[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Ondrej Mikle
ondrej.mikle at gmail.com
Wed Feb 1 01:26:53 UTC 2012
On 01/31/2012 09:35 PM, Roger Dingledine wrote:
>
> I totally agree that writing our own dnssec code would be absurd.
>
> But I'm confused here about why we're adding dns support to Tor itself.
> Are we doing it to be able to proxy more requests from applications to
> dns servers? Or are we doing it because the Tor client itself wants to
> be able to learn the answers to dnssec questions?
>
> If it's the former, then we should try as much as we can to *not* learn
> the details of the protocol. After all, Tor doesn't have an ssh protocol
> parser or validator, but it can proxy ssh traffic just fine.
This question comes up very often when dnssec is considered: where should it be
implemented? At client program? A daemon in OS? A server on a network of an ISP?
There is never an unanimous agreement, dnssec just seems to "not exactly fit
anywhere" (it's not a transport protocol and it's not really an application
protocol; it's just at the same level as DNS).
I thought a bit about (dis)advantages of each, some key points:
1. open DNS resolver listening on TCP somewhere
+ works with current Tor implementation
- there is potential loss of anonymity - there are not many open resolvers and
the issue with transaction IDs was already mentioned
- bit worse performance (creating multiple connections when validating on
client's side)
2. unbound running locally on OR (as exit-enclave)
+ requires only change in packaging
- more code needs to be reviewed compared to libunbound (more code => higher
chance of bug)
- multiple connections when validating
3. libunbound in Tor
+ less code to review than complete unbound
- implementation is more complex
Ondrej
More information about the tor-dev
mailing list