[tor-bugs] #2575 [Tor Relay]: No DNS means no exiting

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Feb 17 21:33:02 UTC 2011


#2575: No DNS means no exiting
-----------------------+----------------------------------------------------
 Reporter:  atagar     |          Owner:     
     Type:  defect     |         Status:  new
 Priority:  minor      |      Milestone:     
Component:  Tor Relay  |        Version:     
 Keywords:             |         Parent:     
   Points:             |   Actualpoints:     
-----------------------+----------------------------------------------------

Comment(by rransom):

 Replying to [comment:2 atagar]:
 > > Why should we tie support for DNS requests to support for TCP
 > > connections to arbitrary hosts on port 53?
 >
 > I had been thinking that by accepting port 53 the relay operator's
 > already agreeing to host DNS queries, but on second thought any relay that
 > allows connections to the destination we're trying to reach would be
 > perfectly fine.

 How does a client know whether a relay allows connections to the
 destination it is trying to reach before the client has resolved the
 destination's hostname?  How does the relay know whether it allows
 connections to a destination before deciding whether to allow a DNS
 request for the destination's hostname?

 What we need are new relay flags: BadDNS and (possibly) DNSExit.  BadDNS
 could someday replace !BadExit for exits that are only bad because their
 DNS resolvers cannot be trusted, and DNSExit could be used to indicate
 that a non-exit relay allows DNS queries.

 We would also need a new `request-flags` relay descriptor line, which a
 relay could use to ask the directory authorities to set or unset certain
 flags on it in the consensus.  In this case, an exit relay whose DNS self-
 tests detect malicious behaviour could put `request-flags +BadDNS` in its
 descriptor (instead of replacing its exit policy with `reject *:*`).  This
 descriptor line would have other uses as well; for example, a relay whose
 operator intends to shut it down in the next week could put `request-flags
 -Stable -Guard` in its descriptor.

 Both of these changes require proposals, and BadDNS and DNSExit require
 some thought regarding backward compatibility (e.g. when to turn off
 adding !BadExit along with BadDNS, and how to turn on client support for
 DNSExit).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2575#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
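As an added illustration (my own code, not anything from Tor or from this ticket), a small model of how a directory authority might process the proposed `request-flags` descriptor line: it parses the `+Flag`/`-Flag` tokens, honours only self-demoting requests (the allowed sets are my assumption, not part of the proposal, so a relay cannot grant itself Guard or drop BadExit), and while legacy clients still exist it adds BadExit alongside BadDNS, per the backward-compatibility note in the comment.

```python
import re

# Assumption: a relay may only ask for flags that reduce trust in it.
ALLOWED_ADD = frozenset({"BadDNS"})
# Assumption: a relay may only ask to drop flags that confer trust.
ALLOWED_REMOVE = frozenset({"Stable", "Guard", "Fast", "HSDir"})

_TOKEN = re.compile(r"^([+-])([A-Za-z0-9]+)$")


def parse_request_flags(line: str) -> tuple[set[str], set[str]]:
    """Parse a hypothetical 'request-flags +X -Y' line into (add, remove)."""
    parts = line.split()
    if not parts or parts[0] != "request-flags":
        raise ValueError("not a request-flags line")
    add, remove = set(), set()
    for tok in parts[1:]:
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"malformed token: {tok!r}")
        (add if m.group(1) == "+" else remove).add(m.group(2))
    if add & remove:
        raise ValueError(f"flag both requested and refused: {sorted(add & remove)}")
    return add, remove


def apply_request(consensus_flags, line: str, legacy_badexit: bool = True):
    """Return (flags the authority would vote, requests it ignored).

    Requests outside the allowed sets are ignored rather than rejected, so a
    relay cannot promote itself. While legacy_badexit is True, BadDNS also
    sets BadExit so clients that do not yet understand BadDNS still avoid
    the relay's untrusted resolver.
    """
    add, remove = parse_request_flags(line)
    flags = set(consensus_flags)
    ignored = (add - ALLOWED_ADD) | (remove - ALLOWED_REMOVE)
    flags |= add & ALLOWED_ADD
    flags -= remove & ALLOWED_REMOVE
    if legacy_badexit and "BadDNS" in flags:
        flags.add("BadExit")
    return frozenset(flags), frozenset(ignored)
```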

