[tor-dev] Support for full DNS resolution and DNSSEC validation

Jeremy Rand jeremyrand at airmail.cc
Fri May 15 15:53:00 UTC 2020


Alexander Færøy:
> I wonder if it would make more sense to have an onion-aware
> DNSSEC-enabled resolver *outside* of the Tor binary and have a way for
> Tor to query an external tool for DNS lookups. Such tool should be
> allowed to use Tor itself for transport of the actual queries. One of
> the best parts of Tor (in my opinion) is the Pluggable Transport
> subsystem. This subsystem allows external developers, researchers, and
> hackers to build new technology that benefits users in censored areas
> *without* having to alter a single line of C code in tor.git.
> 
> Let's say we had a "Pluggable DNS" layer in Tor. Users would be able to
> configure their Tor process to *never* use the built-in DNS subsystem in
> Tor, but instead outsource it to an external process that Tor spawns on
> startup. This process could use .onion's to reach a
> DNS-over-(TLS|HTTPS|TCP) server as onions themselves aren't looked up
> via DNS.
> 
> A "Pluggable DNS" subsystem would be much less code, I believe, and it
> wouldn't require us to have a DNS+DNSSEC implementation in the heart of
> Tor to maintain in the future. Such a system would be similar to the
> proposed design for Name => Onion lookups defined in proposal #279 by
> asn, yawning, and dgoulet.

Hi Alex,

FYI I already wrote a Prop279 provider that looks up the names via DNS
(it's aptly named "dns-prop279"); it does pretty much exactly what you
describe.  It doesn't handle DNSSEC validation itself (it assumes that
you've specified a DNS server that you trust -- most likely one running
on localhost).  Stream isolation can be handled via an EDNS0 field (and
I'm guessing it would not be difficult to patch an existing DNS server
to respect that EDNS0 field).  I wouldn't be surprised if it's easy to
make dns-prop279 do DNSSEC validation itself (and not use a
localhost-based DNS server) if that's desired -- the library it uses
(miekg/dns) does claim to support DNSSEC validation, though I've never
tried testing that feature.

I originally wrote dns-prop279 for Namecoin purposes, but I see no
reason it couldn't be used to achieve DNSSEC support in Tor.  If there's
interest in pursuing this, let me know, I'm happy to contribute.

Code is at https://github.com/namecoin/dns-prop279

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.
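
As an added illustration of the EDNS0 stream-isolation idea in the message above (example code written for this page, not code from dns-prop279, Tor or miekg/dns): the client side stamps each query's OPT RR with a 32-bit isolation key, and sets the DO bit when DNSSEC-signed answers are wanted; the resolver side extracts that key before deciding which upstream connection or circuit to use. It builds the DNS wire format by hand with only the Go standard library, and it assumes option code 65001 from the RFC 6891 local/experimental range, since the thread names no specific option code.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

const (
	typeA, typeOPT, classIN = 1, 41, 1 // RFC 1035 type/class codes; OPT is RFC 6891
	ednsDOBit               = 0x8000   // DNSSEC OK flag: low 16 bits of the OPT RR's TTL field
	// 65001 is in the RFC 6891 local/experimental option-code range; choosing it for the
	// isolation key is this example's assumption, not a code dns-prop279 or any resolver uses.
	optIsolation = 65001
)

func app16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func app32(b []byte, v uint32) []byte { return app16(app16(b, uint16(v>>16)), uint16(v)) }

// encodeName writes a DNS name as length-prefixed labels ending in the root label.
func encodeName(name string) ([]byte, error) {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if len(label) == 0 || len(label) > 63 {
			return nil, errors.New("bad label in " + name)
		}
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0), nil
}

// BuildQuery builds an A query whose OPT RR carries isolationKey as an EDNS0 option and, when dnssecOK is set, the DO bit.
func BuildQuery(id uint16, name string, isolationKey uint32, dnssecOK bool) ([]byte, error) {
	qname, err := encodeName(name)
	if err != nil {
		return nil, err
	}
	// Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR).
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 1}
	msg = app16(app16(append(msg, qname...), typeA), classIN)
	// OPT RR: root owner name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags.
	msg = app16(app16(append(msg, 0), typeOPT), 4096)
	var ttl uint32
	if dnssecOK {
		ttl = ednsDOBit
	}
	msg = app16(app32(msg, ttl), 8) // RDLENGTH: code(2) + length(2) + 4-byte key
	return app32(app16(app16(msg, optIsolation), 4), isolationKey), nil
}

// skipName advances past a wire-format name; a compression pointer ends it.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) && msg[off] != 0 {
		if msg[off]&0xC0 == 0xC0 { // pointer: two bytes, and nothing follows it
			return off + 2, nil
		}
		off += 1 + int(msg[off])
	}
	if off >= len(msg) {
		return 0, errors.New("truncated name")
	}
	return off + 1, nil // step over the root label
}

// IsolationKey is the check a resolver patched to honour the option would run: walk the question and every RR, locate the OPT RR, return the key and the DO bit.
func IsolationKey(msg []byte) (key uint32, dnssecOK bool, err error) {
	if len(msg) < 12 {
		return 0, false, errors.New("short header")
	}
	be := binary.BigEndian
	qd, rrs := int(be.Uint16(msg[4:])), int(be.Uint16(msg[6:]))+int(be.Uint16(msg[8:]))+int(be.Uint16(msg[10:]))
	off := 12
	for i := 0; i < qd+rrs; i++ {
		if off, err = skipName(msg, off); err != nil {
			return 0, false, err
		}
		if i < qd { // question entry: only QTYPE and QCLASS follow the name
			off += 4
			continue
		}
		if off+10 > len(msg) || off+10+int(be.Uint16(msg[off+8:])) > len(msg) {
			return 0, false, errors.New("truncated RR")
		}
		rrtype, ttl, rdlen := be.Uint16(msg[off:]), be.Uint32(msg[off+4:]), int(be.Uint16(msg[off+8:]))
		off += 10
		if rrtype == typeOPT {
			dnssecOK = ttl&ednsDOBit != 0
			// Scan options; stop at the first one that does not fit in the remaining RDATA.
			for rd := msg[off : off+rdlen]; len(rd) >= 4 && 4+int(be.Uint16(rd[2:])) <= len(rd); {
				if code, olen := be.Uint16(rd), int(be.Uint16(rd[2:])); code == optIsolation && olen == 4 {
					return be.Uint32(rd[4:]), dnssecOK, nil
				}
				rd = rd[4+int(be.Uint16(rd[2:])):]
			}
		}
		off += rdlen
	}
	return 0, dnssecOK, errors.New("no isolation option")
}
```

A resolver patched along these lines would call IsolationKey on every incoming query and key both its upstream connection (for example the SOCKS circuit it opens through Tor) and its cache on the returned value, so lookups issued on behalf of different Tor streams never share a circuit or a cached answer. Queries that arrive without the option should be refused rather than quietly merged onto one shared circuit, which is the failure mode the isolation is meant to prevent.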
