[tor-bugs] #7570 [Tor]: Disable client-side DNS cacheing by default
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Dec 17 07:05:23 UTC 2012
#7570: Disable client-side DNS cacheing by default
------------------------------------+---------------------------------------
Reporter: nickm | Owner:
Type: enhancement | Status: needs_review
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-client dns prop205 | Parent:
Points: | Actualpoints:
------------------------------------+---------------------------------------
Comment(by nickm):
Replying to [comment:3 andrea]:
> This code all looks fine to me; go ahead and merge if you want. I'm not
> sure I entirely understand why this linkability problem becomes worse with
> IPv6, though, so for my own enlightenment it'd be nice to hear about it at
> some point.
The issue was that with IPv4, it takes effort and resources to mount the
"give everyone a different answer" attack: if you want to transparently
divide (say) www.zombo.com users into N classes, you'd need N IPs, and
you'd need to make every one of them give a reasonable facsimile of
www.zombo.com when accessed from a wide variety of exit nodes. Big ISPs
and MIT dorm residents and others who can grab ridiculous numbers of IP
addresses could do this without too much trouble (until they get caught),
but for other folks, you'd need to pay botnet rates for your addresses
and/or find a clever algorithm to minimize the number of classes you're
dividing users into.
But with IPv6, everybody basically gets as many addresses as they want,
and it's easy to have them all route to the same interface. The "give
everybody a different answer" attack is no longer (somewhat) costly: it's
basically free to get a /64 or a /80 and have it all route to you.
> Two tiny nitpicks:
>
> * make check-spaces says 'UnnecNL:src/or/relay.c:760'
fixed in branch
> * The sentence "It's potentially risky to use cached DNS answers at the
> client can be risky for linkability, since doing so can indicate to one
> exit what answers we've gotten for DNS lookups in the past." in the
> changes file in commit 765606406b26d573242e1a1d759511751b279b21 should be
> taken out, shot and replaced with something that conforms with English
> grammar, or at least the Newspeak Dictionary, 9th Edition. :)
nickm nickm sad nickm english sad kitten banana!
(fixed in branch)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7570#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
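The linkability argument in the comment above, as an added toy simulation that is not part of the ticket or of Tor's code: a resolver that tags users with a fresh address per query, clients with and without the client-side DNS cache, and a count of how many classes the destination can split users into when the attacker's address pool is an IPv4 /24 versus an IPv6 /64. The hostname is the ticket's www.zombo.com; the address pools and the shared fallback address are constructed documentation ranges.

```python
"""Toy model of the DNS-answer partitioning risk from Tor ticket #7570.
Constructed example, not Tor code: a hostile authoritative server gives each
query a fresh address, so the address a client later connects to marks that
query.  With client-side caching (pre-fix) every circuit reuses the first
answer and the destination can link them; per-exit resolution (the fix) gives
each circuit an unrelated answer."""
import ipaddress
from collections import Counter

class PartitioningResolver:
    """Hands out a never-before-used address per query until the pool is
    exhausted, then falls back to one shared address.  A /24 yields 254 user
    classes; a /64 never runs out, which is the IPv6 point in the ticket."""
    def __init__(self, pool_prefix, fallback):
        self.pool = ipaddress.ip_network(pool_prefix).hosts()
        self.fallback = ipaddress.ip_address(fallback)
    def resolve(self, _name):
        return str(next(self.pool, self.fallback))

class TorClient:
    def __init__(self, cache_dns):
        self.cache_dns = cache_dns
        self.cache = {}
    def connect(self, name, resolver):
        """Build one circuit to `name`; return the address the exit connects to."""
        if self.cache_dns and name in self.cache:
            return self.cache[name]        # old answer reused on a new exit
        addr = resolver.resolve(name)      # this exit resolves afresh
        if self.cache_dns:
            self.cache[name] = addr
        return addr

def simulate(num_clients, circuits_each, cache_dns, pool_prefix,
             fallback="203.0.113.10"):
    """Return Counter{address: connections seen there}.  Its len() is how many
    classes users were split into; a count above 1 links those connections."""
    resolver = PartitioningResolver(pool_prefix, fallback)
    clients = [TorClient(cache_dns) for _ in range(num_clients)]
    seen = Counter()
    for _ in range(circuits_each):
        for client in clients:
            seen[client.connect("www.zombo.com", resolver)] += 1
    return seen

if __name__ == "__main__":
    for cache, pool in [(True, "198.51.100.0/24"), (True, "2001:db8::/64"),
                        (False, "2001:db8::/64")]:
        seen = simulate(1000, 3, cache, pool)
        print(f"cache={cache} pool={pool}: {len(seen)} classes, "
              f"max {max(seen.values())} connections per address")
```

With the cache on, a /24 splits 1000 users into 255 classes (254 tagged plus the shared fallback) while a /64 gives every user their own address across all circuits; with the cache off, no address is ever seen twice.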