On 10/27/2013 2:06 PM, Ted Smith wrote:
> On Sun, 2013-10-27 at 03:41 -0400, Michael Wolf wrote:
>> On 10/27/2013 12:15 AM, communicationsystem@xxxxxxxxxxxxx wrote:
>>> Tails uses one DNS server from OpenDNS.
>>>
>>> What prevents a malicious party from signing up exit nodes at OpenDNS and logging traffic, blocking content, and/or redirecting traffic?
>>
>> Assuming the malicious party runs the exit node, what prevents them from doing any of these things anyway?
>
> OpenDNS authenticates by IP, so anyone using the exit node can change the OpenDNS settings if the exit node operator hasn't made an account.
>
> The exit node operator can do all of those things, but anyone using Tor can do them with OpenDNS.

But, unless something has changed, Tor doesn't use the local client's DNS resolvers; the exit node uses its own resolvers:

https://lists.torproject.org/pipermail/tor-talk/2010-July/010095.html

"Section 6.2 of the tor-spec.txt[5] outlines the method for connecting to a specific host by name. Specifically, the Tor client creates a RELAY_BEGIN cell that includes the DNS host name. This is transported to the edge of a given circuit. The exit node at the end of the circuit does all of the heavy lifting, it performs the name resolution directly with the exit node's system resolver. If all goes well, the exit node will respond with a RELAY_CONNECTED cell. If successful the payload of this cell will include the IPv4 address for the host name. In theory, it may include an IPv6 address."

Once upon a time, Tails used ttdnsd for resolving DNS, which would have used ttdnsd's resolvers. This changed as of Tails 0.13:

https://tails.boum.org/contribute/design/Tor_enforcement/DNS/ttdnsd_broken/

That last document explains that ttdnsd is still installed, configured, and running, but it is not part of the 'normal DNS resolution loop'. It also mentions why OpenDNS was chosen (Google's DNS server started blocking connections from Tor).
If it is actually possible for an anonymous user to set up an OpenDNS account on behalf of an exit relay, the warning here should be that exit relays should never use OpenDNS (unless they preemptively set up an account). Except in rare cases, the client's settings do not matter.
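Added example, not part of the thread: the quoted RELAY_BEGIN description means a well-behaved Tor client hands the hostname to tor's SOCKS port unresolved, so the client's resolver settings never come into play. The helper below builds that SOCKS5 CONNECT request and classifies a captured one, flagging requests that carry a literal IP (the application resolved the name locally, which is the "rare case" where client DNS matters). Function names, the 192.0.2.x sample addresses and the hypothetical port are constructed for this example.

```python
import ipaddress
import struct

# SOCKS5 constants (RFC 1928). Tor's SOCKS port speaks this protocol and
# forwards a domain-name target to the exit inside a RELAY_BEGIN cell.
SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request for `target`.

    A hostname is sent as ATYP 3 (domain name), leaving resolution to the
    Tor exit; an IP literal is sent as ATYP 1/4, which is what a client
    that resolved the name itself would emit."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 (1-byte length)")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        body = bytes([atyp]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + body + struct.pack("!H", port)


def classify_connect(req: bytes) -> str:
    """Inspect a SOCKS5 CONNECT request (e.g. from a capture on the SOCKS port).

    'remote-dns': the request carries a hostname, so the exit resolves it.
    'local-dns' : the request carries a literal IP, so the application most
                  likely used the client's own resolver first (a DNS leak)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        return "remote-dns"
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        return "local-dns"
    raise ValueError(f"unknown SOCKS5 address type {atyp}")
```

Applications that use the "socks5h" or "socks4a" proxy variants produce the first form; plain "socks5" proxying often produces the second.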
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx