[tor-dev] DNSSEC

merc1984 at f-m.fm merc1984 at f-m.fm
Mon Sep 1 16:02:21 UTC 2014


I am surprised to find that there is no form of DNSSEC associated with
TOR.  I am running dnscrypt, but find that I fail the DNSSEC test at
http://dnssec.vs.uni-due.de/ when using the TBB.  I have unbound chained
to dnscrypt which is on a rotary to 5 trusted DNS resolvers.

How can you not understand what this means WRT DNS cache poisoning?  Why
are we susceptible to DNS cache poisoning?  I suppose that the TOR
system needs to resolve .onion addresses, but there should be some way
of using dnssec locally if the TOR system cannot provide authenticated
DNS.

No one in the #tor irc channel seems to know how TOR DNS is done, and
unfortunately there's not a word about it at
https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver .  But I
suspect it must be TCP DNS as TOR can't do UDP.  And I suspect DNS must
be done by relay servers, in order to resolve intermediate .onion
addresses.  Beyond that, it's a mystery how it's done.

How to secure TOR DNS?

-- 
http://www.fastmail.fm - mmm... Fastmail...
