[tor-relays] dnsmasq configuration for an exit relay (Debian)

teor teor2345 at gmail.com
Sun Oct 8 20:40:01 UTC 2017


On 8 Oct 2017, at 16:24, Ralph Seichter <m16+tor at monksofcool.net> wrote:

>> who is aware of the query is not all that matters; the apparent
>> origin of the query also matters, depending on the position of the
>> attacker.
> 
> Sure, but keep in mind: Even if an attacker could gain access to all
> root zone servers, he could not see the necessary follow-up queries on
> TLD level (e.g. country domains, or .com, .net, etc.) and beyond. If I
> looked up host.somedomain.fr, a root zone snoop might show my interest
> in a French domain, but nothing else.

This is only true if your resolver implements QNAME minimisation:
https://tools.ietf.org/html/rfc7816

> Currently, when a resolver receives the query "What is the AAAA record for www.example.com?", it sends to the root (assuming a cold resolver, whose cache is empty) the very same question. Sending the full QNAME to the authoritative name server is a tradition, not a protocol requirement.

Does the version of the recursive resolver you're using
do this?

Or does it send only the minimal name required?

T
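As an added example that is not part of the original post or of any resolver's code, the following Python simulation shows the difference teor is asking about: which query names each authoritative server on the delegation path sees when a cold-cache resolver does, or does not, implement RFC 7816 QNAME minimisation. The delegation tree is constructed for the example (root delegating .com and .fr, which delegate example.com and somedomain.fr); no DNS traffic is sent. The NS-QTYPE intermediate queries follow RFC 7816; the RFC's fallbacks for servers that mishandle empty non-terminals are not modelled.

```python
"""Simulation of what a cold-cache resolver reveals to each authoritative
server, with and without QNAME minimisation (RFC 7816). Pure in-memory
model; the delegation tree below is constructed for the example."""

# Constructed toy delegation tree: parent zone -> zones it delegates.
# Leaf zones delegate nothing further.
DELEGATIONS = {
    ".": {"com.", "fr."},
    "com.": {"example.com."},
    "fr.": {"somedomain.fr."},
    "example.com.": set(),
    "somedomain.fr.": set(),
}


def labels(name):
    """'www.example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def fqdn(parts):
    """['example', 'com'] -> 'example.com.'; [] -> '.'."""
    return ".".join(parts) + "." if parts else "."


def delegation_chain(qname, delegations):
    """Zones whose servers a resolver contacts on the way to qname,
    starting at the root and following referrals."""
    target = labels(qname)
    chain = ["."]
    for depth in range(1, len(target)):  # the qname itself is not a cut here
        candidate = fqdn(target[-depth:])
        if candidate in delegations.get(chain[-1], set()):
            chain.append(candidate)
    return chain


def traditional_queries(qname, qtype, delegations):
    """Classic behaviour: the full QNAME and QTYPE go to every server on the
    delegation path, so the root sees e.g. 'www.example.com. AAAA'."""
    return [(zone, fqdn(labels(qname)), qtype)
            for zone in delegation_chain(qname, delegations)]


def minimised_queries(qname, qtype, delegations):
    """RFC 7816 QNAME minimisation: ask the current server only about the
    name one label longer than the zone it serves, with QTYPE NS; follow
    referrals; send the real QNAME/QTYPE only to the final server."""
    target = labels(qname)
    server_zone = "."
    queries = []
    for depth in range(1, len(target) + 1):
        candidate = fqdn(target[-depth:])
        if depth == len(target):
            # Last step: the real question, to the closest server found.
            queries.append((server_zone, candidate, qtype))
        else:
            queries.append((server_zone, candidate, "NS"))
            if candidate in delegations.get(server_zone, set()):
                server_zone = candidate  # referral: move to the child zone
            # otherwise NOERROR/no data: same server, add another label
    return queries


def names_seen_by(zone, queries):
    """Query names a snoop at the given zone's servers would observe."""
    return [name for server, name, _ in queries if server == zone]


if __name__ == "__main__":
    for strategy in (traditional_queries, minimised_queries):
        q = strategy("host.somedomain.fr.", "A", DELEGATIONS)
        print(strategy.__name__, "-> root sees:", names_seen_by(".", q))
```

With minimisation the root servers only ever see "fr." (and the .fr servers only "somedomain.fr."), which is the situation Ralph describes; without it every server on the path, root included, receives the full "host.somedomain.fr. A" question. Whether a given resolver behaves one way or the other is exactly what has to be checked against that resolver's version and configuration.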