I wonder if these are all half-measures, and Tor needs a first-class solution to the DNS weakness.
Every Tor relay can have a simple resolver built-in, and/or perhaps all Tor relays could be running a DHT-style global DNS cache. In case of a cache miss, the exit relay could build a circuit to another relay and ask it to query core DNS servers on its behalf.
Alternatively, the Tor community could run our own DNS servers, and every exit node would use those by default.
...I have seen some papers discussing DNS-assisted traffic correlation attacks, but I still don't know how serious that threat is. I am basically not sure if DNS is a high-priority vulnerability right now, or just a distraction.
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Ralph Seichter
Sent: Tuesday, September 12, 2017 1:25 PM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators
On 12.09.17 22:11, jpmvtd261@laposte.net wrote:
My idea is designed to protect the exit node against a DNS attack from the owner of the DNS server. Not from the ISP or an attacker monitoring the traffic going in and out of the ISP data center.
I'm not certain what you consider a "DNS attack".
Many exit node operators run a caching DNS resolver on their exits, which is easily done. Lacking that, you can use the resolvers run by your ISP, who can monitor all outbound traffic anyway, as I mentioned.
-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
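As an illustration of the "caching DNS resolver on the exit" that Ralph describes, here is an added example of an Unbound configuration for a Tor exit; it is not taken from the thread or from any listed operator. It assumes Unbound is installed, that the root trust anchor and root hints live at the paths shown (these vary by distribution), and that the exit's /etc/resolv.conf is then pointed at 127.0.0.1 so Tor's own resolver (configured via torrc's default ServerDNSResolvConfFile) uses it. The resolver recurses directly to authoritative servers, so no third-party resolver operator sees the exit's full query stream; the upstream path through the ISP is still visible to the ISP, as noted above.

```conf
# /etc/unbound/unbound.conf  -- added example for a Tor exit (not from the thread)
server:
    # Listen only on loopback: Tor on this host is the sole client.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Refuse everything except local queries, so the exit is not an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Recurse from the root ourselves instead of forwarding to a third party.
    # Paths are an assumption; check where your distribution installs these.
    root-hints: "/etc/unbound/root.hints"
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # DNSSEC validation and hardening against spoofed/stripped answers.
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    val-clean-additional: yes

    # Send only the labels each upstream server needs (RFC 7816): reduces
    # how much of each full name any single authoritative server learns.
    qname-minimisation: yes

    # Caching: an exit resolves a lot of repeated names, so a warm cache both
    # speeds up clients and keeps many lookups entirely on-box.
    prefetch: yes
    prefetch-key: yes
    cache-min-ttl: 60
    cache-max-ttl: 86400
    msg-cache-size: 64m
    rrset-cache-size: 128m
    num-threads: 2
    minimal-responses: yes

    # Do not advertise resolver identity/version to whoever asks.
    hide-identity: yes
    hide-version: yes

    # Keep logging low: a detailed query log on an exit is itself sensitive.
    verbosity: 1
    log-queries: no
```

After reloading Unbound, set `nameserver 127.0.0.1` as the only entry in /etc/resolv.conf; Tor reads that file by default (ServerDNSResolvConfFile) and leaving ServerDNSDetectHijacking at its default of 1 lets Tor notice if answers stop coming back as expected. The `access-control` lines are the part to double-check: an exit whose resolver answers the whole internet becomes an amplification source as well as a leak.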