// Topology of a relayed DNS-over-HTTPS setup: the client reaches the TRR
// (the resolver) over HTTPS through the intermediate host popho.be, and the
// TRR then performs the usual root / TLD / authoritative lookups itself.
// Statement order matters in DOT: each `edge[...]` / `node[...]` line sets
// defaults only for the edges and nodes created after it.
digraph odns {
  bgcolor=transparent;
  // size=8;

  // Trust zones, one cluster per network location. The client sits inside
  // the ISP that is treated as hostile ("bad").
  subgraph cluster_ISP {
    label="(bad) ISP"
    client
  }
  // The relay host.
  // NOTE(review): `\.` is not a documented DOT escape sequence; presumably it
  // is there to stop the surrounding page renderer from auto-linking the
  // hostname. Confirm it still renders as "popho.be".
  subgraph cluster_OVH {
    label="OVH"
    "popho\.be"
  }
  // Resolver plus the upper levels of the DNS hierarchy.
  subgraph cluster_outside {
    label="not too wild internet"
    "TRR"
    "root server"
    "TLD server"
  }
  // Authoritative servers are placed in the least trusted zone.
  subgraph cluster_authoritative {
    label="wild internet"
    "authoritative server"
  }

  // Green path: the HTTPS leg. Both hops carry the same label "HTTPS to TRR",
  // and the first hop has no arrowhead, so the two edges read as one
  // connection passing through popho.be.
  // NOTE(review): presumably popho.be forwards the TLS stream without
  // terminating it; otherwise the "can't read" note below would not hold.
  // Confirm against the relay configuration.
  edge[weight=10 fontsize=10];
  client -> "popho\.be" [label="HTTPS to TRR" color=green fontcolor=green arrowhead=none]
  "popho\.be" -> TRR [label="HTTPS to TRR" color=green fontcolor=green]

  // Red path: the lookups the TRR makes on the client's behalf. Only the
  // first edge carries the "domain" label.
  // NOTE(review): red presumably marks these hops as ordinary DNS outside the
  // HTTPS protection; the graph itself does not say so.
  edge[weight=5 color=red fontcolor=red];
  TRR -> "root server" [label="domain"]
  TRR -> "TLD server"
  TRR -> "authoritative server"

  // Blue annotations: note-shaped nodes joined to the component they describe
  // by arrowless edges (dir=none). The style=invis edges are not drawn; they
  // exist only to influence where the notes are placed.
  edge[weight=1 color=blue dir=none];
  node[shape=note color=blue fontcolor=blue];
  // What the TRR learns: the queries, but with popho.be as the only visible
  // source.
  "client's identity is hidden,\nonly sees popho.be" -> TRR
  "client's identity is hidden,\nonly sees popho.be" -> "TRR does domain requests, but is\nless subject to spying and manipulation" [style=invis]
  "TRR does domain requests, but is\nless subject to spying and manipulation" -> TRR
  TRR -> "TRR does domain requests, but is\nless subject to spying and manipulation" [style=invis]
  // What the relay learns: the client's address, but not the query content.
  // NOTE(review): the split between "knows who" (popho.be) and "knows what"
  // (TRR) protects the client only while the two are operated independently
  // and do not share logs. The diagram does not show who runs the TRR;
  // confirm.
  "client's queries are encrypted,\ncan't read" -> "popho\.be"
}