On Thu, Jan 26, 2012 at 10:42:53PM +0100, Ondrej Mikle wrote:
> I decided to give it a shot at implementing full DNS/DNSSEC resolution support for Tor, here's the branch:
> ATM the biggest limitation is that the reply DNS packet must fit in a single cell (i.e. max size is RELAY_PAYLOAD_SIZE).
Hi Ondrej,
Neat stuff! It's always nice to see people show up with patches.
So it looks like Tor would get two new libraries linked in, and exit relays would inherit whatever security/stability issues libunbound has since clients can basically hand them packets that they have to parse and deal with.
How to handle more of the dns protocol has always been a messy design question for Tor. More people are getting interested in it as we add more ipv6 support.
The previous hack recommendation had been for the client to use ttdnsd to run dns queries as normal Tor TCP flows:
https://gitweb.torproject.org/ioerror/ttdnsd.git
https://gitweb.torproject.org/ioerror/ttdnsd.git/blob_plain/HEAD:/README.Tor...
which resolves the "what about answers bigger than Tor's cell size" question, as well as the "are we really sure we want a whole dns server implementation inside Tor" question, but leaves such niggling issues as "so do you direct the streams to 8.8.8.8, or what?" It also has the advantage that 8.8.8.8 runs a single known version of its nameserver, rather than a collection of exit relays that each offer whichever version they linked.
What do you think about the tradeoffs here? I'd like Tor to support more of dns, but I also think it's important to avoid needing exit relays to know all the details.
--Roger
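The two sides of the tradeoff above (a reply that must fit in one cell versus DNS carried as an ordinary TCP stream) are easy to make concrete. What follows is an added example, not code from Ondrej's branch, from ttdnsd, or from Tor itself: a small Python sketch that builds DNS messages in wire format, checks them against RELAY_PAYLOAD_SIZE, and shows how the two-byte length prefix of DNS-over-TCP (RFC 1035 section 4.2.2) lets a reply span several RELAY_DATA cells. It assumes RELAY_PAYLOAD_SIZE is 498 (the 509-byte cell payload minus the 11-byte relay header); the records, key sizes and signature bytes are constructed samples, not real example.org data.

```python
import struct

# Assumed Tor constant: 509-byte cell payload minus the 11-byte relay header.
RELAY_PAYLOAD_SIZE = 498

TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels followed by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def edns0_opt(udp_payload=4096, do_bit=True):
    """OPT pseudo-RR (RFC 6891): root name, type 41, CLASS = advertised UDP size,
    TTL field = ext-rcode/version/flags with DO as the top flag bit, empty RDATA."""
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, flags, 0)


def build_query(qname, qtype, txid=0x1234):
    """Recursive query with one question and an EDNS0 OPT record asking for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, qd=1, ar=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + edns0_opt()


def rr(name, rtype, ttl, rdata):
    """Generic resource record: NAME, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered, key_tag, signer, signature):
    """RRSIG RDATA (RFC 4034 s3.1); algorithm 8 = RSA/SHA-256, other fields are sample values."""
    fixed = struct.pack("!HBBIIIH", type_covered, 8, 2, 3600, 0x60000000, 0x5FF00000, key_tag)
    return fixed + encode_name(signer) + signature


def dnskey_rdata(flags, modulus_len):
    """DNSKEY RDATA (RFC 4034 s2.1) holding an RSA key: 1-byte exponent length,
    3-byte exponent 65537, then a constructed modulus of modulus_len bytes."""
    return struct.pack("!HBB", flags, 3, 8) + b"\x03\x01\x00\x01" + b"\xaa" * modulus_len


def build_response(query, answers):
    """Answer a query: reuse its txid and question, set QR/AA/RD/RA/AD, append RRs and OPT."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = query.index(b"\x00", 12) + 1 + 4        # end of QNAME, then QTYPE/QCLASS
    header = struct.pack("!HHHHHH", txid, 0x85A0, 1, len(answers), 0, 1)
    return header + query[12:qend] + b"".join(answers) + edns0_opt()


def sample_a_response(query):
    """Constructed: one A record and its RRSIG (2048-bit RSA signature = 256 bytes)."""
    a = rr("example.org", TYPE_A, 3600, bytes([93, 184, 216, 34]))
    sig = rr("example.org", TYPE_RRSIG, 3600,
             rrsig_rdata(TYPE_A, 12345, "example.org", b"\x55" * 256))
    return build_response(query, [a, sig])


def sample_dnskey_response(query):
    """Constructed: a 2048-bit KSK (flags 257), a 1024-bit ZSK (flags 256) and the KSK's RRSIG."""
    ksk = rr("example.org", TYPE_DNSKEY, 3600, dnskey_rdata(257, 256))
    zsk = rr("example.org", TYPE_DNSKEY, 3600, dnskey_rdata(256, 128))
    sig = rr("example.org", TYPE_RRSIG, 3600,
             rrsig_rdata(TYPE_DNSKEY, 12345, "example.org", b"\x55" * 256))
    return build_response(query, [ksk, zsk, sig])


def fits_in_one_cell(msg):
    """The single-cell constraint the branch currently imposes on a reply."""
    return len(msg) <= RELAY_PAYLOAD_SIZE


def tcp_frame(msg):
    """DNS over TCP: two-byte big-endian length prefix, then the message."""
    return struct.pack("!H", len(msg)) + msg


def split_into_cells(stream):
    """How a circuit carries a TCP stream: RELAY_DATA cells of at most RELAY_PAYLOAD_SIZE bytes."""
    return [stream[i:i + RELAY_PAYLOAD_SIZE] for i in range(0, len(stream), RELAY_PAYLOAD_SIZE)]


def read_tcp_messages(cells):
    """Reassemble complete length-prefixed messages from the cells seen so far;
    a message whose tail has not arrived yet is left unread."""
    buf, msgs = b"".join(cells), []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs


if __name__ == "__main__":
    q = build_query("example.org", TYPE_DNSKEY)
    for name, m in (("A+RRSIG", sample_a_response(build_query("example.org", TYPE_A))),
                    ("DNSKEY+RRSIG", sample_dnskey_response(q))):
        print(name, len(m), "bytes, fits in one cell:", fits_in_one_cell(m))
    stream = tcp_frame(sample_a_response(q)) + tcp_frame(sample_dnskey_response(q))
    print("TCP stream of both replies needs", len(split_into_cells(stream)), "cells")
```

The point the sizes make: a signed A answer squeezes under 498 bytes, but a DNSKEY set with a 2048-bit KSK, a ZSK and one RRSIG (the kind of reply a validating resolver must fetch for every zone it checks) does not, so the single-cell design fails exactly where DNSSEC needs it; with DNS over TCP the length prefix, not the cell boundary, delimits the reply, and the receiver simply waits for the rest.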