Ralph, you seem to be more concerned with minimizing the number of hosts involved in a DNS lookup, and you (correctly) believe that running a recursive resolver yourself, as opposed to delegating it, decreases that number. If a DNS provider like Hurricane Electric is your main concern, then I think we are in agreement.
I assume, however, that most of these ISPs have no technical capability or business incentives to be engaged in Tor traffic correlation. When it comes to Tor traffic correlation, I am more concerned with defending Tor users against the already-known attackers.
According to the leaked documents, there is a large, but not global, passive adversary confirmed to be intercepting and analyzing IP traffic between targeted hosts, without the capacity to control all network links, and without the legal authority to hack the hosts themselves. I am making an assumption that Tor relays sending DNS requests to a large and diverse number of destinations can make practical DNS-assisted traffic correlation prohibitively expensive.
On Sun, Oct 8, 2017 at 12:03 PM, Ralph Seichter m16+tor@monksofcool.net wrote:

> On 08.10.17 20:48, Igor Mitrofanov wrote:
>
>> Unbound's upstream requests can be intercepted and used in traffic correlation just like any other.
>
> I thought I expressed myself clearly enough, but I'll try one more time. Unbound, or any other resolver, can either a) perform the recursive lookup or b) delegate the lookup. Case a) is preferable in regards to profiling because it does not involve additional third-party servers that have nothing to do with the query. Case b) involves third-party servers, so it offers more points where traffic can be analysed. Looking up host.somedomain.tld should, if no cached data is available, only involve one of the root zone servers, one server for the tld zone, and one server for the somedomain zone. It should not involve a resolver run by Google or other parties that have no business in knowing that my Tor node just looked up host.somedomain.tld.
>
>> Yes, Unbound follows the recursive protocol and works with the hierarchy from the root DNS servers down, but your ISP can still observe your entire DNS activity.
>
> I have explicitly stated "If the ISP hosting the Tor node has resolvers for their customers, these can be used as well, *since the ISP sees all outgoing traffic anyway*". Are you deliberately trying to misunderstand me?
>
> -Ralph

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
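To make the two resolver modes debated above concrete, here is an added unbound.conf illustration; it is not part of the thread and not the configuration of any relay mentioned in it. The forwarder address is a documentation-range placeholder and the root-hints path is an assumption. The first fragment is case b), where every query is handed to a third-party resolver that then learns the full name; the second is case a), where Unbound walks from the root down itself, with QNAME minimisation so the root and TLD servers only see the labels they need.

```conf
# Added example, not from the mailing-list thread.
# Pick ONE of the two fragments below for a relay's resolver.

# ---- Case b): delegate the lookup (the weaker setting) -------------------
# Every name the relay resolves is sent in full to the forwarder, so the
# forwarder operator is an extra observer on top of the ISP carrying the packets.
# 192.0.2.53 is a placeholder from the documentation range, not a real resolver.
server:
    interface: 127.0.0.1
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

forward-zone:
    name: "."
    forward-addr: 192.0.2.53

# ---- Case a): full recursion from the root hints (the preferred setting) ---
# No forward-zone at all: Unbound contacts a root server, a TLD server and the
# zone's own authoritative server, and nobody else, for an uncached name.
server:
    interface: 127.0.0.1
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    # Path is an assumption; the root hints file is published by InterNIC.
    root-hints: "/etc/unbound/root.hints"
    # Ask each server only for the label it is authoritative for, so the root
    # and TLD servers never see "host.somedomain.tld" in full.
    qname-minimisation: yes
    # Serve and refresh from cache aggressively: fewer uncached lookups means
    # fewer query packets leaving the host for an on-path observer to see.
    prefetch: yes
    cache-min-ttl: 300
    # Reject additional-section data that the answering server is not
    # authoritative for, limiting cache poisoning via referrals.
    harden-glue: yes
    harden-referral-path: yes
```

Validate whichever fragment you keep with `unbound-checkconf` before restarting the daemon. Note that case a) only removes the third-party resolver from the path; as Igor points out, the ISP carrying the relay's traffic still sees every query the resolver sends, so recursion reduces the number of observers rather than eliminating them.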