[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] DNSSEC validation over Tor with unbound&socat (Linux alpha howto)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] DNSSEC validation over Tor with unbound&socat (Linux alpha howto)
From: Ondrej Mikle <ondrej.mikle@xxxxxxxxx>
Date: Sat, 14 Jan 2012 07:44:14 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 14 Jan 2012 01:44:35 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=82zaxIbxaEMFw2AD2S4Jcq+UOVupDYx+tJQ3J3Hyn+I=; b=atMHlH7/70spLv74iuI+oh6g5MTyk9HI5yTjG99HvIy/CgFK17BHN6JV69ECJUfhry nPSIgP4JwQiPrWT9LfBTxY/6QJjpuepY2HFCu0sjyao5R6YzDMv46YCtTHPmlDTyPh3n X54KxrOsW+pFLAO/SlaRpv7ncZEtwT/8cQ0+o=
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1

Hi,

after a reviewer wrote on addons.mozilla.org that DNSSEC Validator add-on leaksDNS (because it does direct queries), I've been looking how to hack around SOCKSand Tor resolver deficiencies.

I've tried ttdnsd first, but it did not get along well with unbound (unbound wascomplaining about bad packets). After trying couple other tunneling tools,finally socat did the trick.


Here's the howto:

https://labs.nic.cz/page/993/dnssec-validation-over-tor--linux-/

Unfortunately, the original objective of fixing DNSSEC Validator add-on to notleak DNS queries did not 100% succeed. Firefox has"@mozilla.org/network/dns-service;1" API which will leak DNS even if"network.proxy.socks_remote_dns" is set to true.

If I understand it correctly, it's because in SOCKS5 protocol one can specifyFQDN of host to connect to, but can't perform the "simple DNS query" itself.Thus there is no way to fix the FF API (short of setting torified resolver in/etc/resolv.conf or some LD_PRELOAD hacks to use torified resolver).

DNSSEC Validator add-on needs the mentioned dns-service FF API to check if IPsseen by FF are the same as IPs in signed/validated response.

I've noticed FireFTP and FireSSH devs fixed some (similar?) DNS-leak issues.I've checked their git repos in case I could use their fixes, but the fixes seemnot to have been pushed out publicly yet.

So if anyone has an idea how to work around the dns-service API, that would begreat.



Ondrej
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] (solved) "Invalid Server Certificate" accessing torproject.org on Chrome/Windows
Next by Author: Re: [tor-talk] How to install tor in Linux just as secure as tor-browser-bundle ?
Previous by thread: Re: [tor-talk] How to make 100.000 bridge?
Next by thread: [tor-talk] SOPA will be discussed in Congress Jan, 18
Index(es):
- Author
- Thread