[tor-talk] Tor DNS

Ondrej Mikle ondrej.mikle at gmail.com
Wed Jul 30 21:43:30 UTC 2014


On 07/30/2014 01:43 PM, Mike Fikuart wrote:
> I am aware that there is a Project Idea (under
> https://www.torproject.org/getinvolved/volunteer.html.en#improvedDnsSupport)
> point q. Improved DNS support for Tor;

I am the author of the proposal 219.

If you want DNS, you can make it work today via a tunnel with Unbound. One
sample howto: https://labs.nic.cz/page/993/ - DNSSEC is optional.

> however has there been any exploration or development of a fully fledged
> DNS system for Tor

I have spent more than half a year trying to make it work. Most time spent was
due to DNSSEC and especially its latency - it is quite easy to have 20
roundtrips for one DNS request because of CNAME and DNAME, which can take 5-20
seconds, incurring seemingly "random" errors (from the user's point of view).

On a good day with a good circuit and a "heated cache" you can get an average of ~3 secs
to resolve a request.

> that could give human readable names to hidden services?

This is not a good idea for many reasons. I'm not up-to-date with the latest
rendezvous protocol, but AFAIK the DNS request would be sent from a different
exit node than the nodes used for rendezvous, which would in turn make
correlation attacks easier.

> If further consideration is given to also pursuing the registration of the
> .onion domain as a TLD, this could also open further publicity and revenue
> for the Tor Project. The domain auctions for .tv and .co raised
> significant revenue for the Tuvalu and Colombian countries not to mention
> the managing organisations.

A TLD costs $150k USD as a "down payment" and requires additional infrastructure
to support the gTLD, which is not cheap. There are much better ways to
spend the resources.

> Has any of this been looked at previously or are there reasons why this is
> not being pursued?

DNS, being 30+ years old, has incredibly many special cases. There are
quick-and-dirty implementations, but that's probably not what one would want
with anonymity software.