
Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)



Unless configured otherwise, Dnsmasq chooses a server from the list
randomly, so the more servers the operator specifies in dnsmasq.conf,
the less traffic each server gets. This increases the diversity of DNS
requests, complicating traffic analysis for any adversary that
controls some, but not all, links between the host and the DNS
servers.

With a large-enough cache and sufficient uptime dnsmasq effectively
becomes a mini-DNS server that stores IP addresses for the vast
majority of sites that Tor users ever visit. With little to no
outgoing DNS traffic from the host, DNS-assisted correlation
("DefecTor") becomes impractical for anyone, including the hosting
provider. Combined with very low resource utilization of dnsmasq,
running it on an Exit node improves anonymity for the majority of Tor
users at almost zero cost. The only scenario where a cache does not
help is resolving rare hostnames that nobody has visited yet, but even
in this case, with multiple upstream DNS servers only an adversary
controlling the AS is guaranteed to intercept the request.

I have not seen any research papers that would indicate that the cost
of running a full DNS server on an Exit relay is worthwhile and that
it improves anonymity substantially more compared to a lightweight
cache resolver. If you know of any, please share, and I'll be happy to
change my mind.

- Igor
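An added configuration example, not from Igor's message or the thread: a dnsmasq.conf fragment that sets up the multi-upstream caching resolver the message describes. The upstream addresses are documentation placeholders and the cache size is an illustrative value, not a recommendation; it is also assumed that /etc/resolv.conf on the host points at 127.0.0.1 so that Tor's resolver calls reach dnsmasq.

```conf
# Added example dnsmasq.conf fragment (not posted in the thread).
# Upstream addresses and cache-size are placeholders/assumptions.

# Answer only on loopback. Tor uses the system resolver, so this
# assumes /etc/resolv.conf contains "nameserver 127.0.0.1".
listen-address=127.0.0.1
bind-interfaces

# Do not pull the hosting provider's resolvers out of /etc/resolv.conf;
# only the servers listed below are used.
no-resolv

# Several upstream servers (placeholder addresses). With the default
# selection behaviour dnsmasq spreads queries across the list instead
# of pinning everything to the first entry.
server=192.0.2.53
server=198.51.100.53
server=203.0.113.53

# Options that change the selection behaviour ("configured otherwise"),
# left disabled here:
#   strict-order  - try servers strictly in the order listed
#   all-servers   - send every query to all servers, use the first reply
#strict-order
#all-servers

# Enlarged cache (example value; the compiled-in default is far smaller),
# so repeated lookups for popular names are answered locally.
cache-size=10000

# Negative answers are cached by default; enabling no-negcache would
# send every repeated NXDOMAIN lookup upstream again.
#no-negcache
```

After restarting dnsmasq, the cache can be checked without any extra tooling: dnsmasq writes its cache statistics (size, insertions, queries forwarded versus answered locally) to syslog when it receives SIGUSR1, so `kill -USR1 $(pidof dnsmasq)` followed by a look at the system log shows whether the fraction of forwarded queries drops as the cache warms up.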

On Sun, Oct 8, 2017 at 1:03 AM, Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx> wrote:
> On 08.10.17 09:47, Toralf Förster wrote:
>
>> IMO there's absolutely no advantage of using external DNS servers.
>
> "No advantage" is putting it too mildly. Manually specifying upstream
> servers runs contrary to the very reason to have a resolver on the Tor
> node in the first place, which is to only involve the necessary minimum
> set of servers for each query.
>
> -Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays