
Re: [tor-dev] Support for full DNS resolution and DNSSEC validation
On Tue, 2020-06-09 at 23:54 +0200, nusenu wrote:
> > However, thinking about it, DNSSEC might be useful for caching DNS
> > records on the client side.
> 
> caching has privacy implications and is therefore a risk.
> 

So you are saying that caching is not an option in any case, right? Can
I kindly ask you to elaborate on this? You don't have to write a long
answer. A link pointing me to the answer would be more than enough. I
just want to understand the reason behind this.

> > > My vision for DNS privacy in Tor Browser:
> > > Be able to visit an HTTPS website without the exit relay learning
> > > what domain it was
> > > (encrypted DNS + encrypted SNI)
> > > 
> > 
> > Makes sense. Which nameserver are you planning to use, since the
> > used provider will get all Tor Browser DNS queries? Do you (the Tor
> > project) plan to host your own DNS resolver(s)?
> 
> based on statements from Roger about what is the max. acceptable size
> of a single exit operator in terms of fraction of the network I'd
> assume that it is somewhat ok to use a single resolver operator for
> about 5% of the total exit traffic.
> That means we need at least 20 resolver operators, preferably 30.
> We could come up with requirements for them (Mozilla's DoH resolver
> requirements are a start) and make use of public privacy-aware DNS
> resolver operators that meet the requirements.
> It might also be possible to ask well established exit operators to
> run DoH endpoints on their resolvers. This would have positive
> performance implications and increase the number of available DoH
> servers.
> 
> but finding resolvers is probably one of the smaller issues when
> compared to getting everything implemented in firefox/tor browser.
> Current versions do not even allow setting more than one resolver URL.
> 

I see. Are there any tickets or design proposals I can contribute to?

Since you have no comments on my suggestion for an alternative
approach, I assume that it is not worth comparing it to DoH, right?

> kind regards,
> nusenu
> 

BR
Christian


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev