
Re: [tor-talk] unbound, ttdnsd and DNSPort config


Anders Sundman wrote (06 Jun 2011 14:24:12 GMT) :
> Used individually, the addr directives work fine and resolve using
> their respective mechanism. Used together, it looks like ttdnsd
> never gets a chance after tor has failed (e.g. when resolving a SRV
> or MX record).

> Any ideas?

I've just had a look, by attempting to implement the same in Tails
(i.e. query the Tor resolver first, and fall back to ttdnsd in case the
former is not able to answer the query) as we have planned to do for quite
some time. I've seen the same results as you have, using the DNS
frontend caching proxy Tails already ships (pdnsd) instead of unbound.

A few dig commands taught me that the Tor resolver sends an empty
reply (status: NOERROR, QUERY: 1, ANSWER: 0) rather than an error when
it does not support the type of the query (e.g. MX). The obvious
consequence of this is: the caching frontend DNS proxy (be it unbound,
pdnsd or whatever) has no way to know it should fall back to
ttdnsd in such a case, and it actually never does so, which confirms
what you've observed in the first place.

=> In the current state of the Tor DNS resolver, we're forced to use
ttdnsd by default, and only use the Tor resolver for .onion/.exit...
unless I missed something.

So I'm curious what the rationale for the "empty reply" behavior is.
Any ideas?

  intrigeri <intrigeri@xxxxxxxx>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | Then we'll come from the shadows.
tor-talk mailing list
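An added illustration of the "empty reply" problem described in the thread (example code written for this page, not from intrigeri's mail, Tails, Tor or ttdnsd): it hand-builds minimal DNS wire-format replies of the two kinds discussed (NOERROR with ANSWER: 0 versus a real error rcode) and shows why a frontend that only falls back on a non-NOERROR rcode never retries the MX query, while the alternative policy `fallback_on_empty` (a hypothetical name) cannot distinguish an unsupported-type reply from a genuine NODATA answer. The packets, names and addresses are constructed sample data.

```python
# Added example (not from the original mail): models how a caching DNS frontend
# such as unbound or pdnsd sees the two kinds of reply discussed in the thread,
# using hand-built wire-format packets (layout per RFC 1035, section 4.1).
import struct

QTYPE = {1: "A", 15: "MX", 33: "SRV"}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_reply(qname, qtype, rcode=0, answers=()):
    """Construct a minimal DNS response (constructed sample data, not a capture)."""
    flags = 0x8000 | (rcode & 0xF)  # QR=1 (response); RD/RA left clear for brevity
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    rrs = b""
    for rdata in answers:
        # 0xC00C = compression pointer to offset 12 (the question name); TTL 300, class IN
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def classify(reply):
    """Look only at the header fields a caching frontend inspects first."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = RCODE.get(flags & 0xF, "OTHER")
    if rcode != "NOERROR":
        return "error"
    return "empty" if ancount == 0 else "answered"


def naive_fallback(reply):
    """Behaviour observed in the thread: only a non-NOERROR rcode triggers fallback,
    so the Tor resolver's NOERROR/ANSWER:0 reply for MX is served as a final answer."""
    return classify(reply) == "error"


def fallback_on_empty(reply, qtype):
    """Hypothetical policy: also retry when NOERROR carries no answer for a type the
    Tor resolver is known not to handle. Caveat: at the wire level this reply is
    indistinguishable from a genuine NODATA answer, so it would also retry those."""
    verdict = classify(reply)
    return verdict == "error" or (verdict == "empty" and QTYPE.get(qtype) in ("MX", "SRV"))
```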