On 12.09.17 23:00, jpmvtd261@laposte.net wrote:
An attacker can try to find what websites a Tor user has visited, by comparing :
- the timing of Tor user home connection traffic and
- the timing of DNS queries happening on DNS servers controlled by the attacker
I'm aware of that. With a caching resolver running on the exit node, the only "DNS servers controlled by the attacker" would have to be upstream, the ones required to resolve what the Tor client requested in the first place. Your idea of query noise does not mitigate the risk of upstream DNS servers being taken over or monitored by an attacker. I run redundant DNS servers which host all of my domains (which are DNSSEC signed), and caching resolvers on all my Tor nodes. That's tough to mess with.
The problem is that people don't always run their own exit-node based resolvers, but forward to Google's infamous 8.8.8.8 et al. People should at the very least check if their respective ISP runs caching resolvers, which most do to reduce traffic.
-Ralph