[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators
From: Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx>
Date: Tue, 12 Sep 2017 23:18:34 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 12 Sep 2017 17:18:56 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=monksofcool.net; s=bravo; t=1505251115; bh=MOg55xhUzgjWwClYZC7zWsX3faA+3keQ4kfk+laxBrc=; h=Subject:To:References:From:Message-ID:Date:User-Agent:In-Reply-To: Content-Type:Content-Language; b=QlBBNs9RUfsntyfd6HdRG7Sn5fWkyzabwLtmEXPVBr+6yzs/PCpoVvGU30lN4A6MY 9QjSUKH9wAmDHezOdp7W0FghKDW3v4W3ddeytbXrlyQofoIPCapXwqlxBaFVPJTEBK Eu1+Z9PrUvusga1xzCvNvzr5CO1Vh8Wim7QqBJ0HTca6/drCEi9NQyjvmXOwhOuBex mdUlVRoSf88PCo1XjNKQ6/3JlZ/lAv65qbz6xiFEoZM3zJaux6Xdo96YUUFFsrZh+N 54h2MWyS9F/kGCkMPADRs0hnBFir47kqwoUr0XmEmjUairjZg0uY2z/9oEen3KexRN eLPKlNSv/UCIg==
In-reply-to: <1375812826.1766493.1505250057679.JavaMail.zimbra@laposte.net>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <1375812826.1766493.1505250057679.JavaMail.zimbra@laposte.net>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 12.09.17 23:00, jpmvtd261@xxxxxxxxxxx wrote:

> An attacker can try to find what websites a Tor user has visited, by
> comparing :
> - the timing of Tor user home connection traffic and
> - the timing of DNS queries happening on DNS servers controlled by the attacker

I'm aware of that. With a caching resolver running on the exit node, the
only "DNS servers controlled by the attacker" would have to be upstream,
the ones required to resolve what the Tor client requested in the first
place. Your idea of query noise does not mitigate the risk of upstream
DNS servers being taken over or monitored by an attacker. I run redundant
DNS servers which host all of my domains (which are DNSSEC signed), and
caching resolvers on all my Tor nodes. That's tough to mess with.

The problem is that people don't always run their own exit-node based
resolvers, but forward to Google's infamous 8.8.8.8 et al. People should
at the very least check if their respective ISP runs caching resolvers,
which most do to reduce traffic.

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators
  - From: jpmvtd261

Prev by Author: [tor-relays] Rate setting in tor
Next by Author: Re: [tor-relays] Would you also like to have family-level atlas pages?
Previous by thread: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators
Next by thread: [tor-relays] Two-step abuse management?
Index(es):
- Author
- Thread