On Thu, Jan 19, 2012 at 7:39 AM, Linus Nordberg linus@nordberg.se wrote:
Hi,
After some interesting discussions irl last week with knowledgeable DNS and security people (hi Jakob) I'd like to hear from people involved with DNS in Tor what current status is and what needs to be done.
More specifically, what's the status of ttdnsd and TorDNSd? Are they being used? Any thoughts about having a local validating resolver?
I know there's been some discussions (4zm, are you here?) about using libunbound (which could be interesting for DNSSEC support). Did that evolve into anything useful?
I'm by no means a DNS expert but would love to see some discussion about this, partly because future IPv6 work will depend on changes to our DNS system.
Hi, Linus!
So, I think that what we actually need from a proper way to do DNS over Tor is a way for the Tor client to make real DNS requests to get handled by an exit node's DNS server or servers. Right now, we don't have that; we have a pile of half-measures instead.
Specifically, here's Tor's DNS support now:

* When the client uses a BEGIN relay cell to open a new stream, the exit node does a lookup on the requested hostname at its nameservers, connects there, and tells the client what the IP was. No info about the lookup other than the IPv4 address is returned.

* A client can use a RESOLVE relay cell to do an A lookup, an AAAA lookup (not supported iirc), or a PTR lookup at the exit node's nameservers. But they don't get back the full answer; they only get back the IP address or hostname.
Originally, we limited the DNS functionality that the exit node would expose for you because we were worried about what kind of shenanigans somebody could do with an arbitrarily crafted DNS request, and so we restricted ourselves to a minimalist subset. (This was back when Dan Kaminski's favorite hobby was finding unexpected applications of DNS, like streaming video and whatnot.)
But I think the right design is probably something like allowing clients to request more DNS info via exit nodes' nameservers, and get more info back. We should think of ways to do this that avoid extra round trips, but that should be doable.
At the most extreme, this could just give clients the ability to generate arbitrary DNS requests and get the entire response back. If that seems worrisome, we could limit the form of the requests to a reasonable subset, prevent various "christmas-tree" requests, and so on. I don't personally understand the security issues here too well, but I know they exist.
As an aside, DNSSEC for hostname lookup only helps so much here: If I know for certain that www.example.com is 10.2.3.4, that doesn't really help me if I can't know whether I'm really talking to 10.2.3.4. But there are DNSSEC uses, such as TLS certificate stapling, that would still be reasonable to do over Tor.
yrs,
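To make the two halves of the reply above concrete, the following is an added example (not Tor code, and not anything from the thread's authors): a minimal DNS wire-format parser that returns the whole response (every answer RR, with TTLs, rather than the single IP a RESOLVED cell carries), next to a request checker of the kind the reply hints at when it talks about limiting client requests to a "reasonable subset" and refusing "Christmas-tree" requests. The allowed qtype set (A, AAAA, PTR), the 512-byte limit, and the sample response bytes are assumptions made for this example; the response is constructed locally, not obtained from a real resolver.

```python
"""Added example: parse full DNS responses and vet client-supplied requests.
Not Tor code. Constants below are assumptions chosen for the illustration."""
import struct
import ipaddress

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "AAAA": 28, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
ALLOWED_QTYPES = {QTYPE["A"], QTYPE["AAAA"], QTYPE["PTR"]}  # assumption
MAX_REQUEST = 512                                           # assumption


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset after name). Compression pointers must point
    backwards and a hop counter stops pointer loops in hostile messages."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward pointer")
            end = end if end is not None else off + 2
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ptr
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def build_query(name, qtype, txid=0x1234, rd=True):
    hdr = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Full parse: header, questions, and every RR in all three sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    out = {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated rdata")
            if rtype == QTYPE["A"] and rdlen == 4:
                value = str(ipaddress.IPv4Address(rdata))
            elif rtype == QTYPE["AAAA"] and rdlen == 16:
                value = str(ipaddress.IPv6Address(rdata))
            elif rtype in (QTYPE["CNAME"], QTYPE["PTR"]):
                value, _ = decode_name(msg, off)
            else:
                value = rdata.hex()
            off += rdlen
            rrs.append({"name": name, "type": QTYPE_NAME.get(rtype, rtype),
                        "ttl": ttl, "data": value})
        out[key] = rrs
    return out


def addresses_only(parsed):
    """What a RESOLVED-style answer boils down to: just the addresses."""
    return [rr["data"] for rr in parsed["answer"] if rr["type"] in ("A", "AAAA")]


def check_request(msg):
    """Vet a client-supplied request: one IN question, allow-listed qtype,
    no RRs anywhere, and no header flag other than RD. Returns (ok, reason)."""
    if len(msg) > MAX_REQUEST:
        return False, "oversized"
    try:
        m = parse_message(msg)
    except (ValueError, struct.error, UnicodeDecodeError) as e:
        return False, "malformed: %s" % e
    if m["flags"] & ~0x0100:
        return False, "unexpected header flags"
    if len(m["questions"]) != 1:
        return False, "must carry exactly one question"
    _, qtype, qclass = m["questions"][0]
    if qclass != 1:
        return False, "class must be IN"
    if qtype not in ALLOWED_QTYPES:
        return False, "qtype not allowed"
    if m["answer"] or m["authority"] or m["additional"]:
        return False, "request must not carry resource records"
    return True, "ok"


def build_response(query, answers):
    """Constructed test response; owner names point back at the question."""
    m = parse_message(query)
    qname, qtype, qclass = m["questions"][0]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, ttl, len(rd)) + rd
                   for t, ttl, rd in answers)
    hdr = struct.pack("!HHHHHH", m["id"], 0x8180, 1, len(answers), 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, qclass) + rrs
```

A query for www.example.com parsed with parse_message yields both A records and their TTLs, while addresses_only collapses it to the list of IPs; check_request accepts that query but refuses an ANY query, a query with every header flag set, and a response masquerading as a request.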