[tor-relays] dnsmasq configuration for an exit relay (Debian)

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Sun Oct 8 19:23:13 UTC 2017


Ralph, you seem to be more concerned with minimizing the number of
hosts involved in a DNS lookup, and you (correctly) believe that
running a recursive resolver yourself, as opposed to delegating it,
decreases that number. If a DNS provider like Hurricane Electric is
your main concern, then I think we are in agreement.

I assume, however, that most of these ISPs have no technical
capability or business incentives to be engaged in Tor traffic
correlation. When it comes to Tor traffic correlation, I am more
concerned with defending Tor users against the already-known
attackers.

According to the leaked documents, there is a large, but not global,
passive adversary confirmed to be intercepting and analyzing IP traffic
between targeted hosts, without the capacity to control all network
links, and without the legal authority to hack the hosts themselves. I
am making an assumption that Tor relays sending DNS requests to a
large and diverse number of destinations can make practical
DNS-assisted traffic correlation prohibitively expensive.


On Sun, Oct 8, 2017 at 12:03 PM, Ralph Seichter <m16+tor at monksofcool.net> wrote:
> On 08.10.17 20:48, Igor Mitrofanov wrote:
>
>> Unbound's upstream requests can be intercepted and used in traffic
>> correlation just like any other.
>
> I thought I expressed myself clearly enough, but I'll try one more time.
> Unbound, or any other resolver, can either a) perform the recursive
> lookup or b) delegate the lookup. Case a) is preferable in regards to
> profiling because it does not involve additional third-party servers
> that have nothing to do with the query. Case b) involves third-party
> servers, so it offers more points where traffic can be analysed. Looking
> up host.somedomain.tld should, if no cached data is available, only
> involve one of the root zone servers, one server for the tld zone, and
> one server for the somedomain zone. It should not involve a resolver run
> by Google or other parties that have no business in knowing that my Tor
> node just looked up host.somedomain.tld.
>
>> Yes, Unbound follows the recursive protocol and works with the
>> hierarchy from the root DNS servers down, but your ISP can still
>> observe your entire DNS activity.
>
> I have explicitly stated "If the ISP hosting the Tor node has resolvers
> for their customers, these can be used as well, *since the ISP sees all
> outgoing traffic anyway*". Are you deliberately trying to misunderstand
> me?
>
> -Ralph
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
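Ralph's case a) versus case b), as an added illustration that is not part of this thread: a constructed Python model of which servers get to see the query name when the exit's resolver walks the hierarchy itself versus when it forwards to a third party, and how a warm cache and QNAME minimisation (RFC 7816, which Unbound can enable) shrink that set. The referral table, the forwarder name and the addresses are constructed; nothing here touches the network.

```python
import ipaddress

ROOT_SERVER = "a.root-servers.net"
# Constructed referral table: for each server, the zones it delegates (to a
# nameserver name) and the names it answers authoritatively (with an address).
REFERRALS = {
    "a.root-servers.net": {"tld": "ns1.nic.tld"},
    "ns1.nic.tld": {"somedomain.tld": "ns1.somedomain.tld"},
    "ns1.somedomain.tld": {"host.somedomain.tld": "192.0.2.10", "other.somedomain.tld": "192.0.2.11"},
}

def _suffixes(qname):
    """'host.somedomain.tld' -> ['tld', 'somedomain.tld', 'host.somedomain.tld']."""
    parts = qname.rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]

def iterative_resolve(qname, cache, qname_minimisation=False):
    """Case a): walk the hierarchy from the root. Returns (address, observers),
    observers being the list of (server, name that server was asked for).
    `cache` maps zone -> authoritative server learned from earlier referrals;
    a warm cache lets later lookups skip the root and TLD servers entirely."""
    observers = []
    server = ROOT_SERVER
    for zone in reversed(_suffixes(qname)[:-1]):  # deepest cached delegation
        if zone in cache:
            server = cache[zone]
            break
    while True:
        table = REFERRALS[server]
        zone = next((z for z in reversed(_suffixes(qname)) if z in table), None)
        if zone is None:
            raise LookupError(qname)
        # With QNAME minimisation (RFC 7816) each server is only asked for the
        # label directly below its own zone, never the full name being resolved.
        observers.append((server, zone if qname_minimisation else qname))
        target = table[zone]
        try:  # an address ends the walk; anything else is a referral to follow
            return str(ipaddress.ip_address(target)), observers
        except ValueError:
            cache[zone] = target
            server = target

def forwarded_resolve(qname, forwarder="resolver.example-provider.net"):
    """Case b): the full name goes to one extra third party, which then does
    the same walk (or serves it from its own cache) on the exit's behalf."""
    _, upstream = iterative_resolve(qname, {})
    return [(forwarder, qname)] + upstream
```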

