
Re: [tor-talk] TAILS uses one DNS server from OpenDNS **WARNING **



On 10/27/2013 2:06 PM, Ted Smith wrote:
> On Sun, 2013-10-27 at 03:41 -0400, Michael Wolf wrote:
>> On 10/27/2013 12:15 AM, communicationsystem@xxxxxxxxxxxxx wrote:
>>> Tails uses one DNS server from OpenDNS.
>>>      
>>> What prevents a malicious party from signing up exit nodes at OpenDNS and logging traffic, blocking content, and/or redirecting traffic?
>>
>> Assuming the malicious party runs the exit node, what prevents them from
>> doing any of these things anyway?
> 
> OpenDNS authenticates by IP, so anyone using the exit node can change
> the OpenDNS settings if the exit node operator hasn't made an account. 
> 
> The exit node operator can do all of those things, but anyone using Tor
> can do them with OpenDNS.
> 

But, unless something has changed, Tor doesn't use the local client's
DNS resolvers, the exit node uses its own resolvers:

https://lists.torproject.org/pipermail/tor-talk/2010-July/010095.html

"Section 6.2 of the tor-spec.txt[5] outlines the method for connecting
to a specific host by name. Specifically, the Tor client creates a
RELAY_BEGIN cell that includes the DNS host name. This is transported
to the edge of a given circuit. The exit node at the end of the circuit
does all of the heavy lifting, it performs the name resolution directly
with the exit node's system resolver.

If all goes well, the exit node will respond with a RELAY_CONNECTED
cell. If successful the payload of this cell will include the IPv4
address for the host name. In theory, it may include an IPv6 address."

Once upon a time, Tails used ttdnsd for resolving DNS, which would have
used ttdnsd's resolvers.  This changed as of Tails 0.13:

https://tails.boum.org/contribute/design/Tor_enforcement/DNS/ttdnsd_broken/

That last document explains that ttdnsd is still installed, configured,
and running, but it is not part of the 'normal DNS resolution loop'.  It
also mentions why OpenDNS was chosen (Google's DNS server started
blocking connections from Tor).

If it is actually possible for an anonymous user to set up an OpenDNS
account on behalf of an exit relay, the warning here should be that exit
relays should never use OpenDNS (unless they preemptively set up an
account).  Except in rare cases, the client's settings do not matter.
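Since the whole question turns on which machine resolves the name, here is a small added model of the RELAY_BEGIN / RELAY_CONNECTED exchange quoted above (example code written for this thread, not Tor's implementation or anything from Tails). The payload layouts follow section 6.2 of tor-spec as I read it (ADDRPORT as "host:port", a NUL, then 4 bytes of FLAGS; the reply is IPv4 address plus TTL, or four zero bytes, address type 6, an IPv6 address and TTL); the FLAGS bit name, the resolver tables, hostnames and addresses are all constructed for the example.

```python
"""Model of how a hostname travels through a Tor circuit (tor-spec section 6.2).

Added illustration, not Tor's code: cell layouts follow the RELAY_BEGIN and
RELAY_CONNECTED descriptions in tor-spec as the example's author reads them.
"""
import ipaddress
import struct

# FLAGS bit in RELAY_BEGIN that permits an IPv6 answer (assumed from tor-spec).
IPV6_OKAY = 0x01


def build_relay_begin(hostname, port, flags=0):
    """Client side: the hostname goes into the cell unresolved."""
    addrport = f"{hostname}:{port}".encode("ascii")
    return addrport + b"\x00" + struct.pack(">I", flags)


def parse_relay_begin(payload):
    """Exit side: recover (host, port, flags) from the cell payload."""
    addrport, sep, rest = payload.partition(b"\x00")
    if not sep or len(rest) < 4:
        raise ValueError("malformed RELAY_BEGIN payload")
    host, _, port = addrport.decode("ascii").rpartition(":")
    return host.strip("[]"), int(port), struct.unpack(">I", rest[:4])[0]


def build_relay_connected(address, ttl):
    """Exit side: IPv4 is addr+TTL; IPv6 is 4 zero bytes, type 6, addr, TTL."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ip.packed + struct.pack(">I", ttl)
    return b"\x00" * 4 + b"\x06" + ip.packed + struct.pack(">I", ttl)


def parse_relay_connected(payload):
    """Client side: the answer arrives as raw bytes; no local lookup happens."""
    if len(payload) >= 8 and payload[:4] != b"\x00" * 4:
        addr = str(ipaddress.IPv4Address(payload[:4]))
        return addr, struct.unpack(">I", payload[4:8])[0]
    if len(payload) >= 25 and payload[4] == 6:
        addr = str(ipaddress.IPv6Address(payload[5:21]))
        return addr, struct.unpack(">I", payload[21:25])[0]
    raise ValueError("malformed RELAY_CONNECTED payload")


# Constructed tables standing in for each host's system resolver.
CLIENT_RESOLVER = {"example.com": ("203.0.113.99", 60)}      # what Tails' resolv.conf would give
EXIT_RESOLVER = {                                             # what the exit's resolver gives
    "example.com": ("192.0.2.10", 300),
    "ipv6.example.net": ("2001:db8::1", 120),
}


def exit_handle_begin(begin_payload, resolver=EXIT_RESOLVER):
    """Exit side: resolve with the exit's own resolver and answer RELAY_CONNECTED."""
    host, _port, flags = parse_relay_begin(begin_payload)
    if host not in resolver:
        # Tor would answer with a RELAY_END cell here; modelled as an exception.
        raise LookupError(f"RELAY_END: exit could not resolve {host}")
    address, ttl = resolver[host]
    if ipaddress.ip_address(address).version == 6 and not flags & IPV6_OKAY:
        raise LookupError("RELAY_END: only an IPv6 answer and FLAGS forbid it")
    return build_relay_connected(address, ttl)


def client_connect(hostname, port, flags=0):
    """Whole exchange from the client's view. CLIENT_RESOLVER is never consulted."""
    begin = build_relay_begin(hostname, port, flags)
    connected = exit_handle_begin(begin)
    return parse_relay_connected(connected)


if __name__ == "__main__":
    print(client_connect("example.com", 443))
    print(client_connect("ipv6.example.net", 443, IPV6_OKAY))
```

Run it and the client gets the exit's answer (192.0.2.10) rather than what its own resolver table says (203.0.113.99): whatever resolvers the client box has configured, the name never reaches them. That is why the relevant operator here is the exit, not the Tails user.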





-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk