<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>From my point of view it's much more helpful to run a DoH (or
DNSCrypt, or DoT if you like) client on an exit and randomly
distribute requests to a set of DoH/DNSCrypt/DoT servers to hide
the actual DNS requests an exit is doing from an adversary which
might use this information for correlation.</p>
<p>As the requests are randomly distributed between a set of servers,
this additionally fixes the problem of a single entity
answering/monitoring all DNS requests.</p>
<p>Unfortunately root servers don't support encrypted DNS (except
for OpenNIC, but I don't think they are an option for a general
recommendation because only 9 servers are currently supporting
encryption).</p>
<p>BUT: by using, for example, the list of encrypting DNS servers and
dnscrypt-proxy that the DNSCrypt project is offering, it would be easy
to implement a huge set of relays using a random set of DoH- or
DNSCrypt-enabled DNS servers.</p>
<p>Regards,</p>
<p> flux</p>
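<p>The setup flux sketches above, written out as an added example (this configuration is not from the thread and not the DNSCrypt project's own sample file): a minimal dnscrypt-proxy 2.x configuration that listens on the exit's loopback interface, loads the project's public resolver list, filters it to encrypted resolvers that promise DNSSEC, no logging and no filtering, and then picks a resolver at random per query. The option names are dnscrypt-proxy's; the minisign key is a placeholder to be replaced with the key published in the DNSCrypt resolvers repository, and the resolv.conf wiring to Tor (the exit reading <code>nameserver 127.0.0.1</code>, e.g. via Tor's <code>ServerDNSResolvConfFile</code>) is assumed to be done separately.</p>

```toml
# Added example (not from the thread): dnscrypt-proxy 2.x on a Tor exit,
# spreading the exit's DNS queries at random over many encrypted resolvers
# so that no single resolver operator sees the whole query stream.

# Tor's resolver sends to this address; the exit's resolv.conf (or the file
# named in Tor's ServerDNSResolvConfFile) must contain "nameserver 127.0.0.1".
listen_addresses = ['127.0.0.1:53']

# Accept both DNSCrypt and DNS-over-HTTPS resolvers from the list below.
dnscrypt_servers = true
doh_servers = true

# Drop every resolver from the list that does not promise DNSSEC validation,
# no query logging and no filtering. The remaining resolvers form the pool.
require_dnssec = true
require_nolog = true
require_nofilter = true

# server_names is deliberately left unset so the whole filtered pool is
# eligible. 'random' picks a resolver per query instead of the default
# latency-weighted 'p2' strategy; this is the property that keeps any one
# resolver (and any one on-path observer near it) from seeing all queries.
lb_strategy = 'random'
lb_estimator = false

# Never consult the system resolver (plaintext port 53 upstream) ourselves.
ignore_system_dns = true

# A local cache means repeated lookups for the same name are answered here
# and never leave the exit at all, which further reduces what is observable.
cache = true

[sources]
  [sources.'public-resolvers']
    # The DNSCrypt project's signed list of public DoH/DNSCrypt resolvers.
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
    cache_file = 'public-resolvers.md'
    # PLACEHOLDER: paste the minisign public key published alongside the
    # list; a list that does not verify against it is rejected, so a wrong
    # key fails closed rather than loading an unsigned resolver set.
    minisign_key = 'REPLACE-WITH-PUBLISHED-MINISIGN-KEY'
    refresh_delay = 72
```

<p>Two checks are worth doing after deploying this: <code>dnscrypt-proxy -list</code> prints the resolvers that survived the <code>require_*</code> filters, which shows how large the pool actually is (a pool of two or three resolvers does little to spread the load), and a packet capture on the exit's upstream interface for UDP/TCP port 53 should show nothing once Tor is pointed at 127.0.0.1, since any remaining plaintext DNS would be exactly the leak this setup is meant to remove.</p>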
<p><br>
</p>
<div class="moz-cite-prefix">On 3/5/20 3:45 PM, Alec Muffett wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFWeb9LQaOWAqpZ_hTsO55EVghZ0+nPc0enkB+O7ciOcsF=chQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 5 Mar 2020 at
14:37, Iain Learmonth <<a
href="mailto:irl@torproject.org"
moz-do-not-send="true">irl@torproject.org</a>>
wrote:</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
On 05/03/2020 14:20, Nathaniel Suchy wrote:<br>
> It’s not a threat model issue.<br>
<br>
Who gets to see Tor users' DNS requests is exactly a
threat model issue.<br>
</blockquote>
<div><br>
</div>
<div>Concur. That is exactly the reason that I am asking
clarification of Nathaniel's perspective, here.</div>
<div><br>
</div>
<div>I'm currently doing some research on the area, and am
particularly interested in which/all of Nathaniel is
concerned by:</div>
<div><br>
</div>
<div>1/ blocking of Tor-users' DNS requests</div>
<div>2/ tampering with Tor-users' DNS requests</div>
<div><span style="color:rgb(0,0,0)">3/ surveillance of
Tor-users' DNS requests</span></div>
<div><span style="color:rgb(0,0,0)"></span>4/ *corporate*
surveillance of Tor-users' DNS requests</div>
<div>5/ other...</div>
<div><br>
</div>
<div>Because if Nathaniel is primarily interested in 3 and
4 from that list, then this is a particularly
interesting video to watch (cued up to 0:33 for
convenience)</div>
<div><br>
</div>
<div> <a
href="https://www.youtube.com/watch?v=FrGZczZ8tyU&t=0m33s"
moz-do-not-send="true">https://www.youtube.com/watch?v=FrGZczZ8tyU&t=0m33s</a><br>
</div>
<div><br>
</div>
<div>...and which, with a little reflection regarding the
"anonymity loves company" philosophy of Tor, suggests
that the solution might in part be MORE AND PRIVATE use
of "big" resolvers... because the little ones are just
as much, perhaps more of a risk.</div>
<div><br>
</div>
<div> -a</div>
<div><br>
</div>
</div>
-- <br>
<div dir="ltr" class="gmail_signature"><a
href="http://dropsafe.crypticide.com/aboutalecm"
target="_blank" moz-do-not-send="true">http://dropsafe.crypticide.com/aboutalecm</a><br>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
tor-relays mailing list
<a class="moz-txt-link-abbreviated" href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a>
<a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a>
</pre>
</blockquote>
</body>
</html>