[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

Sebastian Hahn hahn.seb at web.de
Wed Feb 1 02:31:55 UTC 2012


On Feb 1, 2012, at 2:48 AM, Watson Ladd wrote:
> On Tue, Jan 31, 2012 at 2:57 PM, Nick Mathewson <nickm at alum.mit.edu> wrote:
>> Another possibility is this:
>> 
>> Browser's resolver -> Tor Client (as DNSPort): "Resolve
>> www.example.com, give me an A, and give me DNSSec stuff too."
>> Tor Client-> Tor net-> Tor Exit: "Yeah, resolve that stuff."
>> Tor Exit -> Tor net -> Tor client: "Here's your answer."
>> Tor client -> Browser's resolver: "Here's that A record you wanted,
>> and some dnssec stuff."
>> Browser -> Tor client: "Okay, now connect there."
>> Tor client -> Tor net -> Tor exit: "Connect to <ip address>:80!"
>> Exit node -> Tor net-> Tor Client: "CONNECTED: Connection is open."
>> Tor Client -> Browser: "SOCKS5 connection complete."
>> 
>> But that would involve an extra round trip that I'd rather save if possible.
> We could cross our fingers and be optimistic, opening a connection to
> the server queried. Probably a bad idea.

I'm not sure, maybe the idea isn't so bad after all. If we wait for the
client to tell us whether it likes the dnssec stuff, I could easily be
convinced that this can be used to fingerprint clients. We have the TLS
false start stuff which is kind of similar, I feel. Maybe that means for
us to go ahead, make the connection, and if we as a client decide not to
like it we just try again on a new exit node a couple of times?
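The two client strategies being compared above (resolve first, then connect, versus connect optimistically and retry on another exit when the DNSSEC data is rejected), as an added toy model that is not code from this thread or from Tor; the Exit and Outcome types, the per-exit dnssec_ok flag and max_retries are assumptions made for illustration, and the model only counts client-to-exit round trips.

```python
# Added example, not from the tor-dev thread or the Tor code base: a toy model
# of the two client strategies discussed above. Exit, Outcome, dnssec_ok and
# max_retries are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Exit:
    """A constructed exit node and whether the DNSSEC data it returns validates."""
    name: str
    dnssec_ok: bool


@dataclass
class Outcome:
    round_trips: int                 # client <-> exit round trips before the stream is usable
    connected: bool
    exits_tried: list = field(default_factory=list)


def resolve_then_connect(exits):
    """Nick's sketch: RESOLVE first, let the client inspect the DNSSEC data,
    then CONNECT. One extra round trip on every connection, but the client
    never opens a stream to an address whose DNSSEC data it rejects."""
    exit_ = exits[0]
    rt = 1                           # RESOLVE request / answer
    if not exit_.dnssec_ok:
        return Outcome(rt, False, [exit_.name])
    rt += 1                          # CONNECT / CONNECTED
    return Outcome(rt, True, [exit_.name])


def optimistic_connect(exits, max_retries=3):
    """Watson's 'cross our fingers' variant: ask the exit to resolve and connect
    in one go; if the client dislikes the DNSSEC data it drops the stream and
    tries again on the next exit, at most max_retries more times."""
    tried = []
    for attempt, exit_ in enumerate(exits[: max_retries + 1]):
        tried.append(exit_.name)
        if exit_.dnssec_ok:
            return Outcome(attempt + 1, True, tried)   # one round trip per attempt
    return Outcome(len(tried), False, tried)
```

On a validating exit the optimistic path saves exactly one round trip; every rejected exit costs one full round trip plus a wasted connection, which is the trade-off the thread is weighing.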
