On 8 Oct 2017, at 16:24, Ralph Seichter m16+tor@monksofcool.net wrote:
>> who is aware of the query is not all that matters; the apparent origin of the query also matters, depending on the position of the attacker.
> Sure, but keep in mind: Even if an attacker could gain access to all root zone servers, he could not see the necessary follow-up queries on TLD level (e.g. country domains, or .com, .net, etc.) and beyond. If I looked up host.somedomain.fr, a root zone snoop might show my interest in a French domain, but nothing else.
This is only true if your resolver implements QNAME minimisation: https://tools.ietf.org/html/rfc7816
Currently, when a resolver receives the query "What is the AAAA record for www.example.com?", it sends to the root (assuming a cold resolver, whose cache is empty) the very same question. Sending the full QNAME to the authoritative name server is a tradition, not a protocol requirement.
Does the version of the recursive resolver you're using do this?
Or does it send only the minimal name required?
T
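As an added illustration of the point in the reply above (example code written for this page, not taken from RFC 7816 or from any resolver), the toy model below walks a constructed delegation tree once with the traditional full-QNAME behaviour and once with QNAME minimisation, and records which names each authoritative server (the root in particular) gets to see. Zone names, records and addresses are all constructed.

```python
"""Toy model of RFC 7816 QNAME minimisation versus full-QNAME resolution (constructed data)."""
# Constructed delegation tree: zone apex -> set of child zone cuts it delegates.
ZONES = {
    ".": {"fr.", "com."},
    "fr.": {"somedomain.fr."},
    "somedomain.fr.": set(),        # leaf zone, no further delegations
}
# Constructed records in the leaf zone; intranet.somedomain.fr. is a plain label there, not a cut.
RECORDS = {"host.somedomain.fr.": "2001:db8::1",
           "www.intranet.somedomain.fr.": "2001:db8::2"}

def labels(name):
    return [l for l in name.split(".") if l]

def ancestor(name, depth):
    """Last `depth` labels of name as an absolute name ('.' when depth is 0)."""
    return ".".join(labels(name)[-depth:]) + "." if depth else "."

def name_exists(name):
    return any(r == name or r.endswith("." + name) for r in RECORDS)

def resolve_full_qname(qname, qtype="AAAA"):
    """Traditional behaviour: every server on the referral chain sees the full QNAME."""
    queries, zone = [], "."
    while True:
        queries.append((zone, qname, qtype))
        cut = next((c for c in ZONES[zone] if qname.endswith("." + c)), None)
        if cut is None:
            return queries              # answer or NXDOMAIN comes from this zone
        zone = cut                      # follow the referral

def resolve_minimised(qname, qtype="AAAA"):
    """RFC 7816: ask only one label more than the closest known zone cut."""
    queries, zone, depth, total = [], ".", 1, len(labels(qname))
    while True:
        candidate = ancestor(qname, depth)
        # Only the final, full-length query carries the real QTYPE.
        queries.append((zone, candidate, qtype if depth == total else "NS"))
        if candidate in ZONES[zone]:
            zone = candidate            # referral: continue at the child zone's servers
        elif not name_exists(candidate):
            return queries              # NXDOMAIN: nothing below it can exist
        elif depth == total:
            return queries              # final answer from this zone
        if depth < total:
            depth += 1                  # move one label closer to the full name

def names_seen_by(zone, queries):
    """What an observer at `zone`'s servers learns from this resolver's queries."""
    return [q for z, q, _ in queries if z == zone]
```

With minimisation the root only ever sees "fr.", and a name that does not exist is caught at the TLD without the full name ever leaving the resolver's cache.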