Privacy paradox
===============
One of the big paradoxes of today's internet seems to be that if
you try to protect your privacy from GAFAM and Internet providers,
you expose yourself more to everyone else.
A decade ago, under the influence of people like Benjamin Bayart[1],
I decided to host the services I used at home, on my own server. I
began with a web server and a file synchronization service built on
SSH and Unison. A mail server, an XMPP server and an ownCloud server
followed quite quickly, and I was happy with them.
But running a mail server is not exactly a piece of cake, and it
needed a lot of improvements before it was really usable for mailing
people who use GAFAM services: reverse DNS, SPF and DKIM, for example.
As I wanted a mail address with my last name as the domain, I had to
link my home IP address to my last name in the reverse DNS, which
means that everyone can guess my name when I connect to a web server
from my house. No anonymity anymore.
For browsing, I didn't like the idea of using my Internet provider's
DNS resolver. In France, providers are used to censoring sites
administratively, without warning, which I judge a very bad policy.
And your provider can know almost everything about your browsing
without any Deep Packet Inspection: your DNS requests are enough.
That is why I built an Unbound server with DNSSEC enabled and used
it from my house.
But the problem is perhaps worse here: now everybody who listens to
the DNS traffic near the DNS root servers can see the requests I
make, from an IP address that is linked to my name.
In a way, your anonymity is better protected when you use a Windows
computer with standard tools: you are lost in the big data. Companies
can still record a lot about you, but not your name if you don't
use it.
For this DNS issue, I recently discovered the Stubby project[2]. You
give up resolving DNS yourself, but your queries are encrypted with
TLS all the way to a resolver that keeps no logs. You have to trust
them, but if they act as they say, your DNS requests don't leak
anymore. You can enable DNSSEC, and the answers are not under the
control of the French government.
As these requests are slower than local ones to a self-hosted server,
you can improve resolution time by caching results in the local
Unbound server.
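The setup described above, as an added example that is not part of
the original post: a stubby.yml that only speaks DNS-over-TLS, refuses
any upstream whose certificate does not match the expected name, pads
queries, and asks for DNSSEC validation. The upstream address
(192.0.2.1, a documentation-range IP) and its name
(resolver.example.net) are placeholders; replace them with the
no-log resolver you have chosen to trust, and add that resolver's
published pinset if it has one.

```yaml
# stubby.yml (added example; upstream values are placeholders)

# Act as a stub forwarder, never try to recurse to the roots ourselves,
# so no query of ours travels in clear text near the root servers.
resolution_type: GETDNS_RESOLUTION_STUB

# TLS only: if the encrypted channel cannot be set up, fail rather
# than silently fall back to plain UDP/TCP port 53.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Require the upstream to present a certificate valid for tls_auth_name;
# GETDNS_AUTHENTICATION_NONE would accept any certificate.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a multiple of 128 bytes so the length of the encrypted
# query reveals less about the name being looked up.
tls_query_padding_blocksize: 128

# Do not let EDNS Client Subnet forward part of our address upstream.
edns_client_subnet_private: 1

# Ask getdns for DNSSEC validation; answers that fail validation are
# returned as failures instead of being passed on.
dnssec_return_status: GETDNS_RETURN_GOOD

# Keep the TLS session open between queries to avoid a handshake each time.
idle_timeout: 10000

# Listen on a loopback port other than 53 so a local Unbound can sit in
# front of Stubby and cache answers.
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053

round_robin_upstreams: 1

upstream_recursive_servers:
  # Placeholder upstream: replace with your chosen resolver.
  - address_data: 192.0.2.1
    tls_port: 853
    tls_auth_name: "resolver.example.net"
```

To get the caching the paragraph above mentions, point the local
Unbound at Stubby instead of the roots: in unbound.conf, a
`forward-zone:` stanza with `name: "."` and
`forward-addr: 127.0.0.1@8053`, together with
`do-not-query-localhost: no` in the `server:` section, makes Unbound
answer repeated queries from its cache and send only cache misses
through the encrypted channel. Keep `auto-trust-anchor-file` configured
in Unbound as well so validation also happens on your own machine, not
only at the upstream.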
The DNS-over-HTTPS integration in Firefox shows that DNS encryption
will soon be a default configuration, as HTTPS has become.
[1] https://www.fdn.fr/actions/confs/internet-libre-ou-minitel-2-0/
[2] https://dnsprivacy.org/wiki/display/DP/About+Stubby