[tor-dev] Proposal 205: Remove global client-side DNS caching
Tim Wilde
twilde at gmail.com
Mon Nov 26 01:43:10 UTC 2012
On Sun, Nov 25, 2012 at 7:54 PM, Nick Mathewson <nickm at freehaven.net> wrote:
> [tl;dr: We should make client-side DNS cacheing off by default.]
>
Nitpickery: s/cacheing/caching/g
> Applications that care about speed should be doing a one-round-trip
> connect mechanism: either a SOCKS request with a hostname in it, or a
> TransPort request to an automapped address. If client-side DNS
> cacheing is disabled, these behaviors result in Tor sending the exit
> node a RELAY_BEGIN cell with a hostname in it. If the exit node
> has received a request for that hostname recently, it will have the
> answer in its DNS cache, and the use of the hostname won't slow the
> request down. If the exit node has _not_ received a request for that
> hostname recently, there will be no answer in its cache... but neither
> would there be any answer in a per-circuit DNS cache for a circuit to
> that exit.
>
> Applications that do a two-step "resolve then connect" approach will
> be a little slowed down in cases where Tor would have kept the answer
> in the client cache. But they would already be slowed down somewhat
> by proposal 205, which can't be avoided if we want proposal 205's
> improved security. See note on automapping below for a workaround.
>
> (And if you're asking, "Why would I even want to disable client-side
> DNS cacheing?", see proposal 205, linked above.)
>
FWIW this makes sense to me from a DNS point of view, and I agree that the
one-trip case should be no worse under this proposal than it was previously.
> Incidentally, elsewhere in the proposal I said,
>
> > If the application is doing its own DNS caching, they won't get
> > much security benefit from here.
>
> It looks like a bunch of applications *do* DNS cacheing. For them, in
> 0.2.4, I'd suggest maybe running Tor in a configuration where every
> name lookup gets automapped to a random IPv6 address. That kind of
> automapping should be possible in Tor 0.2.4, if the changes in ticket
> #7571 are right and get merged.
>
Alas, yes, and browsers (I'm looking at you, Firefox) are some of the worst
offenders (though hopefully not in the "normal" Tor case of SOCKS). I have
issued many curses towards applications doing their own caching (often
ignoring TTLs too, of course). The automapping in question seems sane to
me.
Tim
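The thread contrasts two ways an application reaches a host through Tor: a one-round-trip SOCKS request that carries the hostname (Tor sends it to the exit in RELAY_BEGIN and never resolves locally), and a two-step "resolve then connect" flow, which automapping can turn back into the one-trip case. The following is an added example, not code from this thread, from Tor, or from its SOCKS implementation: `socks5_connect_request` encodes an RFC 1928 CONNECT request choosing the domain-name address type whenever the target is not an IP literal, `parse_socks5_reply` decodes the proxy's answer, and `AutomapTable` is a toy model of the resolve-then-connect workaround (the `fc00::/64` range, the class and function names, and the sample reply bytes are constructed for illustration, not Tor's configuration or wire data).

```python
"""Added example (not from the tor-dev thread or from Tor): SOCKS5
CONNECT-with-hostname encoding and a toy automap table."""
import ipaddress
import random
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure",
              0x02: "not allowed by ruleset", 0x03: "network unreachable",
              0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported",
              0x08: "address type not supported"}


def socks5_connect_request(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928, section 4).

    A hostname is sent verbatim with ATYP 0x03, so the proxy (Tor) does the
    resolving: no local DNS lookup, one round trip, and the exit receives a
    RELAY_BEGIN carrying the name. IP literals use ATYP 0x01 / 0x04.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # not an IP literal: treat as a hostname
        name = target.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_reply(reply: bytes) -> dict:
    """Decode a SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT)."""
    if len(reply) < 4 or reply[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    atyp = reply[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        bound = str(ipaddress.IPv4Address(reply[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        bound = str(ipaddress.IPv6Address(reply[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + reply[4]
        bound = reply[5:end].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(reply) < end + 2:
        raise ValueError("truncated reply")
    (port,) = struct.unpack("!H", reply[end:end + 2])
    return {"status": reply[1], "text": REPLY_TEXT.get(reply[1], "unassigned"),
            "bound_addr": bound, "bound_port": port}


class AutomapTable:
    """Toy model of the automapping workaround described in the thread.

    A RESOLVE hands the application a random virtual address; a later
    CONNECT to that address is translated back to the hostname, so the exit
    still gets the name and the client never needs a DNS answer cached.
    The range is a constructed placeholder, not Tor's default.
    """

    def __init__(self, network: str = "fc00::/64", rng=None):
        self.net = ipaddress.ip_network(network)
        self.rng = rng or random.SystemRandom()
        self.by_name, self.by_addr = {}, {}

    def resolve(self, hostname: str) -> str:
        """Return the virtual address for hostname, allocating one if needed."""
        if hostname in self.by_name:
            return self.by_name[hostname]
        while True:
            offset = self.rng.randrange(1, self.net.num_addresses)
            addr = str(self.net.network_address + offset)
            if addr not in self.by_addr:
                break
        self.by_name[hostname], self.by_addr[addr] = addr, hostname
        return addr

    def connect_target(self, addr: str) -> str:
        """What would go into RELAY_BEGIN: the mapped name for a virtual
        address, otherwise the address the application asked for."""
        return self.by_addr.get(addr, addr)
```

The point of the domain-name branch is the one the thread makes: an application that asks the SOCKS proxy to connect to a name never touches DNS itself, so it loses nothing when client-side caching is switched off, while an application that resolves first only keeps that property if the resolve answer is a virtual address that Tor can map back to the name.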