[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- To: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
- From: nusenu <nusenu-lists@xxxxxxxxxx>
- Date: Sun, 24 May 2020 19:01:19 +0200
- Autocrypt: addr=nusenu-lists@xxxxxxxxxx; prefer-encrypt=mutual; keydata= mQINBFj53gUBEADYKwT0pW1yiqt6UReZW8T2nXVCyeVT2G6z7AvW69afp82uthRH237pQ7Qs 5vq91DivN6fGN6cVksp0N9Yv+5HEQAwUxpLfcNDcGzmHMd0JMItEtozGv3a4FuiUoHAqeGXM 6Kzi3v5F2PZGF+U4QaGKEZq6u50gO/ZFy4GfC9z9tsO6Cm7s7KldVHMGx/a0MEGMwh6ZI9x2 hGXSSAKu58KRUkEpHzDiQTj+/j58ndNfZRQv6P5BLppHADRPqwEOm4RQcQYskyM0FdKXbJ8E 5GW268meflfv2BASsl3X/Xqxp+LNrstXIbFZ+38hVlQDDmdvaASpPTzIAxf8FxMYZqI+K1UE kP5nU45q84KiZoXwT6YYJDKToLSDnYkKlsrCSnLkE3Nb/IexgNoYO4nE6lT9BDV3athQCWw1 FwB5idRYWnIqbVgUFgYZDUdZBJmeTEeI+Wn5hFz6HvFVc/+haMVTcoEKSkG/tsSGsKOc2mp6 z+71io9JWrVQGmw7OeZeE4TvkF9GhwS8jrKO4E0crfcT/zT6368PZCO6Wpir8+po/ZfOWbbh 1hi3MxmXn4Fki55Zrvhy3sf28U+H/nByQV4CssYv/xVhIZsN/wNQLcDLgVs4JTBUik8eQR0Y Qrq9lG3ZVtbpEi7ZTJ6BOGIn2TKHsVIVGSQA0PdKpKYV45Lc4QARAQABtCBudXNlbnUgPG51 c2VudS1saXN0c0ByaXNldXAubmV0PokCVAQTAQgAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIe AQIXgBYhBJaQzx+7tCmFlU3yu61hOMJFzUJ+BQJevydnBQkGspdiAAoJEK1hOMJFzUJ+oh4P /R+cSCszon9qrG2JaUSEaDVOTTJ8idR7Q2QEzumD9QCmvBxxZaSd/l53Koebm6Y6DQ3/bw3D +SSy6vwvpWBpBMBI0MGDvNLUUUgW8FlPxOXYkPItdvjbLYcEjYCyOOXB63b2OUx3KAdPScwI FIvm2QAwILQf2BwrNglWoDVH9HKBGp8nkQg2co08/HxkJ/19CkXpEa3CGCV7yo059bIJr7+S OLxKlLiyzDRK7dyIN/wL+ZJwBORzQ7F8JiHGzIK5XAMeDe4ehnLDd1AaTvTDPGlaUlrFxvQd FjPCZXVWH1QFCWLveZI2cCkPW2Nbv0FtuqWhSyFpNX+Fyo46JDw2VqIdNmLdm1lxYnxNBLzp aefgzU6yYyPy1u5mAjm5llqzNpNmxbVyGSeBRbxXiR7RmP2PKiiQds2OmXhMa/fcEc2l4i63 lEOquOfnBbTmw5p8fdTeE4aIgv6eVR1O1sL+ZWQaqxR8ssfYIehYoxzMkLwDPyWfjLEK2rg9 ujH+3rHAraHYggcDgvsPNRQ7tM0iLtFB+/g5GbPQsRutZR4oxTujwglp+4BdFZZQZmR2ONSk g/k01IMToD/mDWP9KQQ5qqAO+97rsBoJAES40JxEV6PtHA55kUglGYdLV39CV0Iq6B9OF7jC dezf7e+LVK9NHpmxkQ1cxGv1KE2ElLTBLHfFuQINBFj53gUBEADAlnpTtRPy4HVYJ8srcA5H VZr1vM4CCGVNHhZdscHhqNAobv8XO5331ufAPRXf8A5XP9JsYPId77scy93UDQuXg2DIfo6n FjvA7AJcBhMBtxcukzt4pOOOxv0D1cbcVwga+NzLvo6Rp7CqGIAFpKGVK0Rhw+RG6wdm55xe 0Kd8KMkqKFT+SKdakE72BjpKsXYoULBp5LivftutdD3Ly7LeBnXrxAW4hrkAp8vSvlg3eThK 01IDanln+m59Zcw3cHTdAL7d+Kt6LPd2KeUcrpeNRbyhZJ03EmF7FP+VTD56mKw25ZNCu7Ls 8P4d6iFgZeqOCCY9SJZzXvVJ7BvZ/wcIdWIcx57xBeqj8tJGRhWu2zHQdRIwqxVA6Zr+7YHL Te5yugiRAlBB+pfdikrWLcSlQ7YvT+YTxSkG9SbW+uy3ngQXKbi1g0lOP2t5V98UqHZxzOY9 U3mjy/dGt1MX3qYa1xv0QlsZXjbvtkQupSym+IQFfKepTfJnjwmEhYePbb+FrpN4GlqlhkM4 nyV4953wTfgn8ZgTZheXrkuGlcAq9bM7cqIHIYzKxv0uLrOpn38FhC2DkIDpDw6jukHEriKI MfcZfZa/KaYuho4Gk5ohh28qvf19qMSbN9uDtN1kpfGqnYoOtvDu9QksPKuY9anEfKEoci3O iLVjn3DNhKreHQARAQABiQI8BBgBCAAmAhsMFiEElpDPH7u0KYWVTfK7rWE4wkXNQn4FAl6/ J2sFCQayl2YACgkQrWE4wkXNQn5+RhAAkdSze4EXa+GHsdKqv+JSIgpflI0uT5SDxycGUyL2 p76AuHl7+P/tQK+4gzV0eRpdCuDfYI8BTDmaBXSA+acNofrhWtYC4VcgsxeqNjTzBJXCTgb+ /Y8ba0Z0ggDEfsH4TSOnt6yYLheVxy6OYddghg/woPnCiImz/Y7fhSiCRugG1N/+5euCevuy wWSmMLUuqGAxN9MHE2NUsWJMFdFRFT2jdFMusk+T+rwr2OB2bu7Vma0uweu2nG2lHB1QYUu5 llQXbkUPy9z5SUXvTWZQkMbeQigrAXpfO7Jov++TAelNAPY0hZQQ9Ou8wrLvZA7fLNB6Apgu Pdi2l9OkRMROsMNYuh0h2oQ6KCXx50HQ5sbaceFRkzk8g0KphPrLOsL2jZEk4nNdZxoL3nW9 2zWJfRbq8LfJktO4UP1MwIBrnoM9aj2ooBf8Vn0VKaacfJrd2iWjktDDOJigWIUEBCvJoxkF x5IFj8igcHVQgZumYqgg1FOF3vSozDAskASuqdb8Cv5mkfd+3KXYGEAHgW7hOJhJwBWwx0UC v+bXsPEQJsJ+atq5k4/Dox7sNdUxoaGSv3NmK+4uvmEdbIT/zGl1rTtHnfot8yEULF7Em2ia /qG+Sp2fbPeSxeHUqhLTu1jComXEZv59HnNhlcJeAxKFXoiAFCFV4XbKdVG2bKh434c=
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Sun, 24 May 2020 13:01:46 -0400
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1590339691; bh=lROp/OaTiJuEBgVc13qNrHTGy9rem9tvlzK/6xaFw00=; h=To:References:From:Subject:Date:In-Reply-To:From; b=XThzPaw3tsSwN/GRKC6Rb81rMMAE9v0eRQ3TGVQW8+fRVMCStSwPEZvuavOipTA7B kxGB8GPEEfYdON4aacgryVUoAqeAanTruCjr9D2gETPklPD9J/B6n5JGSy6yJvT1em HGIwyXrzhqjGOgVmeZtGQpFhajq5BPVPzfcpG7Qw=
- In-reply-to: <ec5a8c3514766eff328cd44756519e661da68353.camel@gmail.com>
- List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
- List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
- List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
- List-post: <mailto:tor-dev@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
- References: <2c459db33cb48d1ff9116f98e15ff6af7ca8dc1a.camel@gmail.com> <20200515152944.c2up4hxh3y76vizx@localhost> <5e3a3a2e-7d23-0976-a213-d55f25c1f2a5@riseup.net> <ec5a8c3514766eff328cd44756519e661da68353.camel@gmail.com>
- Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>
Christian Hofer:
> On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote:
>> Alexander Færøy:
>>> I wonder if it would make more sense to have an onion-aware
>>> DNSSEC-enabled resolver *outside* of the Tor binary and have a way
>>> for
>>> Tor to query an external tool for DNS lookups.
>>
>> I'm also in favor of this approach,
>> and you can do this today with no code changes to tor at all.
>>
>> CF demonstrated it even before DoH/RFC8484 was finalized:
>> https://blog.cloudflare.com/welcome-hidden-resolver/
>>
>
> Do you have DNSSEC validation in this approach?
That is up to you. If you use a stub resolver that has DNSSEC support (like
stubby) you have DNSSEC validation.
>> + 1 for DoT and DoH over tor, especially due to the DoH
>> implementation that is
>> available in firefox (it would still require work on stream isolation
>> and caching
>> risks to ensure the usual first party isolation).
>> In terms of achieving a big improvement on tor browser users in the
>> context of DNS
>> this would be the most effective path to spend coding resources on in
>> my opinion.
>>
>>
>
> It seems that Firefox's DoH implementation does not employ DNSSEC
> validation, see [2]. They trust CF doing it for them. Be careful here.
I'm aware that firefox does not perform DNSSEC validation. I don't think
the tor project would enable DNSSEC in Tor Browser without a good use-case or a (future) TLS extensions solving
the latency issue. Since DANE for HTTPS does not appear to be a thing and there is no DANE support in firefox
I'm also wondering about the specific use-cases for DNSSEC in Tor Browser.
> Furthermore, there are privacy concerns about additional metadata
> regarding the use of DoH (agent headers,
solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1543201
> language settings,
solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1544724
> and cookies)
I don't think firefox sends cookies in DoH requests.
I'm still curious about the underlying threat model and use-cases (my first questions in this thread),
since that would help with trying to understand what you are trying to achieve.
kind regards,
nusenu
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev