[Pdns-users] New (in PowerDNS): ipcipher

[bert hubert]

Hi everyone,

tl;dr - today (Sunday) at 17:40 CET / 08:40 PST you can watch me present
about 'ipcipher', a method for encrypting IP addresses to enhance user
privacy, at the NDSS DNS Privacy Workshop through:
https://www.ndss-symposium.org/dns-privacy-workshop-programme/
We'd love to hear your thoughts.

Longer story:

PowerDNS has long included the 'dnswasher' tool which strips customer IP
addresses from PCAP files. The idea is that this allows operators to send us
traces we can analyse, without us seeing actual IP addresses.

A problem with 'dnswasher' however was that translating back to original IP
addresses was very hard. So let's say we did find what (stub) resolver was
causing problems, it was quite a puzzle for the owner of the data to find
out who that actually was.

In may 2017, we wrote about a solution for this problem here
https://medium.com/@bert.hubert/on-ip-address-encryption-security-analysis-with-respect-for-privacy-dabe1201b476
In short, this detailed how one can encrypt and decrypt IP addresses.

Later we found out there was more involved into how to do this correctly. We
also learned that the new EU GDPR privacy regulations specifically recommend
'pseudonyzing' user data this way before analysis. 

A subsequent specific customer request spurred the writing of the 'ipcipher'
specification which allows for interoperable encryption of IP addresses.
This specification can be found on https://powerdns.org/ipcipher/

This code has also been added to 'dnswasher', which can now be run like
this:

$ dnswasher -p "supersecret2018" in.pcap encrypted.pcap
$ dnswasher -d -p "supersecret2018" encrypted.pcap decrypted.pcap

This will reconstruct 'decrypted.pcap' which is identical to 'in.pcap'. 

I will present about 'ipcipher' today (Sunday) at 08:40 PST / 17:40 CET to
the NDSS DNS Privacy Workshop Programme, you can view this live on:
https://www.ndss-symposium.org/dns-privacy-workshop-programme/

Your comments are more than welcome!

	Bert