[tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound

Alexandros irregulator at riseup.net
Sun Dec 20 00:55:23 UTC 2015


On 12/19/2015 11:23 PM, Jesse V wrote:
> Hey everyone,
> 
> This is an advisory for anyone running an exit node, but it also applies
> to any Linux setup where you don't trust your DNS server. TL;DR: this is
> a guide for switching unsecured DNS to DNSCrypt + Unbound, which
> prevents a network host from monitoring DNS lookups, thus increasing
> privacy for everyone using Tor.
> 
> A few weeks ago I set up some exits and I recently discovered that the
> host was using 8.8.8.8, Google's DNS, as a resolution service. As in,
> they had "nameserver 8.8.8.8" in /etc/resolv.conf. Convenient for them,
> but it meant that every request was sent to Google for resolution. This
> is bad because Google can then track DNS lookups and so can anyone
> watching unencrypted DNS as it travels across the country. In fact, DNS
> is specifically mentioned in the "Tor Sucks" NSA slides. Compounding
> this, most Linux boxes don't use a DNS cache, so literally every lookup
> is sent to Google, so this didn't exactly inspire confidence.
> 
> After talking with cacahuatl, ncl, and pskosinski on IRC, I switched to
> DNSCrypt, a FOSS protocol that encrypts DNS lookups across the wire. I
> also set up the Unbound DNS cache, thus accelerating queries while also
> preventing the DNSCrypt server from observing every lookup. Then I
> redirected /etc/resolv.conf to use Unbound, which itself used DNSCrypt.
> This protected Google or my host from watching DNS lookups. Here's how I
> did it:
> 

[snip]

> 
> At this point "host torproject.org" should work out of the box using
> DNSCrypt + Unbound and nobody but you and the DNSCrypt resolver can see
> your query. Be sure to review
> https://gist.github.com/Jesse-V/675b7ec87eca864887e6 to avoid any
> SERVFAIL headaches. Enjoy!
> 

Tor relay operators should agree on a threat model, that effectively
would be the whole Tor network's threat model. From the initial Tor
design documents [1] we know for example that Tor does not try to
protect from a "global passive adversary". We could/should elaborate on
that.

Coming to your suggestion, running DNSCrypt in Tor relays. DNS is
inherently problematic being neither encrypted nor authenticated (okay
there is DNSSEC for authentication, but...). Using DNSCrypt will encrypt
DNS queries and responses from your Tor relay to the DNSCrypt resolver.
From that point on you do not know and cannot control what the resolver
is going to do with DNS queries. And you don't know if that resolver
uses Google or is compromised or is malicious etc.

So I would say that DNSCrypt basically protects you from the hosting
provider of your Tor relay. And given the nature of the Tor network, its
threat model, the various available attacks to relays and users, I don't
think there is a benefit of using DNS encryption against your ISP.
Remember, your ISP is the one who routes your relay's traffic and can do
all sorts of nasty things, e.g. traffic correlation.

On the other hand, I would say using a local DNS cache can increase both
your relay's performance and perhaps offer a slight privacy gain to Tor
clients, given that a cached DNS response will be served directly to a
Tor client rather than querying an external resolver for the 2nd time.

Hope it makes sense,
Cheers

