[tor-dev] Tor and DNS

Ondrej Mikle ondrej.mikle at gmail.com
Sun Feb 26 19:05:00 UTC 2012 

Hi,

I've updated the Tor DNS/DNSSEC draft from what was said in this thread. Short
summary of changes:

- drop IDs (use StreamID), drop length from DNS_RESPONSE, keep just uint16_t
total_length
- separate tool for AXFR so that server can be specified
- validation always on client side by default
- full DNS packets sent in DNS_BEGIN (generated by libunbound)

Other changes (mostly minor):

- IXFR not supported (rare corner case)
- "common" DNS policy - if updates between Tor versions change this "allowed
set" (e.g. new RR type), exit node with old Tor version simply returns REFUSED
- specified the algorithm of TTL normalization

Link to full text (diff is pasted at the end of this mail):

https://github.com/hiviah/torspec/blob/master/proposals/ideas/xxx-dns-dnssec.txt

Ondrej


Diff:

diff --git a/proposals/ideas/xxx-dns-dnssec.txt b/proposals/ideas/xxx-dns-dnssec.txt
index 865e06d..ea711ce 100644
--- a/proposals/ideas/xxx-dns-dnssec.txt
+++ b/proposals/ideas/xxx-dns-dnssec.txt
@@ -33,26 +33,22 @@ Status: Draft

   DNS_BEGIN payload:

-    RR type  (2 octets)
-    RR class (2 octets)
-    ID       (2 octets)
-    length   (1 octet)
-    query    (variable)
+    DNS packet data (variable length)

-  The RR type and class match counterparts in DNS packet. ID is for
-  identifying which data belong together, since response can be longer than
-  single cell's payload. The ID MUST be random and MUST NOT be copied from
-  xid of request DNS packet (in case of using DNSPort).
+  The DNS packet must be generated internally by libunbound to avoid
+  fingerprinting users by differences in client resolvers' behavior.

   DNS_RESPONSE payload:

     ID           (2 octets)
-    data length  (2 octets)
-    total length (4 octets)
+    total length (2 octets)
     data         (variable)

-  Data contains the reply DNS packet. Total length describes length of
-  complete response packet.
+  Data contains the reply DNS packet or its part if packet would not fit into
+  the cell. Total length describes length of complete response packet.
+
+  AXFR and IXRF are not supported in this cell by design (see specialized tool
+  below).

 2. Interfaces to applications

@@ -80,11 +76,9 @@ Status: Draft
   for asking authoritative servers.

   For client side, full validation would be optional described by option
-  DNSValidation (0|1). (TODO: what is a sensible default? Validation is not
-  much useful in A/AAAA case, but for instance SRV, TXT and TLSA are a
-  different case. Only reason for turning validation off is a faster
-  round-trip. We can also leave it to validating resolver that uses DNSPort as
-  forwarder.)
+  DNSValidation (0|1). By default validation is turned on, otherwise it would
+  be easy to fingerprint people who turned it on and asked for not-so-common
+  records like SRV.

 4. Changes to directory flags

@@ -93,9 +87,12 @@ Status: Draft
    - CommonDNS - reflects "common" DNSQueryPolicy
    - FullDNS - reflects "full" DNSQueryPolicy

-  (TODO: how do we handle adding new RR types to "common" as they are created?
-  One option would be to create CommonDNS_1 ... CommonDNS_N such that
-  CommonDNS_{N-1} is subset of CommonDNS_N.)
+  Exit node asked for a RR type not in CommonDNS policy will return REFUSED in
+  as status in the reply DNS packet contained in DNS_RESPONSE cell.
+
+  If new types are added to CommonDNS set (e.g. new RFC adds a record type)
+  and exit node's Tor version does not recognize it as allowed, it will send
+  REFUSED as well.

 5. Implementation notes

@@ -105,8 +102,7 @@ Status: Draft
   Client will periodically purge incomplete DNS replies. Any unexpected
   DNS_RESPONSE will be dropped.

-  Request for special names (.onion, .exit, .noconnect) will return SERVFAIL
-  (for NXDOMAIN we'd have to implement NSEC/NSEC3).
+  Request for special names (.onion, .exit, .noconnect) will return REFUSED.

   RELAY_BEGIN would function "normally", there is no need for returning DNS
   data. In case of malicious exit, client can't check he's really connected to
@@ -116,21 +112,52 @@ Status: Draft

   AD flag must be zeroed out on client unless validation is performed.

-6. Security implications
+6. Separate tool for AXFR

-  Client as well as exit MUST block attempts to resolve local RFC 1918, 4193,
-  4291 adresses (PTR) or local names (e.g. "*.local") in order not to leak
-  unnecessary information about home network. (TODO: TLD whitelist instead of
-  filtering "*.local" names? That would require exit node to periodically
-  update list from ICANN.)
+  The AXFR tool will have similar interface like tor-resolve, but will
+  return raw DNS data.
+
+  Parameters are: query domain, server IP of authoritative DNS.

-  An exit resolving names SHOULD use libunbound for all types of resolving so
-  that an attacker eavesdropping will have it harder to distinguish which
-  names were queried by connect command and which using the DNS subsystem
-  (TODO: will this really help, since attacker can guess from RR type and
-  whether or not a TCP connection follows?)
+  The tool will transfer the data through "ordinary" tunnel using RELAY_BEGIN
+  and related cells.
+
+  This design decision serves two goals:
+
+  - DNS_BEGIN and DNS_RESPONSE will be simpler to implement (lower chance of
+    bugs)
+  - in practice it's often useful do AXFR queries on secondary authoritative
+    DNS servers
+
+  IXFR will not be supported (infrequent corner case, can be done by manual
+  tunnel creation over Tor if truly necessary).
+
+7. Security implications
+
+  Client as well as exit MUST block attempts to resolve local RFC 1918, 4193,
+  4291 adresses (PTR).

-  TTL in reply DNS packet MUST be somehow normalized at exit node so that
-  client won't learn what other clients queried. Transaction ID is provided
-  randomly by libunbound, no need to modify. This affects only DNSPort and
+  An exit node resolving names will use libunbound for all types of resolving,
+  including lookup of A/AAAA records when connecting stream to desired
+  server. Ordinary streams will gain a small benefit of defense against DNS
+  cache poisoning on exit node's network.
+
+  Transaction ID is provided randomly by libunbound, no
+  need to modify. This affects only DNSPort and
   SOCKS interfaces.
+
+8. TTL normalization idea
+
+  Complex on implementation, because it requires parsing DNS packets at exit
+  node.
+
+  TTL in reply DNS packet MUST be normalized at exit node so that client won't
+  learn what other clients queried. The normalization is done in following
+  way:
+
+  - for a RR, the original TTL value received from authoritative DNS server
+    should be used when sending DNS_RESPONSE, trimming the values to interval
+    [5, 600]
+  - does not pose "ghost-cache-attack", since once RR is flushed from
+    libunbound's cache, it must be fetched anew
+

More information about the tor-dev mailing list