Hi Nick,
I've revised the DNS draft, attaching it. In section 4 there are some options for integration with libunbound, but each of them requires some work with the stock libunbound code.
Ondrej
Thus spake Ondrej Mikle (ondrej.mikle@gmail.com):
I've revised the DNS draft, attaching it. In section 4 there are some options for integration with libunbound, but each of them requires some work with the stock libunbound code.
I'm not a DNS expert, but I have a couple preliminary requests/questions.
First, can you provide a section in the proposal on the analysis of the number of round trips over Tor for different request scenarios? If you offload full DNS responsibility to the client, certain query behaviors are going to be better than others with respect to the number of round trips over Tor. We're going to want to minimize these round trips, especially if we decide we want to rely on DNSsec/DANE for everything. Clients may also want to use this information to try to intelligently decide cases where we don't want to do full DNSsec queries and revert to the oldstyle SOCKS4A.
Second (and related), is it totally insane to map some sort of magic IP to "foward this query the local exit node resolver" so that the client can easily get DNS(sec) perspectives from each exit node's resolver caches? This might both minimize round trips for clients who don't want to either hardcode 8.8.8.8 or do full recursive resolves against the root servers. On the other hand, it might complicate query handling on the exit side and also introduce weird cache/poisoning attacks?
These two areas are probably useful to describe in the proposal, since it or the spec it turns in to will presumably be read by random people looking to use the new full DNS support and who might do it wrong, either from a performance or a security perspective.
Filename: xxx-dns-dnssec.txt Title: Support for full DNS and DNSSEC resolution in Tor Authors: Ondrej Mikle Created: 4 February 2012 Modified: 19 August 2012 Status: Draft
- Overview
Adding support for any DNS query type to Tor, as well as DNSSEC support.
0.1. Motivation
Many applications running over Tor need more than just resolving FQDN to IPv4 and vice versa. Sometimes to prevent DNS leaks the applications have to be hacked around to be supplied necessary data by hand (e.g. SRV records in XMPP). TLS connections will benefit from planned TLSA record that provides certificate pinning to avoid another Diginotar-like fiasco.
DNSSEC is part of the DNS protocol and the most appropriate place for DNSSEC API would be probably in OS libraries (e.g. libc). However that will probably take time until it becomes widespread.
On the Tor's side (as opposed to application's side), DNSSEC will provide protection against DNS cache-poisoning attacks (provided that exit is not malicious itself, but still reduces attack surface).
- Design
1.1 New cells
There will be two new cells, RELAY_DNS_BEGIN and RELAY_DNS_RESPONSE (we'll use DNS_BEGIN and DNS_RESPONSE for short below).
DNS_BEGIN payload:
DNS packet data (variable length)The DNS packet must be generated internally by libunbound to avoid fingerprinting users by differences in client resolvers' behavior.
DNS_RESPONSE payload:
total length (2 octets) data (variable)Data contains the reply DNS packet or its part if packet would not fit into the cell. Total length describes length of complete response packet, thus one DNS_BEGIN may be answered by multiple DNS_RESPONSE cells.
DNS_BEGIN must use a non-zero, distinct StreamID, corresponding DNS_RESPONSE will use the same StreamID. Similarly to RELAY_RESOLVE(D), no actual stream is created.
AXFR and IXRF are not supported in this cell by design (see specialized tool below).
- Interfaces to applications
DNSPort evdns - existing implementation will be updated to use DNS_BEGIN.
- Limitations on DNS query
Query class is limited to IN (INTERNET) since the only other useful class CHAOS is practical for directly querying authoritative servers (OR in this case acts as a recursive resolver). Query for class other than IN will return REFUSED in the inner DNS packet.
Multiple questions in a single packet are not supported and OR will respond with REFUSED as the DNS error code.
All query RR types are allowed.
[XXXX I originally thought about some exit policy like "basic RR types" and "all RRs", but managing such list in deployed nodes with extra directory flags outweighs the benefit. Maybe disallow ANY RR type? ]
Client as well as OR MUST block attempts to resolve local RFC 1918, 4193, 4291 adresses (PTR). REFUSED will be returned as DNS error code from OR.
Request for special names (.onion, .exit, .noconnect) will return REFUSED.
- Implementation notes
Client will periodically purge incomplete DNS replies. Any unexpected DNS_RESPONSE will be dropped.
AD flag must be zeroed out on client unless validation is performed.
[XXXX libunbound lowlevel API, Tor+libunbound libevent loop
libunbound doesn't publicly expose all the necessary parts of low-level API. It can return the received DNS packet, but not let you construct a packet and get it in wire-format, for example.
Options I see:
a) patch libunbound to be able feed wire-format DNS packets and add API to obtain constructed packets instead of sending over network
b) replace bufferevents for sockets in unbound with something like libevent's paired bufferevents. This means that data extracted from DNS_RESPONSE/DNS_BEGIN cells would be fed directly to some evbuffers that would be picked up by libunbound. It could possibly result in avoiding background thread of libunbound's ub_resolve_async running separate libevent loop.
c) bind to some arbitrary local address like 127.1.2.3:53 and use it as forwarder for libunbound. The code there would pack/unpack the DNS packets from/to libunbound into DNS_BEGIN/DNS_RESPONSE cells. It wouldn't require modification of libunbound code, but it's not pretty either. Also the bind port must be 53 which usually requires superuser privileges.
Code of libunbound is fairly complex for me to see outright what would the best approach be. ]
- Separate tool for AXFR
The AXFR tool will have similar interface like tor-resolve, but will return raw DNS data.
Parameters are: query domain, server IP of authoritative DNS.
The tool will transfer the data through "ordinary" tunnel using RELAY_BEGIN and related cells.
This design decision serves two goals:
- DNS_BEGIN and DNS_RESPONSE will be simpler to implement (lower chance of bugs)
- in practice it's often useful do AXFR queries on secondary authoritative DNS servers
IXFR will not be supported (infrequent corner case, can be done by manual tunnel creation over Tor if truly necessary).
- Security implications
Transaction ID is provided randomly by libunbound, no need to modify.
As proposal 171 mentions, we need mitigate circuit correlation. One solution would be keeping multiple streams to multiple exit nodes and picking one at random for DNS resolution. Other would be keeping DNS-resolving circuit open only for a short time (e.g. 1-2 minutes). Randomly changing the circuits however means that it would probably incur additional latency since there would likely be a few cache misses on the newly selected exits.
- TTL normalization idea
A bit complex on implementation, because it requires parsing DNS packets at exit node.
TTL in reply DNS packet MUST be normalized at exit node so that client won't learn what other clients queried. The normalization is done in following way:
- for a RR, the original TTL value received from authoritative DNS server should be used when sending DNS_RESPONSE, trimming the values to interval [5, 600]
- does not pose "ghost-cache-attack", since once RR is flushed from libunbound's cache, it must be fetched anew
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
On 08/20/2012 02:43 AM, Mike Perry wrote:
Thus spake Ondrej Mikle (ondrej.mikle@gmail.com):
I've revised the DNS draft, attaching it. In section 4 there are some options for integration with libunbound, but each of them requires some work with the stock libunbound code.
I'm not a DNS expert, but I have a couple preliminary requests/questions.
First, can you provide a section in the proposal on the analysis of the number of round trips over Tor for different request scenarios? If you offload full DNS responsibility to the client, certain query behaviors are going to be better than others with respect to the number of round trips over Tor. We're going to want to minimize these round trips, especially if we decide we want to rely on DNSsec/DANE for everything. Clients may also want to use this information to try to intelligently decide cases where we don't want to do full DNSsec queries and revert to the oldstyle SOCKS4A.
Added section 8 to the draft with a "common" and "extreme" example. Validation still would be done at both exit and client: client can't trust the AD bit from exit and exit must implement own recursive resolver via libunbound as ISP's resolvers often won't work with DNSSEC, the problem is usually in fetching DS records.
Second (and related), is it totally insane to map some sort of magic IP to "foward this query the local exit node resolver" so that the client can easily get DNS(sec) perspectives from each exit node's resolver caches? This might both minimize round trips for clients who don't want to either hardcode 8.8.8.8 or do full recursive resolves against the root servers. On the other hand, it might complicate query handling on the exit side and also introduce weird cache/poisoning attacks?
It's actually quite interesting idea, though not sure how to map a local 127.0.0./8 IP to a specific exit. If the exit changes inbetween queries (new circuit), should the client know somehow?
I also thought about "most lightweight" implementation which would just use ldns library on the exit's side - client would employ the "magic IP" as forwarder for local standalone unbound daemon. But it breaks on the inability of ISPs' resolvers to fetch DS records mentioned above.
For the perspective it should be noted that many CDNs and load balancers use short TTLs in the range 5-30, two subsequent queries may return different results.
Ondrej
If an Unbound type of DNSSEC/validating resolver exist on end-user's (tor proxy user's) computer, then, it can be configured to prevent accidental dns leaks from any apps on that computer, by using unbound configuration command-lines like: local-zone: "onion." refuse local-zone: "exit." refuse local-zone: "noconnect." refuse so having an unbound on tor proxy user's side, has some benefit.
Unbound can have configuration commandline, like this: outgoing-interface: 192.168.0.10 The Network interface Adapater which is connected to Internet, should be configured to have a fixed ip, like 192.168.0.10, and that needs to be specified on outgoing-interface, so that Unbound can send queries thru such outgoing-interface. Normally at least those who uses computer for both Anonymity and Private purpose they can use fix net-adapter ip. Unbound usually uses different set of ports from that outgoing-interface IP address, to connect with different DNS server's DNS port. Unbound has option to use 1 outgoing port (from that outgoing-interface), but that will open it up for some other vulnerabilities. Unbound also has option to use a range of ports from that outgoing interface. So if tor can have a Transparent Listenning IP address (without any fixed/single port), then in Unbound, tor's transparent ip can be specified as outgoing. And that should work fine, for those who uses the VM or the computer only for Anonymity purpose. But i have failed to find such an option in Tor. If a transparent listenning ip address (able to listen on all ports) is too hard to code, or does not exist currently, then at least this feature should be added in tor, which at least be able to listen on a range of ports (if not the entire ports 1~65535), then that range can be pre-specified in Unbound. For example, this configuration command-line will use a range of 4096 ports only: outgoing-port-permit: 52000-56096 And if few ports in it are needed to be avoid, if used by other server programs or so in that computer, then something similar can be added in Unbound: outgoing-port-avoid: "52010,52011"
If an unbound configuration is using only one forward-zone command (for root zone, which is forward-zone: name: "." Then, 1 port based transparent proxy is useful. but, most unbound configuration needs more than one: forward-zone: name: "domain/TLD" forward-addr:/forward-host: stub-zone: name: "domain/TLD" stub-addr:/stub-host: In a multi stub/forwarding case, listenning to the entire port range or certain portion of entire port range from the outgoing interface ip address is needed.
In above cases a tor proxy user who is using properly configured unbound, does not need to use tor exit node's dns resolver. first-time accessing a site will have some delay, once its in the cache (on unbound on tor proxy user's computer) from 2nd query and so on it will be very fast, as no need to goto the exit-node for the answer.
If tor exit node has a recursive DNSSEC supported resolver, and if that can be used by the tor proxy user's unbound, then that will speed up dns res as well.
But if, tor proxy user does not have unbound, (which is many user's case), and using tor-exit-node's dnssec supported resolver for the local apps, then each/every query will get answer from exit-node's dns cache, will need to travel thru two/three middle-nodes, twice, once for asking, once for receiving answer, so it will be slower than other two scenario. To counter it, tor itself should also contain a dns cache that supports DNSSEC, acting as validating stub resolver for the local apps which will need use DNSSEC queries.
Google Public DNS, permanently stores user's certain information. There are other DNSSEC supported validating recursive dns servers/resolvers which respects Anonymity and Privacy.
-- Bry8Star. Sep 16, 2012. 03-30pm. utc.
On 8/22/2012 8:44 AM, Ondrej Mikle wrote:
On 08/20/2012 02:43 AM, Mike Perry wrote:
Thus spake Ondrej Mikle (ondrej.mikle@gmail.com):
I've revised the DNS draft, attaching it. In section 4 there are some options for integration with libunbound, but each of them requires some work with the stock libunbound code.
I'm not a DNS expert, but I have a couple preliminary requests/questions.
First, can you provide a section in the proposal on the analysis of the number of round trips over Tor for different request scenarios? If you offload full DNS responsibility to the client, certain query behaviors are going to be better than others with respect to the number of round trips over Tor. We're going to want to minimize these round trips, especially if we decide we want to rely on DNSsec/DANE for everything. Clients may also want to use this information to try to intelligently decide cases where we don't want to do full DNSsec queries and revert to the oldstyle SOCKS4A.
Added section 8 to the draft with a "common" and "extreme" example. Validation still would be done at both exit and client: client can't trust the AD bit from exit and exit must implement own recursive resolver via libunbound as ISP's resolvers often won't work with DNSSEC, the problem is usually in fetching DS records.
Second (and related), is it totally insane to map some sort of magic IP to "foward this query the local exit node resolver" so that the client can easily get DNS(sec) perspectives from each exit node's resolver caches? This might both minimize round trips for clients who don't want to either hardcode 8.8.8.8 or do full recursive resolves against the root servers. On the other hand, it might complicate query handling on the exit side and also introduce weird cache/poisoning attacks?
It's actually quite interesting idea, though not sure how to map a local 127.0.0./8 IP to a specific exit. If the exit changes inbetween queries (new circuit), should the client know somehow?
I also thought about "most lightweight" implementation which would just use ldns library on the exit's side - client would employ the "magic IP" as forwarder for local standalone unbound daemon. But it breaks on the inability of ISPs' resolvers to fetch DS records mentioned above.
For the perspective it should be noted that many CDNs and load balancers use short TTLs in the range 5-30, two subsequent queries may return different results.
Ondrej
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-
Bry8 Star -
Mike Perry -
Ondrej Mikle