Should new exit relays be probed for public DNS resolvers

There has been discussion over the past several years that the Tor network should not use public DNS resolvers as it has security implications on the Tor network (https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca). Should new Tor Exit Relays be probed and not included in the consensus until they're running their own DNS resolver and not relying on a public one?

Hey Nathaniel,
What's your threat model here? What would you want to achieve?
On Wed, 4 Mar 2020, 17:24 Nathaniel Suchy, <nathanielsuchy@protonmail.com> wrote:
> There has been discussion over the past several years that the Tor network should not use public DNS resolvers as it has security implications on the Tor network (https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca). Should new Tor Exit Relays be probed and not included in the consensus until they're running their own DNS resolver and not relying on a public one?

It’s not a threat model issue. It’s more of a let’s make Tor less dependent on a few public resolvers. Running our own resolvers just makes more sense at such a scale.
Cordially,
Nathaniel Suchy (they/them)
On Thu, Mar 5, 2020 at 1:59 AM, Alec Muffett <alec.muffett@gmail.com> wrote:
> Hey Nathaniel,
> What's your threat model here? What would you want to achieve?
> On Wed, 4 Mar 2020, 17:24 Nathaniel Suchy, <nathanielsuchy@protonmail.com> wrote:
>> There has been discussion over the past several years that the Tor network should not use public DNS resolvers as it has security implications on the Tor network (https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca). Should new Tor Exit Relays be probed and not included in the consensus until they're running their own DNS resolver and not relying on a public one?

Hi,
On 05/03/2020 14:20, Nathaniel Suchy wrote:
> It’s not a threat model issue.
Who gets to see Tor users' DNS requests is exactly a threat model issue.
> It’s more of a let’s make Tor less dependent on a few public resolvers. Running our own resolvers just makes more sense at such a scale.
Availability of DNS lookups to Tor clients is a threat model issue.
Thanks,
Iain.

On Thu, 5 Mar 2020 at 14:37, Iain Learmonth <irl@torproject.org> wrote:
> On 05/03/2020 14:20, Nathaniel Suchy wrote:
>> It’s not a threat model issue.
> Who gets to see Tor users' DNS requests is exactly a threat model issue.
Concur. That is exactly the reason that I am asking clarification of Nathaniel's perspective, here.
I'm currently doing some research on the area, and am particularly interested in which/all of Nathaniel is concerned by:
1/ blocking of Tor-users' DNS requests
2/ tampering with Tor-users' DNS requests
3/ surveillance of Tor-users' DNS requests
4/ *corporate* surveillance of Tor-users' DNS requests
5/ other...
Because if Nathaniel is primarily interested in 3 and 4 from that list, then this is a particularly interesting video to watch (cued up to 0:33 for convenience)
https://www.youtube.com/watch?v=FrGZczZ8tyU&t=0m33s
...and which, with a little reflection regarding the "anonymity loves company" philosophy of Tor, suggests that the solution might in part be MORE AND PRIVATE use of "big" resolvers... because the little ones are just as much, perhaps more of a risk.
-a
-- http://dropsafe.crypticide.com/aboutalecm

From my point of view it's much more helpful to run a DoH (or DNSCrypt, DoT if you like) client on an exit and randomly distribute requests to a set of DoH/DNSCrypt/DoT servers to hide the actual DNS requests an exit is doing from an adversary which might use this information for correlation.
As the requests are randomly distributed between a set of servers this additionally fixes the problems of a single entity answering/monitoring all DNS requests.
Unfortunately root servers don't support encrypted DNS (except for openNIC, but I don't think they are not an option for a general recommendation because only 9 servers are currently supporting encryption).
BUT: By using for example the list of encrypting DNS servers and dnscrypt-proxy the dnscrypt project is offering it would be easy to implement a huge set of relays using a random set of DoH or DNSCrypt enabled DNS servers.
Regards,
flux
On 3/5/20 3:45 PM, Alec Muffett wrote:
> On Thu, 5 Mar 2020 at 14:37, Iain Learmonth <irl@torproject.org> wrote:
>> On 05/03/2020 14:20, Nathaniel Suchy wrote:
>>> It’s not a threat model issue.
>> Who gets to see Tor users' DNS requests is exactly a threat model issue.
> Concur. That is exactly the reason that I am asking clarification of Nathaniel's perspective, here.
> I'm currently doing some research on the area, and am particularly interested in which/all of Nathaniel is concerned by:
> 1/ blocking of Tor-users' DNS requests
> 2/ tampering with Tor-users' DNS requests
> 3/ surveillance of Tor-users' DNS requests
> 4/ *corporate* surveillance of Tor-users' DNS requests
> 5/ other...
> Because if Nathaniel is primarily interested in 3 and 4 from that list, then this is a particularly interesting video to watch (cued up to 0:33 for convenience)
> https://www.youtube.com/watch?v=FrGZczZ8tyU&t=0m33s
> ...and which, with a little reflection regarding the "anonymity loves company" philosophy of Tor, suggests that the solution might in part be MORE AND PRIVATE use of "big" resolvers... because the little ones are just as much, perhaps more of a risk.
> -a
> -- http://dropsafe.crypticide.com/aboutalecm
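
Added example, not part of the thread or of any project mentioned in it: a small Python simulation of the scheme flux describes above (each query sent to a uniformly random resolver from a pool), measuring what each resolver operator ends up observing. The pool, the operator names and the query workload are constructed, and the assumption that one operator may run several pool entries goes beyond what the message states.

```python
import random
from collections import defaultdict

# Constructed resolver pool: (resolver, operator). All names are hypothetical.
POOL = [
    ("doh-a1", "operator-A"), ("doh-a2", "operator-A"),
    ("doh-b1", "operator-B"), ("dnscrypt-c1", "operator-C"),
    ("dot-d1", "operator-D"),
]

def simulate(queries, pool, seed=0):
    """Send each query to a uniformly random resolver; record what each operator sees."""
    rng = random.Random(seed)
    seen = defaultdict(list)
    for name in queries:
        _resolver, operator = rng.choice(pool)
        seen[operator].append(name)
    return seen

def exposure(queries, pool, seed=0):
    """Per operator: share of query volume and share of distinct names observed."""
    seen = simulate(queries, pool, seed)
    total, distinct = len(queries), len(set(queries))
    return {
        op: {
            "volume": len(names) / total,
            "distinct": len(set(names)) / distinct,
        }
        for op, names in seen.items()
    }

def sample_queries(n_popular=5, n_rare=200, repeats=100):
    """Constructed workload: a few names looked up often, many looked up once."""
    popular = [f"popular{i}.example" for i in range(n_popular)] * repeats
    rare = [f"rare{i}.example" for i in range(n_rare)]
    return popular + rare

if __name__ == "__main__":
    q = sample_queries()
    print("single resolver:", exposure(q, POOL[:1]))
    for op, stats in sorted(exposure(q, POOL).items()):
        print(op, {k: round(v, 2) for k, v in stats.items()})
```

In this model the query volume is split roughly in proportion to how many pool entries an operator runs, while names that are looked up repeatedly still reach every operator over time unless the exit caches the answers.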

On Thu, 5 Mar 2020 at 14:32, Nathaniel Suchy <nathanielsuchy@protonmail.com> wrote:
> It’s not a threat model issue. It’s more of a let’s make Tor less dependent on a few public resolvers.
So, you perceive a threat (or: some trait that needs to be mitigated) from large-scale use of a small population of (otherwise highly available) public resolvers.
What does that threat (or: similar) look like?
-a
-- http://dropsafe.crypticide.com/aboutalecm
participants (4)
- Alec Muffett
- flux
- Iain Learmonth
- Nathaniel Suchy