On 08.10.17 21:40, jpmvtd261@laposte.net wrote:
> Disclaimer: this is a (too) big email.
Seriously? Can you really not answer individual messages? ;-)
> it is not necessarily better to ask directly to a root name server.
Yes it is; for uncached lookups, one of the root zone servers must be involved anyway. As of today, that will be one of thirteen servers, and I'd be extremely surprised if an attacker could monitor them all.
> who is aware of the query is not all that matters; the apparent origin of the query also matters, depending on the position of the attacker.
Sure, but keep in mind: Even if an attacker could gain access to all root zone servers, he could not see the necessary follow-up queries on TLD level (e.g. country domains, or .com, .net, etc.) and beyond. If I looked up host.somedomain.fr, a root zone snoop might show my interest in a French domain, but nothing else.
> If the attacker can listen to the traffic between the exit node and the upstream resolver, I don't think contacting the upstream resolver directly is better than contacting it indirectly.
So what? If the attacker can hack your ISP's infrastructure to listen in, this whole discussion is academic. Otherwise, "the upstream resolver" varies with each individual query, unless one configures the upstream servers manually. Hence, leaving the local resolver to freely choose upstream servers is preferable.
-Ralph
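The following is an added illustration of the point debated above (which part of a query name each server on the resolution path gets to see); it is not part of Ralph's message or of the thread. The delegation tree is constructed for the `host.somedomain.fr` example, not real DNS data, and the simulation goes slightly beyond the thread by modelling both a classic resolver, which sends the full name to every server it asks, and one that uses QNAME minimisation (RFC 7816), since how much the root or TLD server learns depends on that behaviour.

```python
"""Simulate iterative DNS resolution and record which query name each zone's
server observes.  Added illustration, not code from the original thread.
The delegation tree below is constructed, not real DNS data."""

from typing import Dict, List, Set, Tuple

# Constructed delegation tree: zone name -> zones it delegates to.
# "." is the root; somedomain.fr. is authoritative for everything below it.
ZONES: Dict[str, Set[str]] = {
    ".": {"fr.", "com."},
    "fr.": {"somedomain.fr."},
    "somedomain.fr.": set(),
}


def _fqdn(name: str) -> str:
    """Normalise to an absolute name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def _delegation_for(zone: str, qname: str):
    """Return the child zone of `zone` that covers `qname`, or None if `zone`
    is itself authoritative for the name (in this constructed tree)."""
    for child in ZONES[zone]:
        if qname == child or qname.endswith("." + child):
            return child
    return None


def resolve(qname: str, minimize: bool) -> List[Tuple[str, str]]:
    """Walk the delegation chain from the root and return a trace of
    (zone queried, query name sent to that zone's server).

    minimize=False models a classic resolver that sends the full name to
    every server on the path; minimize=True models QNAME minimisation,
    where each server is only asked for the next delegation point."""
    qname = _fqdn(qname)
    trace: List[Tuple[str, str]] = []
    zone = "."
    while True:
        child = _delegation_for(zone, qname)
        if child is None:
            # Authoritative server: it must see the full name to answer.
            trace.append((zone, qname))
            return trace
        # A minimising resolver asks the parent only about the child zone;
        # a classic resolver reveals the whole name at every level.
        trace.append((zone, child if minimize else qname))
        zone = child


def exposure(qname: str) -> Dict[str, Dict[str, str]]:
    """For each zone on the path, the name its server sees in both modes."""
    classic = resolve(qname, minimize=False)
    minimized = resolve(qname, minimize=True)
    return {
        zone: {"classic": full, "minimized": short}
        for (zone, full), (_, short) in zip(classic, minimized)
    }


if __name__ == "__main__":
    for zone, seen in exposure("host.somedomain.fr").items():
        print(f"{zone:18} classic={seen['classic']:22} minimized={seen['minimized']}")
```

Running it shows that with a classic resolver the root server (and the .fr TLD server) are sent `host.somedomain.fr.` in full, whereas with QNAME minimisation the root sees only `fr.` and the TLD server only `somedomain.fr.`; the authoritative server for the domain sees the full name in both cases, which is the situation the thread's remark about "interest in a French domain, but nothing else" corresponds to.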