[tor-bugs] #19769 [Core Tor/Tor]: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 28 02:35:33 UTC 2016


#19769: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)
------------------------------+--------------------------
     Reporter:  teor          |      Owner:
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:  Tor: 0.2.???
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  029-proposed
Actual Points:                |  Parent ID:
       Points:  0.5           |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------
 In #19025, we fix a bug that prevented exits sending DNS TTLs to clients
 for IPv4 and IPv6 addresses.

 But we don't want to have too many potential values for these TTLs, to
 avoid tagging attacks.

 So I propose
 * Exits round down (truncate) the TTL received from the DNS server, and
 * Clients round down the TTL received from the Exit,
 to the nearest of:
 * MIN_DNS_TTL (1 minute), or
 * DEFAULT_DNS_TTL (30, 60, 90, 120, 150, 180 minutes)

 MAX_DNS_TTL is 3 hours, so there are only 7 possible values for the TTL.
 I chose to round down because that way, Tor DNS TTLs are only ever shorter
 than the lifetime specified by the DNS server.

 I don't think we need to add noise to the TTL received from either the DNS
 server or Exit. I can't see the value in randomising it, and allowing
 randomisation could hide a tagging attack.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19769>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
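
The rounding rule proposed in the ticket, written out as an added example in C.
This is not code from the ticket or from Tor's own dns.c; it only uses the
constant names MIN_DNS_TTL, DEFAULT_DNS_TTL and MAX_DNS_TTL from the ticket.
The function names (clip_dns_ttl, ttl_is_canonical, count_distinct_clipped),
the sample TTLs, and the treatment of TTLs shorter than one minute (raised to
MIN_DNS_TTL so that every input still lands on one of the seven values) are
assumptions made for the example. The same function is applied twice, once
at the exit and once at the client, which also shows why the client-side
rounding is a no-op for a well-behaved exit and a detector for anything else.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example implementing the rounding rule proposed in ticket #19769.
 * Not Tor's own code. All values are in seconds. */
#define MIN_DNS_TTL      (60)            /* 1 minute   */
#define DEFAULT_DNS_TTL  (30 * 60)       /* 30 minutes */
#define MAX_DNS_TTL      (3 * 60 * 60)   /* 3 hours    */

/* Round a TTL down to one of the seven permitted values:
 *   60, 1800, 3600, 5400, 7200, 9000, 10800.
 * Assumption (not stated in the ticket): a TTL below MIN_DNS_TTL is raised
 * to MIN_DNS_TTL rather than rejected, so every input maps into the set. */
uint32_t clip_dns_ttl(uint32_t ttl)
{
  if (ttl >= MAX_DNS_TTL)
    return MAX_DNS_TTL;                    /* cap at 3 hours */
  if (ttl < DEFAULT_DNS_TTL)
    return MIN_DNS_TTL;                    /* anything under 30 min -> 1 min */
  return ttl - (ttl % DEFAULT_DNS_TTL);    /* truncate to a multiple of 30 min */
}

/* The client applies the same rule to the TTL it receives from the exit.
 * For an honest exit this changes nothing; a TTL that does change is not
 * one of the permitted values and can be logged or clipped. */
bool ttl_is_canonical(uint32_t ttl)
{
  return clip_dns_ttl(ttl) == ttl;
}

/* Count the distinct outputs of clip_dns_ttl over 0..limit. Because the
 * function is monotone non-decreasing, a change from the previous output
 * is exactly one new distinct value. Confirms the "only 7 values" claim. */
unsigned count_distinct_clipped(uint32_t limit)
{
  unsigned n = 0;
  uint32_t last = 0;
  bool have_last = false;
  for (uint32_t t = 0; t <= limit; t++) {
    uint32_t c = clip_dns_ttl(t);
    if (!have_last || c != last) {
      n++;
      last = c;
      have_last = true;
    }
  }
  return n;
}

int main(void)
{
  /* Constructed sample TTLs, as a DNS server might hand them to an exit. */
  const uint32_t samples[] = { 0, 30, 300, 1799, 1800, 3599, 5400, 7201, 10800, 86400 };
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    uint32_t exit_ttl = clip_dns_ttl(samples[i]);      /* exit-side rounding   */
    uint32_t client_ttl = clip_dns_ttl(exit_ttl);      /* client-side rounding */
    printf("dns %6" PRIu32 " -> exit %5" PRIu32 " -> client %5" PRIu32 "%s\n",
           samples[i], exit_ttl, client_ttl,
           ttl_is_canonical(exit_ttl) ? "" : "  (non-canonical!)");
  }
  printf("distinct clipped values over one day: %u\n",
         count_distinct_clipped(86400));
  return 0;
}
```

Running it prints the seven-value mapping and "distinct clipped values over
one day: 7", matching the count in the ticket. Because rounding down never
produces a value above the input, the client never caches a record longer
than the authoritative server allowed, which is the reason the ticket prefers
truncation over rounding to nearest.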

