Privacy paradox
===============

One of the big  paradoxes in the actual internet seems  to be that if
you try  to protect your  privacy from GAFAM and  Internet Providers,
you expose yourself more to everyone else.

A decade ago, under the  influence of people like Benjamin Bayart[1],
I decided to  host the services I  used in my house, on  my server. I
began with a  webserver and a files synchronization  service with SSH
and Unison. A mailserver, an XMPP  server and an Owncloud server came
quite quickly and I felt happy with them.

But dealing with  a mailserver is not  really a piece of  cake and it
needed a lot of improvements to be really usable to mail people using
GAFAM: reverse DNS, SPF and DKIM for example.

As I wanted a  mail with my last name as domain, I  had to link my IP
at  home to  my  last name  for  the reverse  DNS,  which means  that
everyone can know guess my name when I connect to a webserver from my
house. No anonymity anymore.

To  navigate, I  didn't  like  the idea  of  using  the DNS  resolver
of  my  Internet  Provider.  In  France, they  are  used  to  censure
administratively  sites without  warning, which  I judge  a very  bad
policy.  And your  Provider  can know  almost  everything about  your
navigation, without any Deep Packet Inspection: your DNS requests are
enough. That is why I built an Unbound server with DNSSEC enabled and
used it from my house.

But the problem  is perhaps worse here: now everybody  who listen the
DNS traffic near the DNS Roots can know the requests I make with this
linked to my name IP address.

In a way,  your anonymity is better protected when  you use a Windows
computer with standard tools: you are lost in the big data. Companies
can still register  a lot about you,  but not your name  if you don't
use it.

For this DNS issue, I  recently discovered the Stubby project[2]. You
renounce to resolve yourself the  DNS, but your queries are encrypted
via TLS till a  resolver without log. You have to  trust them, but if
they act like they say, your DNS requests don't leak anymore. You can
enable DNSSEC and  the answers are not under the  power of the french
government.

As these requests are slower than local ones to a self-hosted server,
you  can improve  the  resolution  by caching  results  in the  local
unbound server.

The DNS-over-HTTPS  integration in Firefox shows  that DNS encryption
will soon be a default configuration, as HTTPS has become.

[1] https://www.fdn.fr/actions/confs/internet-libre-ou-minitel-2-0/
[2] https://dnsprivacy.org/wiki/display/DP/About+Stubby