[tor-relays] Should new exit relays be probed for public DNS resolvers

flux tor at cyb3rwr3ck.net
Thu Mar 5 15:50:28 UTC 2020


From my point of view it's much more helpful to run a DoH (or DNSCrypt,
DoT if you like) client on an exit and randomly distribute requests to a
set of DoH/DNSCrypt/DoT servers to hide the actual DNS requests an exit
is doing from an adversary which might use this information for
correlation.

As the requests are randomly distributed between a set of servers this
additionally fixes the problems of a single entity answering/monitoring
all DNS requests.

Unfortunately root servers don't support encrypted DNS (except for
OpenNIC but I don't think they are not an option for a general
recommendation because only 9 servers are currently supporting encryption).

BUT: By using, for example, the list of encrypting DNS servers and
dnscrypt-proxy that the DNSCrypt project is offering, it would be easy to
implement a huge set of relays using a random set of DoH or DNSCrypt
enabled DNS servers.

Regards,

flux


On 3/5/20 3:45 PM, Alec Muffett wrote:
>
>
> On Thu, 5 Mar 2020 at 14:37, Iain Learmonth <irl at torproject.org
> <mailto:irl at torproject.org>> wrote:
>
>     On 05/03/2020 14:20, Nathaniel Suchy wrote:
>     > It’s not a threat model issue.
>
>     Who gets to see Tor users' DNS requests is exactly a threat model
>     issue.
>
>
> Concur.  That is exactly the reason that I am asking clarification of
> Nathaniel's perspective, here.
>
> I'm currently doing some research on the area, and am particularly
> interested in which/all of Nathaniel is concerned by:
>
> 1/ blocking of Tor-users' DNS requests
> 2/ tampering with Tor-users' DNS requests
> 3/ surveillance of Tor-users' DNS requests
> 4/ *corporate* surveillance of Tor-users' DNS requests
> 5/ other...
>
> Because if Nathaniel is primarily interested in 3 and 4 from that
> list, then this is a particularly interesting video to watch (cued up
> to 0:33 for convenience)
>
>     https://www.youtube.com/watch?v=FrGZczZ8tyU&t=0m33s
>
> ...and which, with a little reflection regarding the "anonymity loves
> company" philosophy of Tor, suggests that the solution might in part
> be MORE AND PRIVATE use of "big" resolvers... because the little ones
> are just as much, perhaps more of a risk.
>
>     -a
>
> -- 
> http://dropsafe.crypticide.com/aboutalecm
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
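
The setup flux describes, sketched as a dnscrypt-proxy configuration fragment. This is an added example, not part of the original message or the DNSCrypt project's shipped configuration; it assumes dnscrypt-proxy 2.x key names, that the exit host's system resolver points at 127.0.0.1, and that the `[sources]` section (resolver list URLs and signing key) is kept unchanged from the example file shipped with the installed version.

```toml
# dnscrypt-proxy.toml fragment (added example, dnscrypt-proxy 2.x key names).
# Assumption: /etc/resolv.conf on the exit points at 127.0.0.1, so Tor's
# exit-side lookups go through this local proxy.
listen_addresses = ['127.0.0.1:53']

# Leave server_names unset: every resolver from the signed public list that
# passes the filters below becomes a candidate, instead of a hand-picked few.
# server_names = []

# Encrypted upstream protocols to use.
dnscrypt_servers = true
doh_servers = true

# Filters on the candidate set. require_nofilter keeps resolvers that block
# or rewrite answers out of the pool; require_nolog drops resolvers that
# declare query logging; require_dnssec keeps only validating resolvers.
require_nofilter = true
require_nolog = true
require_dnssec = true

# Default is 'p2' (choose between the two fastest candidates), which
# concentrates an exit's queries on very few operators. 'random' picks any
# candidate per query, so no single resolver sees the whole query stream.
lb_strategy = 'random'

# Do not fall back to the system resolver for normal queries once running;
# a silent fallback would send lookups out in cleartext again.
ignore_system_dns = true

# [sources] ... keep this section exactly as shipped in the
# example-dnscrypt-proxy.toml for your version (list URLs + minisign key).
```

The `require_nolog` and `require_dnssec` properties are self-declared by resolver operators in the public list, so they narrow the pool but do not prove how a resolver behaves.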

