[tor-talk] Tor DNS

Mike Fikuart mike at fikuart.com
Thu Jul 31 12:22:02 UTC 2014

Thanks for the response Ondrej.

I was thinking specifically for the .onion addresses as opposed to the conventional www addressing.  When the client first recognises the .onion domain, could a DNS be set up within Tor dealing only with .onion hostnames/domain space and conventional DNS requests for www be handled as currently (or developed as per proposal 129)?

My thought was that [hiddenservice].onion would be dealt with by the Tor NameServer to return the hostname (derived from public key).  From here the hidden services protocol would continue as per normal.  The only weakness would be the security of the information coming back from the D/NS pointing to the same hostname.onion; however with Tor circuit/s to the DNS this should negate such an attack.  Further to your comment about the request leaving the Tor network; these DNS requests would be handled internally, never leaving the network.  Is this feasible and reliably reproducible?

Just as there was the increasing need for the Tor search engine, this would (I believe) encourage more people to benefit from presenting their information/services in a usable format.

I note your further comments about the cost/resources of registering the TLD .onion, but there may be a time when there is a business model that can benefit from the investment and returns.

Yours sincerely
Mike Fikuart IEng MIET
Mobile: 07801 070580
Office: 020 33840275
Blog: mikefikuart
Skype: mikefikuart
Twitter: mikefikuart
LinkedIn: mikefikuart

On 30 Jul 2014, at 22:43, Ondrej Mikle <ondrej.mikle at gmail.com> wrote:


On 07/30/2014 01:43 PM, Mike Fikuart wrote:
> I am aware that there is a Project Idea (under
> https://www.torproject.org/getinvolved/volunteer.html.en#improvedDnsSupport)
> point q. Improved DNS support for Tor;

I am the author of the proposal 219.

If you want DNS, you can make it work today via a tunnel with Unbound. One
sample howto: https://labs.nic.cz/page/993/ - DNSSEC is optional

> however has there been any exploration or development of a fully fledged
> DNS system for Tor

I have spent more than half a year trying to make it work. Most time spent was
due to DNSSEC and especially its latency - it is quite easy to have 20
roundtrips for one DNS request because of CNAME and DNAME. Which can take 5-20
seconds - incurring seemingly "random" errors (from the user's point of view).

On a good day with good circuit and "heated cache" you can get average ~3 secs
to resolve a request.

> that could give human readable names to hidden services?

This is not a good idea for many reasons. I'm not up-to-date with the latest
rendezvous protocol, but AFAIK the DNS request would be sent from different
exit node than the nodes used for rendezvous - which would in turn make
correlation attacks easier.

> If further consideration is given to also pursuing the registration of the
> .onion domain as a TLD, this could also open further publicity and revenue
> for the Tor Project.   The domain auctions for .tv and .co raised
> significant revenue for the Tuvalu and Colombian countries not to mention
> the managing organisations.

TLD costs $150k USD as "down payment" and requires additional infrastructure
to support the gTLD which is not cheap. There are much better ways to
spend the resources.

> Has any of this been looked at previously or are there reasons why this is
> not being pursued?

DNS being 30+ years old has incredibly many special cases. There are
quick-and-dirty implementations but that's probably not what one would want
with anonymity software.
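
Added example, not part of the original thread and not Tor's own code: a Python check of which part of a "name server returns hostname.onion" lookup a client can verify by itself. It assumes the legacy 16-character onion format (base32 of the first 80 bits of the SHA-1 of the service's DER-encoded RSA public key); `check_lookup`, the pinned name and the key byte strings are hypothetical, constructed stand-ins.

```python
import base64
import hashlib

def onion_v2_address(der_public_key: bytes) -> str:
    """Legacy onion name: base32(first 80 bits of SHA-1(DER public key))."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

def descriptor_matches(onion: str, descriptor_key: bytes) -> bool:
    """True if the key presented for the service hashes to the onion name."""
    return onion.strip().lower() == onion_v2_address(descriptor_key)

def check_lookup(answer_onion: str, descriptor_key: bytes, pinned_onion=None) -> str:
    """Validate a name-server answer (hypothetical helper).

    The key-to-name binding is checkable by the client alone. The binding of
    a human-readable name to an onion name is not; it needs a reference the
    client already trusts (here an optional pinned onion name).
    """
    if not descriptor_matches(answer_onion, descriptor_key):
        return "reject: descriptor key does not hash to the onion name"
    if pinned_onion is not None and answer_onion.strip().lower() != pinned_onion:
        return "reject: answer differs from pinned onion name"
    return "accept"

# Constructed stand-ins for DER-encoded keys (not real RSA keys).
SERVICE_KEY = b"constructed stand-in: DER-encoded RSA public key of the service"
OTHER_KEY = b"constructed stand-in: DER-encoded RSA public key of another party"
SERVICE_ONION = onion_v2_address(SERVICE_KEY)
OTHER_ONION = onion_v2_address(OTHER_KEY)

if __name__ == "__main__":
    # Correct answer, correct key.
    print(check_lookup(SERVICE_ONION, SERVICE_KEY))
    # Correct answer, but the presented key belongs to someone else.
    print(check_lookup(SERVICE_ONION, OTHER_KEY))
    # Answer points at a different, internally consistent onion name:
    # passes without a pin, is caught with one.
    print(check_lookup(OTHER_ONION, OTHER_KEY))
    print(check_lookup(OTHER_ONION, OTHER_KEY, pinned_onion=SERVICE_ONION))
```

The third case is the one the name mapping itself has to protect: the hash check binds a key to an onion name, not a readable name to an onion name.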
