[tor-dev] Support for full DNS resolution and DNSSEC validation
Christian Hofer
chrisss404 at gmail.com
Sun May 24 16:17:18 UTC 2020
On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
> > I can not really say anything about how this design compares to
> > other
> > approaches, since I don't know how I can set up meaningful test
> > scenarios to compare them.
>
> Do we really need test setups to discuss protocol designs
> and compare protocols with a common threat model if specs for the
> protocols are available?
>
I think it depends on the context. However, if you want to neglect the
context you can just compare plain DNS employing DNSSEC (authenticity
and integrity) to DoH / DoT (confidentiality). There are quite a few
comparisons out there, e.g.: [1].
[1] https://blog.circuitsofimagination.com/2018/11/08/dns-o-t-dnssec-dns-o-h.html
> > However, I would appreciate if you could
> > share how to set up such test environments.
>
> take your preferred DoT client implementation that supports the
> strict profile (RFC8310)
> or your preferred DoH implementation and route it over tor to your
> resolver of choice.
>
If you put it like this, then the proposed design would save the
required TLS / HTTPS handshake you have in DoT / DoH and would add
authenticity and integrity verification of DNS responses. However, the
confidentiality you get with DoH / DoT (at the exit relay, which may
not even be necessary?) would be missing.