[tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Tue Sep 12 20:43:35 UTC 2017


I wonder if these are all half-measures, and Tor needs a first-class solution to the DNS weakness.

Every Tor relay can have a simple resolver built-in, and/or perhaps all Tor relays could be running a DHT-style global DNS cache.
In case of a cache miss, the exit relay could build a circuit to another relay and ask it to query core DNS servers on its behalf.

Alternatively, the Tor community could run our own DNS servers, and every exit node would use those by default.

...I have seen some papers discussing DNS-assisted traffic correlation attacks, but I still don't know how serious that threat is.
I am basically not sure if DNS is a high-priority vulnerability right now, or just a distraction.

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf Of Ralph Seichter
Sent: Tuesday, September 12, 2017 1:25 PM
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

On 12.09.17 22:11, jpmvtd261 at laposte.net wrote:

> My idea is designed to protect the exit node against a DNS attack from 
> the owner of the DNS server. Not from the ISP or an attacker 
> monitoring the traffic going in and out of the ISP data center.

I'm not certain what you consider a "DNS attack".

Many exit node operators run a caching DNS resolver on their exits, which is easily done. Lacking that, you can use the resolvers run by your ISP, who can monitor all outbound traffic anyway, as I mentioned.

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
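Ralph's point that an exit should either run its own caching resolver or else accept that the ISP's resolvers see every lookup suggests a quick audit. The following POSIX shell check is an added example, not code from the thread or from the Tor project; it assumes a resolv.conf-style file whose path is passed as the only argument.

```sh
#!/bin/sh
# Added example: report whether a Tor exit sends its client-driven DNS
# lookups to a resolver on the host itself or to a remote (typically ISP)
# resolver. Any non-loopback nameserver means every lookup the exit
# performs leaves the machine in clear text.
#
# Returns 0 if every "nameserver" entry is a loopback address,
#         1 if at least one entry points at a remote resolver,
#         2 if the file lists no nameserver at all.
# Caveat: a loopback stub (e.g. 127.0.0.53) may itself forward upstream;
# this check only sees what the host's resolver library is told to use.
check_resolvers() {
    file="$1"
    found=0
    remote=0
    # Drop "#" and ";" comments, then inspect only nameserver lines.
    while read -r key value _rest; do
        case "$key" in
            nameserver) ;;
            *) continue ;;
        esac
        found=1
        case "$value" in
            127.*|::1) ;;                                   # local resolver
            *) remote=1; echo "remote resolver: $value" ;;  # leaves the host
        esac
    done <<EOF
$(sed 's/[#;].*//' "$file")
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$remote" -eq 0 ] || return 1
    return 0
}
```

Run it as `check_resolvers /etc/resolv.conf` on the exit; a non-zero status is the cue to install a local caching resolver and point resolv.conf (or torrc's ServerDNSResolvConfFile) at it.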
