[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor and DNS attacks

Yes, tor ships with the keys for the main authorities - so long as
your tor distribution is verified, those keys are correct and you will
verify the authorities (which are the most important part). Beyond
that, the consensus system works to verify every other key by checking
that a majority of sources will return the same answer (i.e. the same
descriptor for a node).

That said, cache poisoning is still an issue for relayed
communications and all sorts of other things on the machine (including
getting the tor binaries themselves.. this is what gpg is for :P), so
I agree that it is very important for operators to ensure that they
are protected against these attacks.

  - John Brooks

On Thu, Nov 13, 2008 at 12:37 PM, Sven Anderson <sven@xxxxxxxxxxx> wrote:
> Hi,
> I just wondered if Tor might be vulnerable to DNS attacks during the
> bootstrapping phase? Is there a public key of a directory server included in
> all the Tor download packages to secure the initial contact to the directory
> servers?
> I also want to emphasize again that everybody, but especially Tor node
> operators, should check that he/she is not vulnerable to DNS cache
> poisoning, for example by visiting this website:
> http://member.dnsstuff.com/tools/vu800113.php
> or by querying the TXT record of the domain porttest.dns-oarc.net with a
> command like 'host -t TXT porttest.dns-oarc.net'.
> Sven