On Mon, Sep 01, 2014 at 10:56:30AM -0700, merc1984@f-m.fm wrote:
> Lol, first of all Copernicus, I have made no posts in that stackexchange thread. I do have the same concern though, as it is legitimate. Second, I believe all the answers there are wrong because an exit node could not resolve .onion addresses by the time a query gets there.
> I suspect that TOR DNS is TCP, and that relays can also resolve. But then, so far it seems that no one actually knows.
The exit nodes do the DNS requests. The client doesn't see an IP address. It connects to the Tor SOCKS interface and says, "connect me to hostname example.com on port N". It doesn't look up the IP address of "example.com" and *then* connect to it. Hidden services don't have IP addresses and DNS resolution isn't involved in routing connections to them.
There is an exception to this. You *can* use the DNSPort option in your torrc and then your Tor client will expose a DNS server interface on a local UDP port of your choice. Your DNS requests which are sent to this interface are then forwarded over Tor to the Exit node which then looks them up on your behalf. It only works for A, AAAA and PTR records at the moment IIRC.
The vast majority of Tor users will not make any DNS requests over the Tor network. If you don't understand this, read up on how SOCKS works.
> To those whose skirts I've blown up about DNSSEC, you must not understand that what we have now is very susceptible to DNS Cache Poisoning.
I am a fan of DNSSEC and use it on my own domains. However, it wouldn't help on Tor as much as you think it would:
If you're visiting a non-SSL website, the web traffic can still be viewed and modified by a malicious exit node regardless of whether DNSSEC is in use, so DNSSEC doesn't gain us anything here...
And if you're visiting an SSL secured website, a malicious exit node can't view/modify your traffic without triggering certificate alerts anyway regardless of the existence of DNSSEC.
And on top of this, they can route your traffic to whatever IP they want. So even if you get a DNSSEC signed response telling you to connect to IP address "a.b.c.d", they can still re-route your attempt to connect to "a.b.c.d" to whatever IP they want.
> This is a serious problem. And if you don't take this seriously, either you clearly do not understand the problem, or you are not telling us why it is not a problem.
Which problems will DNSSEC solve for Tor users?
> IDC if the solution is DNSSEC, DNSCurve, or Waltzing with DNS, but I say this is a serious problem that must be addressed.
DNSSEC and DNSCurve are completely different solutions for completely different problems and can be used independently or at the same time.
I don't think you've effectively said what the problem you want addressed actually is.
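As an added example (not part of the thread above), the SOCKS5 request shape the reply describes: the client hands the proxy a hostname and never resolves it itself. The second function is a check a defender could run over SOCKS requests captured on the loopback port to spot applications that resolved a name locally (a DNS leak) before handing a literal IP to Tor. It assumes only the SOCKS5 wire format from RFC 1928; the onion address in the test is a constructed placeholder.

```python
import socket
import struct

# SOCKS5 constants (RFC 1928)
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(target: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request for `target`:`port`.

    A hostname is sent verbatim with address type 0x03, so the proxy
    (for Tor: the exit node) performs the lookup and the client does
    no DNS query of its own. A literal IP is sent as IPv4/IPv6 bytes.
    """
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, target)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, target)
        except OSError:
            name = target.encode("ascii")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def classify_request(req: bytes) -> str:
    """Inspect a captured SOCKS5 request and say who will resolve the name.

    A literal IP means the application already did its own lookup, outside
    Tor; a hostname means the exit node resolves it; a .onion name never
    touches DNS at all.
    """
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        return "not a SOCKS5 CONNECT"
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        name_len = req[4]
        host = req[5:5 + name_len].decode("ascii", errors="replace")
        if host.lower().endswith(".onion"):
            return "onion: no DNS involved, routed to the hidden service"
        return "hostname: resolved by the exit node"
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        return "literal IP: resolved locally, possible DNS leak"
    return "unknown address type"
```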