[tor-bugs] #20925 [- Select a component]: Tor should handle DNSSec RR types (DS, DNSKEY, DLV, etc.) as well as MX

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 7 22:59:02 UTC 2016


#20925: Tor should handle DNSSec RR types (DS, DNSKEY, DLV, etc.) as well as MX
--------------------------------------+-----------------
     Reporter:  paulj                 |      Owner:
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+-----------------
 I use a Tor client as a DNS resolver, to hide my DNS traffic generally,
 even for traffic that does not go over Tor. The intention is that, with
 services that multiplex/aggregate traffic for different domains to some
 service provider over a secure channel, the target domain is not
 exposed to middle-men by DNS.

 The idea is to frustrate passive data-collection efforts (as is now a
 legal requirement on ISPs and mobile telcos in a number of countries) as
 much as possible, even when not using Tor for my other data-traffic.

 E.g., for email to domains hosted with some service provider (e.g. Google,
 or register.com, or whatever), and delivered by SMTP over SSL, or by MSA
 to a smart-host, if DNS is not obfuscated/onion-routed, then a middle man
 can tell who I am emailing even if the email itself is delivered securely
 over a channel that serves many many domains. As at least some countries
 in Europe now require ISPs to log all customer DNS queries, this matters.

 As another example, for HTTPS+SNI and for web sites that are hosted on
 large, generic content providers (e.g. CDNs), a 3rd party data-collector
 cannot tell which website I am visiting. They only (passively) can tell I
 am connecting to a CDN. At least, this is true if the DNS is obfuscated
 via onion-routing.

 I have a caching, recursive nameserver (BIND) configured as my primary
 nameserver. I have Tor client acting as DNS server on port 5353. I have
 BIND configured to forward queries to the Tor DNS on 5353.

 Unfortunately:

 1. For the SMTP example, Tor does not implement MX, it seems. So when BIND
 gets "NotImp" from Tor, BIND fetches the MX directly itself - so at least
 my email gets delivered. However, it means the MX query is visible at my
 ISP and logged.

 2. For the HTTPS/SNI example, Tor does support A and AAAA records, however
 it does not support DNSSec related records (DS, DNSKEY, DLV are some I've
 seen NotImp returned for; NSEC, NSEC3, RRSIG, etc. probably would also be
 required). My BIND server is configured to make DLV-lookaside DNSSec
 checks, and so the DNSSec/lookaside related DNS traffic still leaks the
 target domains to my ISP.

 It would be nice if Tor DNS client could support more types. This would
 allow Tor to be used to onion-route all DNS client traffic, even when
 other data-traffic is not being onion-routed. This would reduce the
 information-leak footprint of clients to their ISPs, which would reduce
 the browsing data logged on them - routinely in a number of European
 countries (esp. UK).

 This would therefore allow Tor to be used to enhance people's privacy,
 even when Tor was not being used for the data traffic itself.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20925>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
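As an added check (not part of the ticket or of Tor's code), the script below probes a resolver for each RR type the reporter mentions and reports the RCODE it returns, so an operator can see which types a Tor DNSPort answers and which ones a forwarding BIND would therefore resolve directly. It assumes the DNSPort is at 127.0.0.1:5353 as described above; the type numbers are the IANA-registered ones.

```python
import socket
import struct

# RR types named in the ticket, with their IANA-registered type numbers.
RR_TYPES = {"A": 1, "AAAA": 28, "MX": 15, "DS": 43, "RRSIG": 46,
            "NSEC": 47, "DNSKEY": 48, "NSEC3": 50, "DLV": 32769}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype, txid=0x1234):
    """Build a minimal RFC 1035 query: header (RD set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_rcode(resp, txid=0x1234):
    """Return (rcode name, answer count) from a response; reject mismatched IDs."""
    if len(resp) < 12:
        raise ValueError("short response")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, str(rcode)), an

def probe(name, server="127.0.0.1", port=5353, timeout=3.0):
    """Query every type in RR_TYPES against one resolver; map type -> RCODE."""
    results = {}
    for tname, tnum in RR_TYPES.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, tnum), (server, port))
            try:
                data, _ = s.recvfrom(4096)
                results[tname] = parse_rcode(data)[0]
            except socket.timeout:
                results[tname] = "TIMEOUT"
    return results

if __name__ == "__main__":
    # Any type listed as NOTIMP here is one a forwarding BIND will fetch itself.
    for t, r in probe("example.com").items():
        print(f"{t:7s} {r}")
```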