DNS DATA SHARING (OR NOT) Stéphane Bortzemeyer & Nathalie Boulvard.

Post on 18-Jan-2016


DNS DATA SHARING (OR NOT)

Stéphane Bortzemeyer & Nathalie Boulvard

Summary

1. Technical aspects

1.1. The problem

1.2 The queries contain

1.3 The data is useful

1.4 Anonymization is the solution?

2. Legal aspects

2.1. The issues

2.2. The texts contain

2.3. The contract could be useful

2.4 Anonymization is the solution?

3. Tour de table - Debate

Questions


1. Technical aspects


1.1 The problem

• We operate DNS servers

• They receive queries

• They send responses

Very often, we record the DNS traffic (security incident analysis, business intelligence, statistics, etc.). The recording is often called a « pcap file ».


1.2 The queries contain

Example: « 2001:660:3003:8::4:69 » asked for the IPv6 address of www.impots.gouv.fr

The source IP address of the resolver (not the end user’s machine). Typically a big machine at the IAP. But not always.

The complete name requested (do not believe the CENTR video, it is wrong). We see requests for

_bittorrent-tracker._tcp.XXXX.abo.wanadoo.fr


1.3 The data is useful…

…and many people are interested. Can we share it?

DITL http://www.caida.org/projects/ditl/

OARC https://www.dns-oarc.net/

Is it personal data? For some requests, clearly yes, for some, clearly no and the rest is in between.


1.4 Anonymisation is the solution?

• We could « anonymize » (replace the IP addresses by a dummy value)

• Anonymization deletes data (bad for researchers)

• Anonymization is never perfect (data crunchers know how to get some information back)
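
Added example, not part of the original slides: Python code that applies the dummy-value replacement described above to constructed query records, next to a keyed-pseudonym variant (an assumption, not something the slides propose), and shows that an address-like label in the query name survives both. The records, the key and the host-192-0-2-17 naming pattern are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: (resolver source address, query name, query type).
# Addresses come from documentation ranges; all names are made up.
SAMPLE_QUERIES = [
    ("2001:db8:3003:8::4:69", "www.example.fr", "AAAA"),
    ("2001:db8:1::53", "_bittorrent-tracker._tcp.host-192-0-2-17.abo.example.net", "SRV"),
    ("192.0.2.53", "www.example.fr", "AAAA"),
]

def dummy(addr):
    """Replace the address by a fixed dummy value; only the address family survives."""
    return "::" if ipaddress.ip_address(addr).version == 6 else "0.0.0.0"

def make_pseudonymizer(key):
    """Keyed pseudonym (assumed variant): one resolver always maps to one token."""
    def pseudonym(addr):
        packed = ipaddress.ip_address(addr).packed
        return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]
    return pseudonym

def anonymize(records, mapper):
    """Rewrite only the source address, as the slide describes; names are untouched."""
    return [(mapper(src), qname, qtype) for src, qname, qtype in records]

def distinct_sources(records):
    """Number of sources a researcher can still tell apart."""
    return len({src for src, _, _ in records})

def residual_leaks(records):
    """Find query-name labels that still embed four dash-separated octets."""
    leaks = []
    for _, qname, _ in records:
        for label in qname.split("."):
            parts = [p for p in label.split("-") if p.isdecimal()]
            if len(parts) >= 4 and all(int(p) <= 255 for p in parts[-4:]):
                leaks.append((qname, ".".join(parts[-4:])))
    return leaks

if __name__ == "__main__":
    for name, mapper in (("dummy", dummy), ("keyed", make_pseudonymizer(b"constructed-key"))):
        out = anonymize(SAMPLE_QUERIES, mapper)
        print(name, distinct_sources(out), residual_leaks(out))
```

The dummy value collapses the three resolvers into two indistinguishable groups (the data loss for researchers), while the query name keeps the embedded address in both cases (the imperfection).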


2. Legal aspects


2.1 The issues

Companies’ rights and interests

• Reputation

Individuals’ rights

• Personal data - Sensitive data


2.2 The texts contain

Under the European rules

• The European Union adopted its “data protection directive” (directive 95/46) on October 24, 1995.

• National independent authorities (CNIL for France) & the “Article 29 Working Party”

• Reform of the data protection EU legal framework (to follow up)

Under the International rules


2.3 The contract could be useful…

…but not only. Can we share?

DITL http://www.caida.org/projects/ditl/

OARC https://www.dns-oarc.net/

An example : the OARC Participation Agreement.


2.4 Anonymisation is the solution?

Well… yes:

• No personal data anymore

• So, no more legal issue!

But as anonymization is never perfect…

Let’s carry on with a debate!


3. Tour de table - Debate


Questions


Are you interested in following up this discussion? If yes, how?

Do you think that this entire issue is worth a debate?

If no, why? If no, why?

www.afnic.fr contact@afnic.fr

Twitter: @AFNIC

Facebook: afnic.fr


Thank you!