[tor-dev] DNSSEC

Mike Cardwell tor at lists.grepular.com
Mon Sep 1 18:54:11 UTC 2014

* on the Mon, Sep 01, 2014 at 10:56:30AM -0700, merc1984 at f-m.fm wrote:

> Lol, first of all Copernicus, I have made no posts in that stackexchange
> thread.  I do have the same concern though, as it is legitimate. 
> Second, I believe all the answers there are wrong because an exit node
> could not resolve .onion addresses by the time a query gets there.
> I suspect that TOR DNS is TCP, and that relays can also resolve.  But
> then, so far it seems that no one actually knows.

The exit nodes do the DNS requests. The client doesn't see an IP address.
It connects to the Tor SOCKS interface and says, "connect me to hostname
example.com on port N". It doesn't look up the IP address of "example.com"
and *then* connect to it. Hidden services don't have IP addresses and
DNS resolution isn't involved in routing connections to them.

There is an exception to this. You *can* use the DNSPort option in your
torrc and then your Tor client will expose a DNS server interface on a
local UDP port of your choice. Your DNS requests which are sent to this
interface are then forwarded over Tor to the Exit node which then looks
them up on your behalf. It only works for A, AAAA and PTR records at the
moment IIRC.

The vast majority of Tor users will not make any DNS requests over the
Tor network. If you don't understand this, read up on how SOCKS works.

> To those whose skirts I've blown up about DNSSEC, you must not
> understand that what we have now is very susceptible to DNS Cache
> Poisoning.

I am a fan of DNSSEC and use it on my own domains. However, it wouldn't
help on Tor as much as you think it would:

If you're visiting a non-SSL website, the web traffic can still be
viewed and modified by a malicious exit node regardless of whether DNSSEC
is in use, so DNSSEC doesn't gain us anything here...

And if you're visiting an SSL secured website, a malicious exit node
can't view/modify your traffic without triggering certificate alerts
anyway regardless of the existence of DNSSEC.

And on top of this, they can route your traffic to whatever IP they
want. So even if you get a DNSSEC signed response telling you to
connect to IP address "a.b.c.d", they can still re-route your attempt
to connect to "a.b.c.d" to whatever IP they want.

> This is a serious problem.  And if you don't take this
> seriously, either you clearly do not understand the problem, or you are
> not telling us why it is not a problem.

Which problems will DNSSEC solve for Tor users?

> IDC if the solution is DNSSEC, DNSCurve, or Waltzing with DNS, but I say
> this is a serious problem that must be addressed.

DNSSEC and DNSCurve are completely different solutions for completely
different problems and can be used independently or at the same time.

I don't think you've effectively said what the problem which you
want addressing actually is.

Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
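The SOCKS point above is easiest to see on the wire. The following is an added example (not code from Mike's post or from the Tor project) that encodes and decodes SOCKS5 requests as a Tor client would send them: a hostname travels inside the request as a literal domain name (ATYP 0x03) and the exit node resolves it, whereas an application that resolves first and sends an IP literal (ATYP 0x01/0x04) has already done a DNS lookup outside Tor. It also builds Tor's SOCKS extension commands RESOLVE (0xF0) and RESOLVE_PTR (0xF1), which are the only way a client asks the network to do a lookup on its behalf without connecting. The hostnames, IPs and ports used are constructed sample input.

```python
"""Encode/decode SOCKS5 requests to show where the hostname actually ends up.

Added illustration; sample hosts and ports below are constructed, not captured traffic.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0       # Tor SOCKS extension: forward lookup, no connection
CMD_RESOLVE_PTR = 0xF1   # Tor SOCKS extension: reverse lookup of an IP
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Build a SOCKS5 request (RFC 1928 layout: VER CMD RSV ATYP DST.ADDR DST.PORT).

    If `host` is not an IP literal it is sent verbatim as a domain name, so the
    client never performs DNS: the Tor exit does the lookup after the circuit
    is built. An IP literal means the application resolved the name itself.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return struct.pack("!BBB", SOCKS_VERSION, cmd, 0x00) + addr + struct.pack("!H", port)


def parse_socks5_request(data: bytes) -> dict:
    """Decode a SOCKS5 request into its fields; raises ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        off = 5 + n
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.ip_address(data[4:8]))
        off = 8
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.ip_address(data[4:20]))
        off = 20
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(data) != off + 2:
        raise ValueError("bad length")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


def resolved_locally(req: bytes) -> bool:
    """True if the request carries an IP literal, i.e. the application did its own
    DNS lookup before talking to the SOCKS port (the classic Tor DNS leak)."""
    return parse_socks5_request(req)["atyp"] != ATYP_DOMAIN


if __name__ == "__main__":
    good = socks5_request("example.com", 443)          # exit resolves example.com
    leaky = socks5_request("93.184.216.34", 443)       # app resolved it already
    lookup = socks5_request("example.com", 0, CMD_RESOLVE)
    for label, req in (("connect-by-name", good), ("connect-by-ip", leaky), ("resolve", lookup)):
        print(label, req.hex(), parse_socks5_request(req), "local DNS:", resolved_locally(req))
```

The `CMD_RESOLVE`/`CMD_RESOLVE_PTR` requests are what a tool like `tor-resolve` sends; the DNSPort option mentioned above is just a UDP DNS front end that turns A/AAAA/PTR queries into the same kind of exit-side lookup.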