[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

Roger Dingledine arma at mit.edu
Mon Jan 30 06:34:47 UTC 2012


On Thu, Jan 26, 2012 at 10:42:53PM +0100, Ondrej Mikle wrote:
> I decided to give it a shot in implementing full DNS/DNSSEC resolution support
> for Tor, here's the branch:
> 
> https://github.com/hiviah/tor
> 
> ATM the biggest limitation is that reply DNS packet must fit in a single cell
> (i.e. max size is RELAY_PAYLOAD_SIZE).

Hi Ondrej,

Neat stuff! It's always nice to see people show up with patches.

So it looks like Tor would get two new libraries linked in, and exit
relays would inherit whatever security/stability issues libunbound has
since clients can basically hand them packets that they have to parse
and deal with.

How to handle more of the dns protocol has always been a messy design
question for Tor. More people are getting interested in it as we add
more ipv6 support.

The previous hack recommendation had been for the client to use ttdnsd
to run dns queries as normal Tor TCP flows:
https://gitweb.torproject.org/ioerror/ttdnsd.git
https://gitweb.torproject.org/ioerror/ttdnsd.git/blob_plain/HEAD:/README.TorDNS
which resolves the "what about answers bigger than Tor's cell size"
question, as well as the "are we really sure we want a whole dns server
implementation inside Tor" question, but leaves such niggling issues as
"so do you direct the streams to 8.8.8.8, or what?" It also has the
advantage that 8.8.8.8 runs a single known version of its nameserver,
rather than a collection of exit relays that each offer whichever version
they linked.

What do you think about the tradeoffs here? I'd like Tor to support more
of dns, but I also think it's important to avoid needing exit relays to
know all the details.

--Roger
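
The two mechanisms this thread contrasts, a DNSSEC reply that has to fit in one relay cell versus the ttdnsd approach of carrying DNS over an ordinary TCP stream, as an added example that is not part of the thread, of Tor, or of ttdnsd. It builds a DNS query with the EDNS0 DO bit set, frames it the way DNS over TCP does (RFC 1035 section 4.2.2), reassembles length-prefixed messages from a byte stream, and reports whether a given reply would fit in a single cell. RELAY_PAYLOAD_SIZE is taken as 498 (Tor's 509-byte cell payload minus the 11-byte relay header; check against the Tor source you are building). The signed response is constructed, not captured, and its signature bytes are placeholders; the parser does no validation and is not hardened against malformed input, which is precisely the exposure for exits that would have to parse client-supplied packets.

```python
"""DNS-over-TCP framing versus Tor's single-cell limit (added example)."""
import struct

# Assumed from Tor: 509-byte cell payload minus 11-byte relay header.
RELAY_PAYLOAD_SIZE = 498

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT RR TTL field (RFC 6891)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, qid=0x1234, dnssec_ok=True):
    """Build a DNS query. With dnssec_ok an EDNS0 OPT RR with DO set is appended,
    asking the resolver for RRSIGs, which is what pushes replies past one cell."""
    flags = 0x0100  # standard query, recursion desired
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if dnssec_ok:
        # OPT RR: root name, type 41, class = advertised UDP payload size,
        # TTL = ext-rcode | version | flags (DO), empty RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def iter_tcp_messages(stream):
    """Split a stream of TCP-framed DNS messages into (complete messages, leftover).
    A large reply arriving across several cells shows up here as leftover bytes
    until its final segment lands, so the caller simply keeps reading."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs, stream[pos:]


def skip_name(msg, pos):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        n = msg[pos]
        if (n & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + n
        if n == 0:
            return pos


def summarize_response(msg):
    """Parse header and record types of a DNS response. No DNSSEC validation."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10 + rdlen
        types.append(rtype)
    return {"id": qid, "rcode": flags & 0xF, "ancount": an, "types": types,
            "size": len(msg), "fits_in_one_cell": len(msg) <= RELAY_PAYLOAD_SIZE}


def sample_dnssec_response(qid=0x1234):
    """Constructed signed A reply: one A record plus two RRSIGs (as seen during a
    key rollover), each with an RSA-2048-sized placeholder signature."""
    msg = struct.pack("!HHHHHH", qid, 0x81A0, 1, 3, 0, 0)  # QR, RD, RA, AD set
    msg += encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xC0\x0C"  # compression pointer back to the question name
    msg += ptr + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes([93, 184, 216, 34])
    for key_tag in (12345, 54321):
        # RDATA: type covered, algorithm, labels, original TTL, expiry,
        # inception, key tag, signer name, signature (placeholder bytes).
        rrsig = struct.pack("!HBBIIIH", TYPE_A, 8, 2, 3600,
                            0x5F000000, 0x5E000000, key_tag)
        rrsig += encode_name("example.com") + b"\xAA" * 256
        msg += ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 3600, len(rrsig)) + rrsig
    return msg


if __name__ == "__main__":
    query = build_query("example.com")
    print("query bytes:", len(query), "framed:", len(frame_tcp(query)))
    print(summarize_response(sample_dnssec_response()))
```

The query itself is 40 bytes and fits in a cell with room to spare; the constructed reply is 643 bytes, so as a single-cell answer it is simply unanswerable, while as a TCP flow it is only two segments for iter_tcp_messages to reassemble. Sending the framed query through Tor's SOCKS port to a TCP resolver is what ttdnsd does; that step is left out so the example runs offline.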
