On Mon, Sep 1, 2014, at 10:19, Артур Истомин wrote:

On Mon, Sep 01, 2014 at 04:33:34PM +0000, David Stainton wrote:

...

Dear merc1984@f-m.fm,

Is DNSSEC is not evil? To me it seems like the 1984 of domain name systems... Please take a good look at the political implications of DNSSEC. I personally do not understand why this Tor Project spec includes mention of DNSSEC: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-...

Can we use djb's DNSCurve instead of DNSSEC? Perhaps I misunderstand the situation and the difference between DNSCurve and DNSSEC. Perhaps "ZOMG someone is wrong on the Internet!" will spark someone else's interest in correcting me here in this discussion. I personally think that people mentioning DNSSEC on tor communications channels must either have an agenda to help the US government gain more control of the Internet... or they must be trolls. But maybe I am totally wrong about this. I'd be interested in hearing a correction if I am wrong... and does this mean the DJB is also wrong? =-) https://en.wikipedia.org/wiki/DNSCurve

Yeah, he is troll or/and NSA's agent :) He's already got the answer exactly the same as yours, from two people from tor-talk:

https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-... 2. DNSSEC is suck, not security technology.

to merc1984@f-m.fm, is it act of sabotage? Stop it or I will come for you! ;)

Lol, first of all Copernicus, I have made no posts in that stackexchange thread. I do have the same concern though, as it is legitimate. Second, I believe all the answers there are wrong because an exit node could not resolve .onion addresses by the time a query gets there.

I suspect that TOR DNS is TCP, and that relays can also resolve. But then, so far it seems that no one actually knows.

To those whose skirts I've blown up about DNSSEC, you must not understand that what we have now is very susceptible to DNS Cache Poisoning. This is a serious problem. And if you don't take this seriously, either you clearly do not understand the problem, or you are not telling us why it is not a problem.

IDC if the solution is DNSSEC, DNSCurve, or Waltzing with DNS, but I say this is a serious problem that must be addressed.

Yeah, I'm an NSA agent, trying to tell you about a serious problem with TOR which you are too stupid to see. pfff Gourd-head and come after me, lol.

On Mon, Sep 1, 2014, at 11:54, Mike Cardwell wrote:

The exit nodes do the DNS requests. The client doesn't see an IP address. It connects to the Tor SOCKS interface and says, "connect me to hostname example.com on port N". It doesn't look up the IP address of "example.com" and *then* connect to it. Hidden services don't have IP addresses and DNS resolution isn't involved in routing connections to them.

So when I request to connect to example.com, that request goes all the way to the exit node, which then is supposed to do the DNS lookup? Again, this is impossible, as .onion domains would be bypassed.

I am a fan of DNSSEC and use it on my own domains. However, it wouldn't help on Tor as much as you think it would:

If you're visiting a non-SSL website, the web traffic can still be viewed and modified by a malicious exit node regardless of if DNSSEC is in use, so DNSSEC doesn't gain us anything here...

And if you're visiting an SSL secured website, a malicious exit node can't view/modify your traffic without triggering certificate alerts anyway regardless of the existence of DNSSEC.

And on top of this, they can route your traffic to whatever IP they want. So even if you get a DNSSEC signed response telling you to connect to IP address "a.b.c.d", they can still re-route your attempt to connect to "a.b.c.d" to whatever IP they want.

That all happens after the DNS lookup has taken place. That is not the issue I am raising, but it is concerning that it hasn't been thought of either.

DNSSEC and DNSCurve are completely different solutions for completely different problems and can be used independently or at the same time.

I don't think you've effectively said what the problem which you want addressing actually is.

First off, I don't trust DNSCurve, given that some algos of elliptic curve are proven compromised, and I don't care if DNSCurve doesn't use them. At this point all of elliptic curve is suspect until proven otherwise.

Second, it seems clear that no one so far understands the hazard of DNS Cache Poisoning. To put this in terms that everyone here believes, if an exit node does the DNS and is compromised or operating under the control of a malicious party, that party can subvert DNS requests to their own malicious websites and dupe login credentials and other key information from the requester. Here's more, although I know some here are too lazy to read it: https://en.wikipedia.org/wiki/Dns_cache_poisoning

For non-TOR use I have dnscrypt and unbound set up in a rotary, using resolvers of my choosing, all of which serve my DNS queries encrypted and signed, and they do not keep logs. -I- have chosen these resolvers and they are the most trustworthy that I can arrange at this time. How do I know they don't log? As Schnier says, you have to trust -someone-. If you spitball and poo poo every mechanism that comes along, you end up just letting everything go and turning over all your contacts, your emails, your searches, even your very voice calls to G**gle. I will choose Mom and Pop over G**gle or M$ anytime.

DNSSEC is an attempt to secure DNS from a wide-open vector of attack, which it seems to me that TOR is all too susceptible to. It is alarming to me that DNS cache poisoning hasn't been thought of here. It's thus probably being used. Hell, I'd use it.