[tor-dev] Tor and DNS
christian at grothoff.org
Mon Jan 30 09:09:20 UTC 2012
On 01/30/2012 07:59 AM, Roger Dingledine wrote:
> On Thu, Jan 19, 2012 at 05:13:19PM -0500, Nick Mathewson wrote:
>> But I think the right design is probably something like allowing
>> clients to request more DNS info via exit nodes' nameservers, and get
>> more info back. We should think of ways to do this that avoid extra
>> round trips, but that should be doable.
> So Nick, are you thinking we want a way for exit relays to receive an
> already-formatted dns query inside the Tor protocol, and get it onto
> the network somehow heading towards their configured nameservers? Or
> did you have something else in mind?
> I wonder if we want a begin_dns relay command, sort of like the current
> begin and begin_dir commands, and then just let them talk TCP to one of
> our nameservers? Or is that too much like the previous hacks?
In GNUnet, we simply send the raw DNS payload over the mesh network to
the exit node (in what for you would be a new cell type), the exit node
sends it out via UDP to whatever DNS server the user provided, and the
exit sends the response back to the initiator. So the exit never parses
the DNS request or response at all. From what I've seen so far, 512
byte cells might do just fine >90% of the time, unless of course DNSSEC
somehow takes off. However, GNUnet's message size limit is 64k, so this
is not something I've been studying extensively.
In cases where we need to parse DNS queries (likely outside of Tor's
scope), we have our own library to do so, but even there we never parse
DNS queries that did not originate from our own system.
In summary, I think begin_dns is a good idea, but I'm not sure you need
to then talk TCP to the nameserver -- UDP ought to suffice.
My 2 cents
More information about the tor-dev