On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
>> I cannot really say anything about how this design compares to other approaches, since I don't know how I can set up meaningful test scenarios to compare them.
> Do we really need test setups to discuss protocol designs and compare protocols with a common threat model if specs for the protocols are available?
I think it depends on the context. However, if you want to neglect the context you can just compare plain DNS employing DNSSEC (authenticity and integrity) to DoH / DoT (confidentiality). There are quite a few comparisons out there, e.g.: [1].
[1] https://blog.circuitsofimagination.com/2018/11/08/dns-o-t-dnssec-dns-o-h.htm...
>> However, I would appreciate it if you could share how to set up such test environments.
> Take your preferred DoT client implementation that supports the strict profile (RFC 8310) or your preferred DoH implementation and route it over Tor to your resolver of choice.
If you put it like this, then the proposed design would save the TLS / HTTPS handshake required in DoT / DoH and would add authenticity and integrity verification of DNS responses. However, the confidentiality you get with DoH / DoT (at the exit relay, which may not even be necessary?) would be missing.
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
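The test setup nusenu describes (a strict-profile DoT client routed over Tor to a resolver of choice), written out as an added Python example; this is not code from either poster or from the Tor project. It assumes a Tor SOCKS5 listener on 127.0.0.1:9050 and uses a placeholder resolver name, dns.example.net:853, both of which are assumptions and not from the thread. The query builder, RFC 7858 framing, SOCKS5 CONNECT request and response-header parser are pure functions that run offline; only `dot_query_over_tor` needs a running Tor daemon.

```python
"""Strict-profile DNS-over-TLS (RFC 8310) routed through Tor's SOCKS port.

Added example for the thread above, not code from either poster.
Assumed (not from the thread): Tor SOCKS5 on 127.0.0.1:9050 and the
placeholder resolver dns.example.net:853.
"""
import socket
import ssl
import struct

TOR_SOCKS = ("127.0.0.1", 9050)        # assumed Tor SocksPort
RESOLVER = ("dns.example.net", 853)    # placeholder DoT resolver (assumed)


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def frame_dot(msg: bytes) -> bytes:
    """RFC 7858 framing: 2-byte big-endian length prefix per message."""
    return struct.pack("!H", len(msg)) + msg


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): Tor resolves the
    resolver's name at the exit, so no local DNS lookup leaks it."""
    h = host.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)


def strict_tls_context() -> ssl.SSLContext:
    """RFC 8310 strict privacy profile: the resolver must authenticate
    (CA chain + hostname) and there is no fallback to cleartext."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context fails closed on an unauthenticated resolver."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def parse_header(resp: bytes) -> dict:
    """txid, rcode, AD bit and answer count from a response header. AD only
    says the resolver validated DNSSEC; it is trustworthy over an
    authenticated TLS channel, not over plain UDP from an arbitrary exit."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "rcode": flags & 0xF, "ad": (flags >> 5) & 1,
            "ancount": ancount}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def open_via_tor(dest) -> socket.socket:
    """TCP stream to `dest` through Tor's SOCKS5 port."""
    s = socket.create_connection(TOR_SOCKS)
    s.sendall(b"\x05\x01\x00")                 # v5, one method: no auth
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 method negotiation failed")
    s.sendall(socks5_connect_request(*dest))
    ver, rep, _rsv, atyp = _recv_exact(s, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError(f"SOCKS5 CONNECT rejected, REP={rep}")
    # Drain BND.ADDR/BND.PORT so the TLS handshake starts on a clean stream.
    if atyp == 1:
        _recv_exact(s, 4 + 2)
    elif atyp == 3:
        _recv_exact(s, _recv_exact(s, 1)[0] + 2)
    elif atyp == 4:
        _recv_exact(s, 16 + 2)
    return s


def dot_query_over_tor(name: str, qtype: int = 1) -> dict:
    """One strict DoT round trip over Tor; returns the parsed header."""
    raw = open_via_tor(RESOLVER)
    # A wrong or self-signed certificate at the resolver raises here
    # instead of silently degrading (the strict profile's whole point).
    tls = strict_tls_context().wrap_socket(raw, server_hostname=RESOLVER[0])
    query = build_query(name, qtype)
    try:
        tls.sendall(frame_dot(query))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        resp = _recv_exact(tls, length)
    finally:
        tls.close()
    parsed = parse_header(resp)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return parsed


if __name__ == "__main__":
    print(dot_query_over_tor("example.com"))
```

What this setup buys is the hop-by-hop picture the thread is comparing: Tor hides the client from the resolver, TLS hides the query from the exit relay and authenticates the resolver, and the AD bit reports only that the resolver validated DNSSEC. The client itself does no signature verification here, which is the authenticity gap the reply above contrasts with DNSSEC.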