Re: Exit enclaves and FQDNs

On Wed, Sep 26, 2007 at 01:17:34AM -0400, Gregory Maxwell wrote:
> I'm working on setting up a number of nodes as exit enclaves. If I use
> a normal socks4 client (resulting in local DNS resolution) it works
> exactly as I would expect: All traffic to the exit host uses the exit
> host local tor node.

Right. But you don't really want to use your local DNS servers for
queries, because that's really bad for your anonymity.

But notice the new DNSPort feature -- if somebody figures out how to
bundle/configure it conveniently, it might grow in popularity a lot,
and it may do what you want:

> If instead I use a client with privoxy and socks4a with DNS resolution
> performed via tor I find that the *first* request to the FQDN of my
> exit host uses some random exit. After that my tor client appears to
> have cached the result and all further http accesses are via the local
> exit.

Exactly so.

For those following along at home, you can read more about the "enclave"
design at

> Because this first request doesn't use the exit enclave it
> reintroduces a loss of end-to-end encryption and risk of malicious
> exits. While one connection isn't so bad... for http a malicious exit
> could respond with a redirect to a proxy they control.
> Am I missing some aspect of the configuration which removes this vulnerability?

Alas, that's about right. It was the best compromise I could come up with:
we didn't want to always do a round-trip first just in case it matched
an enclave -- and in any case, even if we did, the vulnerability you
mention where the first guy you pick lies to you would remain.

Do you know of any decentralized secure cheat-proof way of turning
FQDNs into IP addresses? Sounds like we want DNSSEC or whatever the
latest craze is called.
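
A toy Python model of the exit selection discussed in this thread, added here as an illustration; it is not part of either message and is not Tor's code. The class names, hostname and addresses are constructed, and the injected `pick_random` stands in for random exit selection so the run is deterministic.

```python
# Toy model of the client behaviour described in this thread; not Tor source code.
import ipaddress

class Exit:
    def __init__(self, name, enclave_ip=None, dns_view=None):
        self.name = name
        self.enclave_ip = enclave_ip      # set when this relay exits to its own host
        self.dns_view = dns_view or {}    # what this exit says a name resolves to

    def connect(self, target):
        # The client cannot verify the address an exit reports back.
        return self.dns_view.get(target, target)

def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

class Client:
    def __init__(self, exits, pick_random):
        self.exits = exits
        self.pick_random = pick_random    # injected so the run is deterministic
        self.addr_cache = {}              # hostname -> address reported by an exit

    def request(self, dest):
        target = self.addr_cache.get(dest, dest)
        enclave = next((e for e in self.exits if e.enclave_ip == target), None)
        # An enclave can only be matched once the destination is a known IP address.
        exit_ = enclave if is_ip(target) and enclave else self.pick_random(self.exits)
        reported = exit_.connect(target)
        if not is_ip(dest):
            self.addr_cache[dest] = reported
        return exit_.name

# Constructed sample data: documentation-range addresses and a made-up hostname.
HOST, REAL_IP = "enclave.example", "192.0.2.10"
ENCLAVE = Exit("enclave", enclave_ip=REAL_IP)
HONEST = Exit("random-honest", dns_view={HOST: REAL_IP})
LYING = Exit("random-lying", dns_view={HOST: "198.51.100.66"})

def trace(first_exit, dest, n=3):
    client = Client([ENCLAVE, HONEST, LYING], pick_random=lambda exits: first_exit)
    return [client.request(dest) for _ in range(n)]

if __name__ == "__main__":
    print(trace(HONEST, REAL_IP))   # client already has the IP (local resolution)
    print(trace(HONEST, HOST))      # name resolved via the first exit
    print(trace(LYING, HOST))       # first exit reports a wrong address
```

The third trace never reaches the enclave, because the cached address is whatever the first exit reported.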