Alexander Færøy: > I wonder if it would make more sense to have an onion-aware > DNSSEC-enabled resolver *outside* of the Tor binary and have a way for > Tor to query an external tool for DNS lookups. Such tool should be > allowed to use Tor itself for transport of the actual queries. One of > the best parts of Tor (in my opinion) is the Pluggable Transport > subsystem. This subsystem allows external developers, researchers, and > hackers to build new technology that benefits users in censored areas > *without* having to alter a single line of C code in tor.git. > > Let's say we had a "Pluggable DNS" layer in Tor. Users would be able to > configure their Tor process to *never* use the built-in DNS subsystem in > Tor, but instead outsource it to an external process that Tor spawns on > startup. This process could use .onion's to reach a > DNS-over-(TLS|HTTPS|TCP) server as onions themselves aren't looked up > via DNS. > > A "Pluggable DNS" subsystem would be much less code, I believe, and it > wouldn't require us to have a DNS+DNSSEC implementation in the heart of > Tor to maintain in the future. Such a system would be similar to the > proposed design for Name => Onion lookups defined in proposal #279 by > asn, yawning, and dgoulet. Hi Alex, FYI I already wrote a Prop279 provider that looks up the names via DNS (it's aptly named "dns-prop279"); it does pretty much exactly what you describe. It doesn't handle DNSSEC validation itself (it assumes that you've specified a DNS server that you trust -- most likely one running on localhost). Stream isolation can be handled via an EDNS0 field (and I'm guessing it would not be difficult to patch an existing DNS server to respect that EDNS0 field). I wouldn't be surprised if it's easy to make dns-prop279 do DNSSEC validation itself (and not use a localhost-based DNS server) if that's desired -- the library it uses (miekg/dns) does claim to support DNSSEC validation, though I've never tried testing that feature. I originally wrote dns-prop279 for Namecoin purposes, but I see no reason it couldn't be used to achieve DNSSEC support in Tor. If there's interest in pursuing this, let me know, I'm happy to contribute. Code is at https://github.com/namecoin/dns-prop279 Cheers, -- -Jeremy Rand Lead Application Engineer at Namecoin Mobile email: jeremyrandmobile@xxxxxxxxxx Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C Send non-security-critical things to my Mobile with OpenPGP. Please don't send me unencrypted messages. My business email jeremy@xxxxxxxxxxx is having technical issues at the moment.
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev