[tor-talk] Tor DNS
ondrej.mikle at gmail.com
Wed Jul 30 21:43:30 UTC 2014
On 07/30/2014 01:43 PM, Mike Fikuart wrote:
> I am aware that there is a Project Idea (under
> point q. Improved DNS support for Tor;
I am the author of proposal 219.
If you want DNS, you can make it work today via a tunnel with Unbound. One
sample howto: https://labs.nic.cz/page/993/ - DNSSEC is optional
> however has there been any exploration or development of a fully fledged
> DNS system for Tor
I have spent more than half a year trying to make it work. Most of the time was
spent on DNSSEC and especially its latency: it is quite easy to have 20
roundtrips for one DNS request because of CNAME and DNAME, which can take 5-20
seconds, incurring seemingly "random" errors (from the user's point of view).
On a good day with a good circuit and a "heated" cache you can get an average of
~3 secs to resolve a request.
> that could give human readable names to hidden services?
This is not a good idea for many reasons. I'm not up-to-date with the latest
rendezvous protocol, but AFAIK the DNS request would be sent from a different
exit node than the nodes used for rendezvous, which would in turn make
correlation attacks easier.
> If further consideration is given to also pursuing the registration of the
> .onion domain as a TLD, this could also open further publicity and revenue
> for the Tor Project. The domain auctions for .tv and .co raised
> significant revenue for the Tuvalu and Colombian countries not to mention
> the managing organisations.
A TLD costs $150k USD as a "down payment" and requires additional infrastructure
to support the gTLD, which is not cheap. There are much better ways to spend
the resources.
> Has any of this been looked at previously or are there reasons why this is
> not being pursued?
DNS, being 30+ years old, has incredibly many special cases. There are
quick-and-dirty implementations, but that's probably not what one would want
in anonymity software.
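As an added illustration of the "tunnel with Unbound" approach mentioned above (example code written for this page, not the poster's setup and not the contents of the linked labs.nic.cz howto): Tor carries TCP only, so Unbound is forced to TCP-only upstream and pointed at a local socat listener that relays each TCP connection through Tor's SOCKS port to an upstream resolver, while Unbound itself does the DNSSEC validation. The SOCKS port 9050, tunnel port 5353, the TEST-NET-2 upstream address 198.51.100.53 and the trust-anchor path /var/lib/unbound/root.key are all placeholder assumptions to be replaced on a real system.

```shell
#!/bin/sh
# Added example, not from the original post or the linked howto.
# Minimal Unbound-behind-Tor setup:
#   unbound (127.0.0.1:53, TCP upstream only)
#     -> socat (127.0.0.1:$TUNNEL_PORT)
#       -> Tor SocksPort (127.0.0.1:$SOCKS_PORT)
#         -> some exit -> upstream resolver, DNS over TCP/53
# Assumptions (placeholders, adjust for your system):
#   - Tor runs locally with "SocksPort 9050" in torrc
#   - UPSTREAM answers DNS over TCP with EDNS/DO so Unbound can validate itself
#   - the root trust anchor is at /var/lib/unbound/root.key

UPSTREAM="${UPSTREAM:-198.51.100.53}"   # placeholder (TEST-NET-2), not a real resolver
SOCKS_PORT="${SOCKS_PORT:-9050}"
TUNNEL_PORT="${TUNNEL_PORT:-5353}"

# Write an unbound.conf to $1 that only ever speaks TCP, and only to the
# local relay on 127.0.0.1:$2, so no query can leak around Tor over UDP.
write_unbound_conf() {
    conf="$1"; port="$2"
    cat > "$conf" <<EOF
server:
    interface: 127.0.0.1
    port: 53
    do-udp: no                 # Tor cannot carry UDP; never try it
    do-tcp: yes
    tcp-upstream: yes          # upstream queries over TCP only
    do-not-query-localhost: no # the forwarder *is* localhost (the socat relay)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no    # bogus answers become SERVFAIL, not passed through
    harden-dnssec-stripped: yes
    # Every upstream roundtrip costs a full Tor circuit RTT, so keep validated
    # data as long as the zone allows and refresh popular names in the background.
    cache-min-ttl: 300
    prefetch: yes
    prefetch-key: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@${port}
    forward-first: no          # never fall back to direct (de-anonymising) recursion
EOF
}

# Relay TCP connections on 127.0.0.1:$TUNNEL_PORT through Tor's SOCKS port
# to UPSTREAM:53. SOCKS4A hands Tor the destination; the exit node opens the
# TCP/53 connection, so this works only with exits whose policy allows port 53.
start_tunnel() {
    exec socat "TCP4-LISTEN:${TUNNEL_PORT},bind=127.0.0.1,fork,reuseaddr" \
               "SOCKS4A:127.0.0.1:${UPSTREAM}:53,socksport=${SOCKS_PORT}"
}

# Usage:  sh this.sh conf /etc/unbound/unbound.conf   (then restart unbound)
#         sh this.sh tunnel                           (keep running, e.g. under a supervisor)
case "${1:-}" in
    conf)   write_unbound_conf "${2:-/etc/unbound/unbound.conf}" "$TUNNEL_PORT" ;;
    tunnel) start_tunnel ;;
    *)      : ;;   # no verb given: just define the functions
esac
```

Two settings carry the security weight: `do-udp: no` plus `tcp-upstream: yes` make it impossible for Unbound to bypass the SOCKS relay (UDP cannot traverse Tor), and `forward-first: no` stops Unbound from recursing directly to the Internet when the forwarder is slow or fails, which under Tor latency it regularly will. Note that this gives you DNSSEC-validated answers through Tor, but the exit and the upstream resolver still see the query stream for that circuit; it does nothing to address the correlation concern raised above for hidden-service names.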