[anti-censorship-team] Development plan sketch for a DNS pluggable transport
David Fifield
david at bamsoftware.com
Thu May 7 06:34:41 UTC 2020
Earlier I posted how to use Tor through my new DNS tunnel.
https://lists.torproject.org/pipermail/anti-censorship-team/2020-April/000080.html
https://www.bamsoftware.com/software/dnstt/#proxy-tor
Here's a sketch of what development tasks would be needed to turn it
into a proper pluggable transport. I estimate it would be about a GSoC's
worth of work, though it's too late to be a GSoC project this year. It
would be a good project for someone who wants experience with the
mechanics of implementing a pluggable transport, using a circumvention
component that's already working.
- Replace command-line interface with managed goptlib interface.
  - Client
        ClientTransportPlugin dns exec dns-client
        Bridge dns 192.0.2.4:1 FINGERPRINT domain=t.example.com doh=https://dns.example/dns-query pubkey=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff
  - Server
        ServerTransportOptions dns mtu=1232
        ServerTransportPlugin dns exec ./dns-server
- Make the server generate a keypair on first run, store it in pt_state
  like obfs4proxy.
- Add uTLS to the client to disguise TLS fingerprint.
- Add ExtOrPort support to the server.
  - For USERADDR, choose a distinguished placeholder client address. See
    the last paragraph of
    https://lists.torproject.org/pipermail/metrics-team/2020-March/001142.html
- Bonus: Enhance the bridge configuration panel to enable configuring
  the resolver without kludges like "meek-google" and "meek-amazon".
  - Or ship with a list of resolvers and choose one at random.
I don't know whether a DNS transport is deployable by default like other
transports, but it could be a good thing to have in reserve.
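As an added example (not part of the post above or of dnstt itself), here is Go code a managed client could use to parse and validate the per-bridge options from the sketched Bridge line as a PT client receives them as SOCKS args. The type and function names are this example's own, and pt-spec backslash escaping of the argument string is omitted.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// DNSBridgeOpts holds the per-bridge options of the sketched Bridge line as a
// managed client receives them as SOCKS args (names are this example's own).
type DNSBridgeOpts struct {
	Domain string // tunnel domain, e.g. t.example.com
	DoH    string // DNS-over-HTTPS resolver URL
	PubKey []byte // server public key: 64 hex chars on the Bridge line, 32 bytes decoded
}

// ParseDNSBridgeOpts parses "k=v;k=v" options (pt-spec '\' escaping omitted
// for brevity) and validates the three keys this transport needs. Unknown
// keys are rejected so a typo fails loudly instead of being silently ignored.
func ParseDNSBridgeOpts(args string) (*DNSBridgeOpts, error) {
	m := map[string]string{}
	for _, kv := range strings.Split(args, ";") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed option %q", kv)
		}
		if k != "domain" && k != "doh" && k != "pubkey" {
			return nil, fmt.Errorf("unknown option %q", k)
		}
		m[k] = v
	}
	o := &DNSBridgeOpts{Domain: m["domain"], DoH: m["doh"]}
	if o.Domain == "" || !strings.HasPrefix(o.DoH, "https://") {
		return nil, fmt.Errorf("need domain= and an https:// doh= resolver")
	}
	pk, err := hex.DecodeString(m["pubkey"])
	if err != nil || len(pk) != 32 {
		return nil, fmt.Errorf("pubkey= must be 64 hex chars (32 bytes)")
	}
	o.PubKey = pk
	return o, nil
}

func main() {
	o, err := ParseDNSBridgeOpts("domain=t.example.com;doh=https://dns.example/dns-query;" +
		"pubkey=0000111122223333444455556666777788889999aaaabbbbccccddddeeeeffff")
	fmt.Println(o, err)
}
```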