[tor-dev] GSoC: Support all kinds of DNS queries

Jeremy Rand jeremyrand at airmail.cc
Sun Apr 2 03:22:58 UTC 2017


Daniel Achleitner:
> Hi everyone,
> 
> I'm a Software Engineering master's student at TU Wien, Austria, 
> with a recent focus on computer security and privacy issues. I am 
> interested in participating in GSoC 2017, particularly in the
> task to support all kinds of DNS queries via Tor [1].
> 
> I've seen the mailing list discussions of 2012 and read the 
> resulting proposition 219 [2]. What do you think, which parts of
> it (if any) would need to be adapted for DNS in 2017? My current 
> impression is that not much has changed, particularly regarding 
> DNSSEC support and deployment.
> 
> As of now, the proposal looks fairly complete with few questions 
> remaining, the biggest research task being how to utilize 
> libunbound for query/response parsing and construction. 
> Implementing the RELAY DNS cells then seems fairly
> straightforward. Unit/integration tests and some fuzzing would be a
> good idea. The problem of reducing DNSSEC roundtrips
> (serialization) to be investigated in a later phase, I would say.
> 
> Is a separate AXFR tool still something that is desired? I have no
> experience with zone transfers -- can't the existing tooling just 
> be used over a normal TCP conn through Tor?
> 
> This project idea would make a good match to my thesis in
> progress, for which I am researching and evaluating
> privacy-improving DNS tools in the context of Tor (DNSCrypt,
> DNS-over-TLS) [3], inspired by the awesome paper on DNS correlation
> [4]. For example, I recently built a SOCKS-to-SOCKS translator
> which allows resolving hostnames using a resolver of choice, e.g.
> using DNSCrypt with TBB.
> 
> Looking forward to hearing your thoughts, concerns and opinions!
> 
> Best regards, Daniel
> 
> IRC handle on OFTC: idealchain

(Thinking out loud.)  It would be interesting to have some kind of
algorithm agility here.  For example, a Tor client could send a
request for a Namecoin domain name, and the exit relay would return a
Namecoin merkle proof in the same way that it would return a DNSSEC
signature if it were a DNS domain name.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmobile at airmail.cc
Mobile PGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with PGP.
Please don't send me unencrypted messages.
My business email jeremy at veclabs.net is having technical issues at the
moment.