On 12/09/2017 20:25, Ralph Seichter wrote:
> I'm not certain what you consider a "DNS attack".
> Many exit node operators run a caching DNS resolver on their exits, which is easily done. Lacking that, you can use the resolvers run by your ISP, who can monitor all outbound traffic anyway, as I mentioned.
An attacker can try to find what websites a Tor user has visited, by comparing:
- the timing of Tor user home connection traffic and
- the timing of DNS queries happening on DNS servers controlled by the attacker
On this webpage, the author talks about a "correlation" attack: https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/
On 12.09.17 23:00, jpmvtd261@laposte.net wrote:
> An attacker can try to find what websites a Tor user has visited, by comparing:
> - the timing of Tor user home connection traffic and
> - the timing of DNS queries happening on DNS servers controlled by the attacker
I'm aware of that. With a caching resolver running on the exit node, the only "DNS servers controlled by the attacker" would have to be upstream, the ones required to resolve what the Tor client requested in the first place. Your idea of query noise does not mitigate the risk of upstream DNS servers being taken over or monitored by an attacker. I run redundant DNS servers which host all of my domains (which are DNSSEC signed), and caching resolvers on all my Tor nodes. That's tough to mess with.
The problem is that people don't always run their own exit-node based resolvers, but forward to Google's infamous 8.8.8.8 et al. People should at the very least check if their respective ISP runs caching resolvers, which most do to reduce traffic.
-Ralph
tor-relays@lists.torproject.org