[tor-dev] GSoC: Support all kinds of DNS queries

Jeremy Rand jeremyrand at airmail.cc
Sun Apr 2 03:22:58 UTC 2017

Daniel Achleitner:
> Hi everyone,
> I'm a Software Engineering master's student at TU Wien, Austria, 
> with a recent focus on computer security and privacy issues. I am 
> interested in participating in GSoC 2017, particularly in the
> task to support all kinds of DNS queries via Tor [1].
> I've seen the mailing list discussions of 2012 and read the 
> resulting proposition 219 [2]. What do you think, which parts of
> it (if any) would need to be adapted for DNS in 2017? My current 
> impression is that not much has changed, particularly regarding 
> DNSSEC support and deployment.
> As of now, the proposal looks fairly complete with few questions 
> remaining, the biggest research task being how to utilize 
> libunbound for query/response parsing and construction. 
> Implementing the RELAY DNS cells then seems fairly
> straightforward. Unit/integration tests and some fuzzing would be a
> good idea. The problem of reducing DNSSEC roundtrips
> (serialization) to be investigated in a later phase, I would say.
> Is a separate AXFR tool still something that is desired? I have no
> experience with zone transfers -- can't the existing tooling just 
> be used over a normal TCP conn through Tor?
> This project idea would make a good match to my thesis in
> progress, for which I am researching and evaluating
> privacy-improving DNS tools in the context of Tor (DNSCrypt,
> DNS-over-TLS) [3], inspired by the awesome paper on DNS correlation
> [4]. For example, I recently built a SOCKS-to-SOCKS translator
> which allows resolving hostnames using a resolver of choice, e.g.
> using DNSCrypt with TBB.
> Looking forward to hearing your thoughts, concerns and opinions!
> Best regards, Daniel
> IRC handle on OFTC: idealchain

(Thinking out loud.)  It would be interesting to have some kind of
algorithm agility here.  For example, a Tor client could send a
request for a Namecoin domain name, and the exit relay would return a
Namecoin merkle proof in the same way that it would return a DNSSEC
signature if it were a DNS domain name.

-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile PGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with PGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the

