On Mon, Sep 01, 2014 at 10:56:30AM -0700, merc1984@xxxxxx wrote:

> Lol, first of all Copernicus, I have made no posts in that stackexchange
> thread. I do have the same concern though, as it is legitimate.
> Second, I believe all the answers there are wrong because an exit node
> could not resolve .onion addresses by the time a query gets there.
>
> I suspect that TOR DNS is TCP, and that relays can also resolve. But
> then, so far it seems that no one actually knows.

The exit nodes do the DNS requests. The client doesn't see an IP address. It connects to the Tor SOCKS interface and says, "connect me to hostname example.com on port N". It doesn't look up the IP address of "example.com" and *then* connect to it.

Hidden services don't have IP addresses and DNS resolution isn't involved in routing connections to them.

There is an exception to this. You *can* use the DNSPort option in your torrc and then your Tor client will expose a DNS server interface on a local UDP port of your choice. Your DNS requests which are sent to this interface are then forwarded over Tor to the Exit node which then looks them up on your behalf. It only works for A, AAAA and PTR records at the moment IIRC.

The vast majority of Tor users will not make any DNS requests over the Tor network. If you don't understand this, read up on how SOCKS works.

> To those whose skirts I've blown up about DNSSEC, you must not
> understand that what we have now is very susceptible to DNS Cache
> Poisoning.

I am a fan of DNSSEC and use it on my own domains. However, it wouldn't help on Tor as much as you think it would:

If you're visiting a non-SSL website, the web traffic can still be viewed and modified by a malicious exit node regardless of whether DNSSEC is in use, so DNSSEC doesn't gain us anything here... And if you're visiting an SSL secured website, a malicious exit node can't view/modify your traffic without triggering certificate alerts anyway regardless of the existence of DNSSEC.

And on top of this, they can route your traffic to whatever IP they want. So even if you get a DNSSEC signed response telling you to connect to IP address "a.b.c.d", they can still re-route your attempt to connect to "a.b.c.d" to whatever IP they want.

> This is a serious problem. And if you don't take this
> seriously, either you clearly do not understand the problem, or you are
> not telling us why it is not a problem.

Which problems will DNSSEC solve for Tor users?

> IDC if the solution is DNSSEC, DNSCurve, or Waltzing with DNS, but I say
> this is a serious problem that must be addressed.

DNSSEC and DNSCurve are completely different solutions for completely different problems and can be used independently or at the same time. I don't think you've effectively said what the problem which you want addressing actually is.

--
Mike Cardwell  https://grepular.com  https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
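The point about "connect me to hostname example.com on port N" is concrete at the wire level: in a SOCKS5 CONNECT request (RFC 1928) the destination can be sent as a domain name (ATYP 0x03), so the proxy, here the local Tor client and ultimately the exit node, is the one that resolves it, and the application never performs a DNS lookup itself. The following is an added example written for this thread, not code from the email or from the Tor project; it builds and parses the request bytes (the hostnames and the 192.0.2.10 TEST-NET address are constructed inputs) and flags the pattern a DNS-leak check looks for: an application that resolved the name itself and handed the proxy an IP literal. It also handles IPv6 literals, which the email does not discuss.

```python
import ipaddress
import struct

# SOCKS5 constants from RFC 1928, section 4.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_socks5_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request for `host:port`.

    A hostname is encoded as ATYP 0x03 (length-prefixed domain name) and
    sent to the proxy unresolved, which is what a Tor-aware client does.
    Only an IP literal is encoded as ATYP 0x01 (IPv4) or 0x04 (IPv6).
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: leave resolution to the proxy.
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_connect(data: bytes):
    """Parse a CONNECT request as the proxy sees it; returns (atyp, host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        rest = data[5 + n:]
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(data[4:8]))
        rest = data[8:]
    elif atyp == ATYP_IPV6:
        host = str(ipaddress.IPv6Address(data[4:20]))
        rest = data[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", rest)
    return atyp, host, port


def client_resolved_locally(request: bytes) -> bool:
    """True if the request carries an IP instead of a hostname.

    That is the DNS-leak pattern: the application looked the name up
    through the system resolver before talking to the proxy. (Plain SOCKS4
    has no hostname form at all; SOCKS4a and SOCKS5 do.)
    """
    atyp, _, _ = parse_socks5_connect(request)
    return atyp != ATYP_DOMAIN


if __name__ == "__main__":
    # Constructed inputs: a hostname and a TEST-NET-1 address.
    for host in ("example.com", "192.0.2.10", "2001:db8::1"):
        req = build_socks5_connect(host, 443)
        print(host, req.hex(), "resolved locally:", client_resolved_locally(req))
```

Run against real traffic, the same check is the one a defender applies to a SOCKS proxy's inbound requests (or to a capture between application and Tor client): every CONNECT that arrives with ATYP 0x01/0x04 for a site the user typed as a name means a resolver query already left the machine outside Tor.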
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev