAQ does not mention anything about DNS discovery. There's some mention that others in your swarm may know what you download, but those privacy concerns are always toned down by the "key requirement":

Users only connect to other users with the same dat link. Anyone with a dat link can see other users that are sharing that link and their IP addresses.

The document then links to this blog post which explains the various "reader privacy" tradeoffs in p2p architectures, but never explicitly mentions DNS discovery problems in themselves.

I've documented briefly my concerns with the protocol in this review of the protocol, but I will try to explain them here in the form of a Q/A so it can be adapted in the documentation.

Can others see what I do on the Dat network?

When content is shared with Dat, it gets announced on the Mainline DHT, a custom DNS server operated by the Dat project and multicast DNS. Those peer discovery mechanisms all have various tradeoffs that will reveal information to a third party in various ways.

• the DHT discovery will share information with a global swarm of machines operating the DHT. The swarm is decentralized so it is more difficult for an individual attacker to identify patterns but an attacker with a global view of the network might be able to establish correlations between users
• the Dat project running or whoever is contacted through the custom DNS discovery can establish directly when content goes online, from where, who is looking for it, and establish direct correlations between users
• multicast DNS discovery usually operates on the local network, which means an attacker would need to be on the local network to get information about traffic. since that information would be available through other means, no additional privacy concerns are raised here.

In other words, by using the custom discovery DNS mechanism, you are trusting the Dat project to a certain extent.

This could certainly be improved, but I figured I would start with something to get the ball rolling and have a better idea of what I am getting at here.

Thanks!

[bnewbold]

I think this is an important addition. I think the DNS concerns haven't been addressed very publicly because the informal plan has been to move to an improved DHT or gossip protocol or whatever better thing ASAP, but it has been a long time and we should acknowledge existing behavior.

Would title this "Can others see who I connect to on the Dat network?", as the scope here is discovery and not ISP-style surveillance.

Second point: "the operators the custom DNS discovery servers (the Dat project and a small number of trusted institutions) [...]"

The term I have used is "centralized DNS", not "custom DNS". The former probably sounds redundant to a technical person (like "ATM Machine"), but communicates that it's not a distributed system, while also hinting that it isn't regular (hierarchical) DNS.

What do other think? I can create a PR.

[anarcat]

i think "centralized DNS" is confusing. it's a misnomer: DNS is distributed by default and even here it's not necessarily centralized - you could run your private one, actually. i think "custom DNS" outlines it's not just any DNS server that can be used, as it need to accept registrations and does some validation on its own. this could be outlined better with "dynamic DNS" but maybe at this point we just drop the qualifier and talk about the "DNS servers" instead of trying to describe too many things at once...

[okdistribute]

Yes this sounds good, please open a pull request (if you haven't already) and we can get it approved.

[okdistribute]

+1 to just talk about DNS servers