-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Tyrano,
Thank you for your feedback. However, I'm not sure I fully understand your questions.
Under my proposal, at least at this moment, if a domain ends with .tor (regex match) it is the human-name for a Tor hidden service and requires translation. The .tor domain, like .onion and the obsolete .exit, cannot be reached from outside Tor and will cause an immediate DNS failure on the clearnet DNS system. As far as I know, the .tor domain is not in use in the clearnet, so I think I am safe in using it. If the .tor cannot be found, I don't like the idea of retrying it on the clearnet through the Tor exit; that just leaks the lookup and your objective too many times. If you are looking up X.tor, it's quite likely that you're interested in browsing X.tor, and that is a small compromise of your privacy. Leaking the .tor lookup on clearnet DNS servers also introduces a small possibility for timing attacks.
On a different note, I'm sorry about the malformatting and the bad signature on my opening post. I'm not sure what happened there, but nothing other than formatting was amiss.
- --
Jesse V.
/CS, Network Security/
/Utah State University/
On 08/01/2014 03:39 AM, Tyrano Sauro tyranosu@yahoo.co.nz wrote:
Can we know a DNS for the normal HTTP of a hidden service? If the onion hidden name cannot reach from outside of Tor then maybe use that?
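
The lookup rule described in the reply above (a name ending in .tor is translated inside Tor and never retried on clearnet DNS), sketched as an added example that is not code from the proposal or from Tor. The `route` function, the `REGISTRY` table standing in for the translation step, and the onion address are assumptions constructed for illustration.

```python
import re

# Final label must be exactly "tor", with at least one label before it.
# A suffix test alone would also match "mentor" or "example.tor.example.com".
TOR_NAME = re.compile(r"^(?:[a-z0-9-]+\.)+tor$")

# Constructed sample data: stand-in for whatever maps human names to
# hidden-service addresses. The address below is a made-up placeholder.
REGISTRY = {"example.tor": "exampleonionaddr.onion"}


class NameNotFound(Exception):
    """Raised for an unknown .tor name; the caller must not retry elsewhere."""


def normalize(hostname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return hostname.strip().rstrip(".").lower()


def route(hostname, registry):
    """Return (path, target) for a hostname.

    path is "hidden-service" for .tor and .onion names and "exit" for
    everything else. Unknown .tor names fail closed: no clearnet lookup.
    """
    name = normalize(hostname)
    if TOR_NAME.match(name):
        onion = registry.get(name)
        if onion is None:
            # Fail here instead of handing the name to an exit relay,
            # which would leak the lookup to clearnet DNS servers.
            raise NameNotFound(name)
        return ("hidden-service", onion)
    if name.endswith(".onion"):
        return ("hidden-service", name)
    return ("exit", name)


if __name__ == "__main__":
    for host in ("Example.TOR.", "example.tor.example.com", "missing.tor"):
        try:
            print(host, "->", route(host, REGISTRY))
        except NameNotFound as err:
            print(host, "-> lookup failed inside Tor, not retried:", err)
```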