[tor-dev] Support for full DNS resolution and DNSSEC validation

Christian Hofer chrisss404 at gmail.com
Mon May 25 16:45:03 UTC 2020


On Sun, 2020-05-24 at 19:01 +0200, nusenu wrote:
> Christian Hofer:
> > On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
> > > Alexander Færøy:
> > > > I wonder if it would make more sense to have an onion-aware
> > > > DNSSEC-enabled resolver *outside* of the Tor binary and have a
> > > > way for Tor to query an external tool for DNS lookups.
> > > 
> > > I'm also in favor of this approach,
> > > and you can do this today with no code changes to tor at all.
> > > 
> > > CF demonstrated it even before DoH/RFC8484 was finalized:
> > > https://blog.cloudflare.com/welcome-hidden-resolver/
> > > 
> > 
> > Do you have DNSSEC validation in this approach? 
> 
> That is up to you. If you use a stub resolver that has DNSSEC support
> (like 
> stubby) you have DNSSEC validation.
> 
> 
> > > + 1 for DoT and DoH over tor, especially due to the DoH
> > > implementation that is available in firefox (it would still
> > > require work on stream isolation and caching risks to ensure the
> > > usual first party isolation).
> > > In terms of achieving a big improvement on tor browser users in
> > > the context of DNS this would be the most effective path to spend
> > > coding resources on in my opinion.
> > > 
> > > 
> > 
> > It seems that Firefox's DoH implementation does not employ DNSSEC
> > validation, see [2]. They trust CF doing it for them. Be careful here.
> 
> I'm aware that firefox does not perform DNSSEC validation. I don't
> think the tor project would enable DNSSEC in Tor Browser without a
> good use-case or a (future) TLS extension solving the latency issue.
> Since DANE for HTTPS does not appear to be a thing and there is no
> DANE support in firefox, I'm also wondering about the specific
> use-cases for DNSSEC in Tor Browser.
> 
> > Furthermore, there are privacy concerns about additional metadata
> > regarding the use of DoH (agent headers,
> 
> solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1543201
> 
> > language settings, 
> 
> solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1544724
> 

Well done!

> > and cookies) 
> 
> I don't think firefox sends cookies in DoH requests.
> 
> 
> I'm still curious about the underlying threat model and use-cases (my
> first questions in this thread), since that would help with trying to
> understand what you are trying to achieve.
> 

The threat model is DNS hijacking. Yes, you can prevent DNS hijacking
using DoH if you *trust* the resolver you connect to. However, if you
want to verify the authenticity and integrity of DNS responses you need
DNSSEC.

Maybe this is not a real concern, otherwise you might have already
considered it.

> kind regards,
> nusenu
> 

BR
Christian

> 
> 
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

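For readers who want to try the approach nusenu describes above (a DNSSEC-capable stub resolver outside the Tor binary, with stubby as the example), the fragment below is an added illustration, not a configuration posted in this thread or shipped by the Tor or getdns projects. It shows the distinction Christian draws: the DoT upstream alone only protects the transport and delegates trust to the resolver, while the `dnssec_return_status` option makes the stub validate signatures itself. The upstream address and auth name are placeholders you must replace; routing the stub's upstream connections over Tor (e.g. to an onion-service resolver) is not covered here and is assumed to be handled separately.

```yaml
# stubby.yml (added example; key names follow stubby's stubby.yml.example,
# upstream values are placeholders and NOT a recommendation)
resolution_type: GETDNS_RESOLUTION_STUB

# Transport: DNS-over-TLS only, never fall back to cleartext UDP/TCP.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Weak form: with only the lines above, hijack protection rests entirely on
# the upstream resolver being honest. A compromised or coerced resolver can
# still return forged answers over a perfectly authenticated TLS session.

# Corrected form: validate DNSSEC locally, so forged answers for signed
# zones are rejected regardless of which resolver produced them.
dnssec_return_status: GETDNS_EXTENSION_TRUE

listen_addresses:
  - 127.0.0.1

upstream_recursive_servers:
  # Placeholder upstream; substitute the resolver you actually use.
  - address_data: 192.0.2.53
    tls_auth_name: "resolver.example"
```

Point the application (or Tor's `DNSPort` consumer) at 127.0.0.1 and check that a name in a deliberately broken zone (such as the public DNSSEC test domains) now fails to resolve; if it still resolves, validation is not actually being enforced.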