[tor-bugs] #28955 [Applications/Orbot]: should Orbot include DNS forwarder backed by DNS-over-TLS
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 1 01:56:29 UTC 2019
#28955: should Orbot include DNS forwarder backed by DNS-over-TLS
--------------------------------+-----------------------
Reporter: eighthave | Owner: n8fr8
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Orbot | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------+-----------------------
Comment (by pege):
This is probably something that should be supported by Tor itself rather
than Orbot since it affects anything using Tor, not just Orbot and
applications that use it to connect to the Tor network.
I'm generally in favor, but there are a few things to consider:
* This is going to increase latency. Tor supports specifying a DNS name as
the target in SOCKS5, in which case the exit node does the DNS lookup (lower
latency). Also, it allows sending data before the DNS name is resolved,
decreasing latency again, but only if DNS resolution is done remotely. If
DNS over TLS is used, this won't be possible without another request to
the DNS server first. Exits doing a lookup without them learning the DNS
name is probably not possible.
* Tor Browser and all other applications using TLS still leak that
information without [https://blog.cloudflare.com/esni/ ESNI] being enabled
browser- and server-side (not in Firefox stable AFAIK).
* There need to be enough independent services offering DNS-over-TLS to
make sure that blocking of Tor exit nodes by a single provider or a few
providers won't break Tor.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28955#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
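The SOCKS5 point in the comment above (sending the hostname itself as the SOCKS5 target so the exit, not the client, resolves it) as an added Python example; this is not code from the ticket, Tor or Orbot. It encodes and decodes RFC 1928 requests and reports whether name resolution was delegated; the hostnames and addresses are constructed, and the RESOLVE command value comes from Tor's documented SOCKS extensions, not from this ticket.

```python
import ipaddress

SOCKS5 = 0x05
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0      # Tor extension (socks-extensions.txt): ask Tor to resolve a name
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_request(cmd: int, host: str, port: int) -> bytes:
    """Encode a SOCKS5 request. A hostname goes out as ATYP 0x03, so the
    name is carried through the circuit and resolved by the exit; an IP
    literal means the application already resolved the name locally."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 domain field")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, cmd, 0x00]) + addr + port.to_bytes(2, "big")


def parse_request(data: bytes) -> dict:
    """Decode a SOCKS5 request and flag whether resolution was delegated."""
    if len(data) < 4 or data[0] != SOCKS5 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(data[4:20]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("length does not match address type")
    return {"cmd": cmd, "atyp": atyp, "host": host,
            "port": int.from_bytes(data[end:end + 2], "big"),
            "remote_resolution": atyp == ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed inputs: a hostname (exit resolves it) vs. a pre-resolved IP.
    for target in ("example.com", "192.0.2.10"):
        print(parse_request(build_request(CMD_CONNECT, target, 443)))
```

A request with `remote_resolution` False means the application resolved the name before reaching Tor, which is the local DNS leak the comment's latency argument is weighed against.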