[tor-talk] ICANN and .onion

grarpamp grarpamp at gmail.com
Fri May 30 08:21:35 UTC 2014


>>> Users leaking dns / failing to redirect dns into tor is not a tor problem.

I'm going to rebut these two replies a bit.

TPO makes Tor, the client, and some surrounding tools, and docs,
and efforts regarding Tor in the world. It's not Tor's responsibility to
somehow reach into users' machines, understand all their configs,
and magically reconfigure them and all their apps to talk to Tor.
Tor provides the client interface, users must get their packets there.
Tor does help by providing a wiki/tor-talk/irc/stackX/etc where users
can discuss how to do that for their apps/OS. And they do provide
TBB. Users can further choose from Tails/Whonix, etc. But ultimately,
as with any other tool, it's up to the user, not Tor. I want users at
all levels to be able to use tor properly, but the amount of work and
handholding is simply outside the scope and capability of TPO.

FWIW, I think out of...
- Developing TBB.
- Spending time to, in fact, say, have the client trigger each OS's
routing/filter API into routing everything into tor.
...that it's better that tpo do tbb because tbb tech (and pushing it
upstream) is more valuable to the world than turning your box into
yet another boring single purpose router brick (that has already been
done, and users can customize by using the above resources).

> If it was not a Tor
> problem, .onion would not be needed in the first place.

.onion HS is unrelated to the 'place' of apps 'leaking' dns.
The talk of how to handle a day if .onion becomes a
non-reserved-for-tor clearnet tld is also separate from that.
(Or Tor could simply elect to flag day over to .noino, but
that could become an arms race.)

> But for non-hackers, the reality is that apart from booting Tails and
> enjoying a proper Tor setup, installing the Tor package on most distros
> does not come with pre-installed DNS and *will* leak queries by default.

The Tor client is not a sysadmin app, so it follows standard models
and does not go mucking around your system like an SA. That includes
pointing the system resolver to DNSPort (which would break
everything to go in that default direction), or "come with pre-installed
DNS" (daemon and configs presumably).

DNS "leaks" really refer to, and only occur as a result of, apps
that fail to send DNS alongside TCP according to an applicable
SOCKS5 directive given to them. Or from uncharacterized/unsolved
situations with torsocks (due again to apps/system doing
odd things). Those, or users simply not configuring things
(that do work correctly) into tor properly, are not a tor problem.

You have to learn and know what you're doing to use Tor
properly, and in a way that suits your setup; it says so
right on the tin.
Or go for prepackaged TBB, Tails, Whonix.
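As an added example (not part of the original post), the following Python shows the mechanism the post describes: a SOCKS5 CONNECT request that carries the hostname (ATYP 0x03, RFC 1928) leaves resolution to Tor, while an application that resolves the name itself and hands the proxy only an IP has already sent the query out through the system resolver. The `resolver` argument and the sample names and addresses are constructed for illustration.

```python
import ipaddress
import socket
import struct

SOCKS5_VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build an RFC 1928 CONNECT request.

    A hostname goes on the wire verbatim (ATYP 0x03) so the proxy, here
    Tor, performs the lookup; only an IP literal is sent in packed form.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for a SOCKS5 request")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS5_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def leaky_connect_request(host: str, port: int, resolver=socket.gethostbyname) -> bytes:
    """The pattern the post calls a DNS leak: the app resolves the name with
    the system resolver first, so the query bypasses Tor and the proxy only
    ever sees an IP. `resolver` is injectable (constructed) so this runs offline."""
    return socks5_connect_request(resolver(host), port)


def classify_request(req: bytes) -> dict:
    """Decode a CONNECT request and report who did the name resolution."""
    ver, cmd, rsv, atyp = req[:4]
    if (ver, cmd, rsv) != (SOCKS5_VER, CMD_CONNECT, 0x00):
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        target, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        target, rest = str(ipaddress.ip_address(req[4:4 + n])), req[4 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:
        raise ValueError("malformed request length")
    (port,) = struct.unpack("!H", rest)
    return {"target": target, "port": port,
            "resolved_by_proxy": atyp == ATYP_DOMAIN}
```

A .onion name can only be reached the first way, since nothing outside Tor can resolve it; an app that insists on resolving before connecting both fails for .onion and leaks for everything else.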

