On 12/19/2015 11:23 PM, Jesse V wrote:
Hey everyone,
This is an advisory for anyone running an exit node, but it also applies to any Linux setup where you don't trust your DNS server. TL;DR: this is a guide for switching unsecured DNS to DNSCrypt + Unbound, which prevents a network host from monitoring DNS lookups, thus increasing privacy for everyone using Tor.
A few weeks ago I set up some exits and I recently discovered that the host was using 8.8.8.8, Google's DNS, as a resolution service. As in, they had "nameserver 8.8.8.8" in /etc/resolv.conf. Convenient for them, but it meant that every request was sent to Google for resolution. This is bad because Google can then track DNS lookups and so can anyone watching unencrypted DNS as it travels across the country. In fact, DNS is specifically mentioned in the "Tor Sucks" NSA slides. Compounding this, most Linux boxes don't use a DNS cache, so literally every lookup was sent to Google; this didn't exactly inspire confidence.
After talking with cacahuatl, ncl, and pskosinski on IRC, I switched to DNSCrypt, a FOSS protocol that encrypts DNS lookups across the wire. I also set up the Unbound DNS cache, thus accelerating queries while also preventing the DNSCrypt server from observing every lookup. Then I redirected /etc/resolv.conf to use Unbound, which itself used DNSCrypt. This kept Google and my host from watching DNS lookups. Here's how I did it:
[snip]
At this point "host torproject.org" should work out of the box using DNSCrypt + Unbound and nobody but you and the DNSCrypt resolver can see your query. Be sure to review https://gist.github.com/Jesse-V/675b7ec87eca864887e6 to avoid any SERVFAIL headaches. Enjoy!
Tor relay operators should agree on a threat model, which effectively would be the whole Tor network's threat model. From the initial Tor design documents [1] we know for example that Tor does not try to protect from a "global passive adversary". We could/should elaborate on that.
Coming to your suggestion of running DNSCrypt on Tor relays: DNS is inherently problematic, being neither encrypted nor authenticated (okay, there is DNSSEC for authentication, but...). Using DNSCrypt will encrypt DNS queries and responses from your Tor relay to the DNSCrypt resolver.
From that point on you do not know and cannot control what the resolver is going to do with DNS queries. And you don't know if that resolver uses Google, or is compromised, or is malicious, etc.
So I would say that DNSCrypt basically protects you from the hosting provider of your Tor relay. And given the nature of the Tor network, its threat model, and the various available attacks on relays and users, I don't think there is a benefit to using DNS encryption against your ISP. Remember, your ISP is the one who routes your relay's traffic and can do all sorts of nasty things, e.g. traffic correlation.
On the other hand, I would say using a local DNS cache can increase both your relay's performance and perhaps offers a slight privacy gain to tor clients, given that a cached DNS response will be served directly to a tor client rather than querying an external resolver a second time.
Hope it makes sense, Cheers
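Two checks that follow from the thread above, written as an added example rather than anything posted by Jesse V or the reply author: first, an audit of /etc/resolv.conf for the situation described in the original mail (a non-loopback nameserver such as 8.8.8.8, meaning plaintext lookups leave the box instead of going through the local Unbound cache); second, a check of the Unbound forward configuration for the "do-not-query-localhost" setting, since Unbound by default refuses to forward to a loopback address and answers SERVFAIL, which is one common source of the SERVFAIL headaches mentioned. The file names, the port 40 for dnscrypt-proxy, and the config contents are constructed sample data, not the author's actual setup, and the script only reads files you point it at.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two checks for an
# Unbound -> dnscrypt-proxy setup. All files, ports and config contents
# below are constructed sample data, not the author's real configuration.

# Print every resolv.conf "nameserver" that is not a loopback address, i.e.
# every resolver that would receive plaintext queries straight from the relay.
# Exit status 0 when all resolvers are loopback, 1 when at least one is external.
leaking_nameservers() {
    sed -e 's/[#;].*$//' "$1" |
        awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2; n++ }
             END { exit (n > 0) }'
}

# Check an unbound.conf that forwards to a loopback address (where dnscrypt-proxy
# listens) for "do-not-query-localhost: no". Unbound will not send queries to
# loopback unless this is set, so the forward-zone fails with SERVFAIL.
# Exit status 0 when the config is fine (or forwards nowhere local), 1 otherwise.
unbound_forward_ok() {
    stripped=$(sed -e 's/#.*$//' "$1")
    # no loopback forwarder: nothing to check
    printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*(127\.|::1)' || return 0
    printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no'
}

# --- constructed sample files (assumed contents) -------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# what the hosting provider shipped: everything goes to Google in the clear
printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$SAMPLE_DIR/resolv-google.conf"
# after the switch: only the local Unbound listener
printf '# managed by hand, not resolvconf\nnameserver 127.0.0.1\noptions edns0\n' \
    > "$SAMPLE_DIR/resolv-local.conf"

# Unbound caching and forwarding everything to dnscrypt-proxy on 127.0.0.1
# port 40 (port assumed for the example).
cat > "$SAMPLE_DIR/unbound-good.conf" <<'EOF'
server:
    interface: 127.0.0.1
    do-not-query-localhost: no   # needed for the loopback forward-addr below
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40   # dnscrypt-proxy listening locally (assumed port)
EOF
# the same config minus that one setting: every lookup answers SERVFAIL
grep -v 'do-not-query-localhost' "$SAMPLE_DIR/unbound-good.conf" > "$SAMPLE_DIR/unbound-bad.conf"

for f in resolv-google.conf resolv-local.conf; do
    if leaks=$(leaking_nameservers "$SAMPLE_DIR/$f"); then
        echo "$f: all resolvers are loopback"
    else
        echo "$f: plaintext DNS would leave the box via:" $leaks
    fi
done

for f in unbound-good.conf unbound-bad.conf; do
    if unbound_forward_ok "$SAMPLE_DIR/$f"; then
        echo "$f: loopback forwarder is allowed"
    else
        echo "$f: forwards to loopback without do-not-query-localhost: no, expect SERVFAIL"
    fi
done
```

To audit a live relay, run `leaking_nameservers /etc/resolv.conf` and `unbound_forward_ok /etc/unbound/unbound.conf` (or wherever your distribution keeps them); a non-zero exit from the first means lookups are still leaving the machine unencrypted, exactly the condition the original mail describes.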