[tor-talk] TAILS uses one DNS server from OpenDNS **WARNING **

Michael Wolf mikewolf53 at gmail.com
Mon Oct 28 03:06:40 UTC 2013


On 10/27/2013 2:06 PM, Ted Smith wrote:
> On Sun, 2013-10-27 at 03:41 -0400, Michael Wolf wrote:
>> On 10/27/2013 12:15 AM, communicationsystem at Safe-mail.net wrote:
>>> Tails uses one DNS server from OpenDNS.
>>>      
>>> What prevents a malicious party from signing up exit nodes at OpenDNS and logging traffic, blocking content, and/or redirecting traffic?
>>
>> Assuming the malicious party runs the exit node, what prevents them from
>> doing any of these things anyway?
> 
> OpenDNS authenticates by IP, so anyone using the exit node can change
> the OpenDNS settings if the exit node operator hasn't made an account. 
> 
> The exit node operator can do all of those things, but anyone using Tor
> can do them with OpenDNS.
> 

But, unless something has changed, Tor doesn't use the local client's
DNS resolvers, the exit node uses its own resolvers:

https://lists.torproject.org/pipermail/tor-talk/2010-July/010095.html

"Section 6.2 of the tor-spec.txt[5] outlines the method for connecting
to a specific host by name. Specifically, the Tor client creates a
RELAY_BEGIN cell that includes the DNS host name. This is transported
to the edge of a given circuit. The exit node at the end of the circuit
does all of the heavy lifting, it performs the name resolution directly
with the exit node's system resolver.

If all goes well, the exit node will respond with a RELAY_CONNECTED
cell. If successful the payload of this cell will include the IPv4
address for the host name. In theory, it may include an IPv6 address."

Once upon a time, Tails used ttdnsd for resolving DNS, which would have
used ttdnsd's resolvers.  This changed as of Tails 0.13.

https://tails.boum.org/contribute/design/Tor_enforcement/DNS/ttdnsd_broken/

That last document explains that ttdnsd is still installed, configured,
and running, but it is not part of the 'normal DNS resolution loop'.  It
also mentions why OpenDNS was chosen (Google's DNS server started
blocking connections from Tor).

If it is actually possible for an anonymous user to set up an OpenDNS
account on behalf of an exit relay, the warning here should be that exit
relays should never use OpenDNS (unless they preemptively set up an
account).  Except in rare cases, the client's settings do not matter.
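To make the quoted tor-spec passage concrete, here is an added example (not code from Tails, Tor, or anyone in this thread) that builds and parses the RELAY_BEGIN and RELAY_CONNECTED payloads and shows the exit answering from its own resolver. The payload layouts follow my reading of tor-spec and the resolver table is a constructed stand-in, both assumptions rather than anything this thread verifies.

```python
import socket
import struct

# Payload layouts as I read them in tor-spec (an assumption, not Tor's code):
#   RELAY_BEGIN:     "host:port" NUL FLAGS(4 bytes, big-endian)
#   RELAY_CONNECTED: IPv4 addr(4) TTL(4)   or   0x00000000 0x06 IPv6 addr(16) TTL(4)
# Cell headers, circuit IDs and onion encryption are left out.


def build_relay_begin(hostname: str, port: int, flags: int = 0) -> bytes:
    """Client side: the name itself travels to the exit; nothing is resolved here."""
    return f"{hostname}:{port}".encode("ascii") + b"\x00" + struct.pack("!I", flags)


def parse_relay_begin(payload: bytes) -> tuple[str, int, int]:
    addrport, _, rest = payload.partition(b"\x00")
    host, _, port = addrport.decode("ascii").rpartition(":")
    flags = struct.unpack("!I", rest[:4])[0] if len(rest) >= 4 else 0
    return host, int(port), flags


def build_relay_connected(address: str, ttl: int) -> bytes:
    try:
        return socket.inet_pton(socket.AF_INET, address) + struct.pack("!I", ttl)
    except OSError:  # not a dotted quad: use the IPv6 form
        return (b"\x00" * 4 + b"\x06"
                + socket.inet_pton(socket.AF_INET6, address) + struct.pack("!I", ttl))


def parse_relay_connected(payload: bytes) -> tuple[str, int]:
    if payload[:4] != b"\x00" * 4:
        return socket.inet_ntop(socket.AF_INET, payload[:4]), struct.unpack("!I", payload[4:8])[0]
    if payload[4] != 6:
        raise ValueError("unknown address type in RELAY_CONNECTED")
    return socket.inet_ntop(socket.AF_INET6, payload[5:21]), struct.unpack("!I", payload[21:25])[0]


# Constructed stand-in for the exit's system resolver (whatever its resolv.conf points at).
# Documentation-range addresses only.
EXIT_RESOLVER = {"example.com": ("192.0.2.10", 300), "example.org": ("2001:db8::1", 60)}


def exit_handle_begin(begin_payload: bytes, resolver=EXIT_RESOLVER) -> bytes:
    """Exit side: resolve with *its* resolver and answer with a RELAY_CONNECTED payload."""
    host, _port, _flags = parse_relay_begin(begin_payload)
    address, ttl = resolver[host]
    return build_relay_connected(address, ttl)
```

The client never sees which resolver the exit used, which is why the exit operator's resolver configuration, not the client's, is what matters.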



