[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Support for full DNS resolution and DNSSEC validation



On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
> > I can not really say anything about how this design compares to
> > other
> > approaches, since I don't know how I can setup meaningful test
> > scenarios to compare them. 
> 
> Do we really need test setups to discuss protocol designs 
> and compare protocols with a common threat model if specs for the
> protocols are available? 
> 

I think it depends on the context. However, if you want to neglect the
context you can just compare plain DNS employing DNSSEC (authenticity
and integrity) to DoH / DoT (confidentiality). There are quite a few
comparisons out there, e.g.: [1]. 

[1] 
https://blog.circuitsofimagination.com/2018/11/08/dns-o-t-dnssec-dns-o-h.html

> > However, I would appreciate if you could
> > share how to setup such test environments. 
> 
> take your preferred DoT client implementation that supports the
> strict profile (RFC8310)
> or your preferred DoH implementation and route it over tor to your
> resolver of choice.
> 

If you put it like this, then the proposed design would save the
required TLS / HTTPS handshake you have in DoT / DoH and would add
authenticity and integrity verification of DNS responses. However, the
confidentiality you get with DoH / DoT (at the exit realy, which may
not even be necessary?) would be missing.

> 
> _______________________________________________
> tor-dev mailing list
> tor-dev@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev