[tor-dev] Tor and DNS

Nick Mathewson nickm at alum.mit.edu
Thu Jan 19 22:13:19 UTC 2012

On Thu, Jan 19, 2012 at 7:39 AM, Linus Nordberg <linus at nordberg.se> wrote:
> Hi,
> After some interesting discussions irl last week with knowledgeable DNS
> and security people (hi Jakob) I'd like to hear from people involved
> with DNS in Tor what current status is and what needs to be done.
> More specifically, what's the status of ttdnsd and TorDNSd?  Are they
> being used?  Any thoughts about having a local validating resolver?
> I know there's been some discussions (4zm, are you here?) about using
> libunbound (which could be interesting for DNSSEC support).  Did that
> evolve into anything useful?
> I'm by no means a DNS expert but would love to see some discussion about
> this, partly because future IPv6 work will depend on changes to our DNS
> system.

Hi, Linus!

So, I think that what we actually need from a proper way to do DNS
over Tor is a way for the Tor client to make real DNS requests to get
handled by an exit node's DNS server or servers.  Right now, we don't
have that; we have a pile of half-measures instead.

Specifically, here's Tor's DNS support now:
  * When the client uses a BEGIN relay cell to open a new stream, the
    exit node does a lookup on the requested hostname at its nameservers,
    connects there, and tells the client what the IP was.  No info about
    the lookup other than the IPv4 address is returned.
  * A client can use a RESOLVE relay cell to do an A lookup, an AAAA
    lookup (not supported iirc), or a PTR lookup at the exit node's
    nameservers.  But they don't get back the full answer; they only get
    back the IP address or hostname.

Originally, we limited the DNS functionality that the exit node would
expose for you because we were worried about what kind of shenanigans
somebody could do with an arbitrarily crafted DNS request, and so we
restricted ourselves to a minimalist subset.  (This was back when Dan
Kaminsky's favorite hobby was finding unexpected applications of DNS,
like streaming video and whatnot.)

But I think the right design is probably something like allowing
clients to request more DNS info via exit nodes' nameservers, and get
more info back. We should think of ways to do this that avoid extra
round trips, but that should be doable.

At the most extreme, this could just give clients the ability to
generate arbitrary DNS requests and get the entire response back.  If
that seems worrisome, we could limit the form of the requests to a
reasonable subset, prevent various "Christmas-tree" requests, and so
on.  I don't personally understand the security issues here too well,
but I know they exist.

As an aside, DNSSEC for hostname lookup only helps so much here: If I
know for certain that www.example.com is, that doesn't really
help me if I can't know whether I'm really talking to  But
there are DNSSEC uses, such as TLS certificate stapling, that would
still be reasonable to do over Tor.
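An added example, not code from this thread or from Tor itself, showing the client side of the RESOLVE path described above: Tor's SOCKS5 RESOLVE (0xF0) and RESOLVE_PTR (0xF1) extensions, which the Tor client turns into a RESOLVE relay cell, and whose reply carries only the resolved address or hostname, nothing else from the DNS answer. The local SOCKS port at 127.0.0.1:9050 is an assumption.

```python
import ipaddress
import socket
import struct

# Tor's SOCKS5 command extensions (documented in Tor's socks-extensions.txt):
#   0xF0 RESOLVE     - forward lookup (A/AAAA, carried in a RESOLVE relay cell)
#   0xF1 RESOLVE_PTR - reverse lookup (PTR, carried in a RESOLVE relay cell)
SOCKS_RESOLVE = 0xF0
SOCKS_RESOLVE_PTR = 0xF1

def build_resolve_request(name: str, reverse: bool = False) -> bytes:
    """Encode a SOCKS5 RESOLVE / RESOLVE_PTR request for the Tor SOCKS port.
    Forward lookups send the hostname (ATYP 0x03); reverse lookups send the
    IPv4/IPv6 address (ATYP 0x01/0x04) whose PTR record is wanted."""
    cmd = SOCKS_RESOLVE_PTR if reverse else SOCKS_RESOLVE
    if reverse:
        ip = ipaddress.ip_address(name)
        atyp = 0x01 if ip.version == 4 else 0x04
        addr = bytes([atyp]) + ip.packed
    else:
        raw = name.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(raw)]) + raw
    return bytes([0x05, cmd, 0x00]) + addr + b"\x00\x00"  # port field is ignored

def parse_resolve_reply(reply: bytes) -> str:
    """Decode Tor's SOCKS5 reply.  Only an address (or a hostname for PTR)
    comes back: no TTL, no other RR types, no DNSSEC data, as the mail says."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", reply[:4])
    if ver != 0x05:
        raise ValueError("not a SOCKS5 reply")
    if rep != 0x00:
        raise ValueError(f"resolve failed, SOCKS reply code {rep:#04x}")
    if atyp == 0x01:
        return str(ipaddress.IPv4Address(reply[4:8]))
    if atyp == 0x04:
        return str(ipaddress.IPv6Address(reply[4:20]))
    if atyp == 0x03:
        n = reply[4]
        return reply[5:5 + n].decode("ascii")
    raise ValueError(f"unknown ATYP {atyp:#04x}")

def tor_resolve(name: str, reverse: bool = False,
                host: str = "127.0.0.1", port: int = 9050) -> str:
    """Run the lookup through a local Tor client (assumed SOCKSPort 9050)."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(b"\x05\x01\x00")            # method negotiation: no auth
        if s.recv(2) != b"\x05\x00":
            raise RuntimeError("SOCKS5 handshake rejected")
        s.sendall(build_resolve_request(name, reverse))
        return parse_resolve_reply(s.recv(512))
```

With a Tor client listening on the assumed port, `tor_resolve("example.com")` returns just the IPv4 or IPv6 string the exit's nameserver produced, which is exactly the limitation the mail is pointing at.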