[tor-dev] Support for full DNS resolution and DNSSEC validation

nusenu nusenu-lists at riseup.net
Tue Jun 9 21:54:55 UTC 2020


> However, thinking about it, DNSSEC might be useful for caching DNS
> records on the client side.

Caching has privacy implications and is therefore a risk.

>> My vision for DNS privacy in Tor Browser:
>> Be able to visit an HTTPS website without the exit relay learning what
>> domain it was (encrypted DNS + encrypted SNI)
>
> Makes sense. Which nameserver are you planning to use, since the used
> provider will get all Tor Browser DNS queries? Do you (the Tor project)
> plan to host your own DNS resolver(s)?

Based on statements from Roger about the maximum acceptable size of a single
exit operator as a fraction of the network, I'd assume that it is somewhat OK
to use a single resolver operator for about 5% of the total exit traffic.
That means we need at least 20 resolver operators, preferably 30.
We could come up with requirements for them (Mozilla's DoH resolver requirements are a start)
and make use of public privacy-aware DNS resolver operators that meet the requirements.
It might also be possible to ask well-established exit operators to run DoH endpoints
on their resolvers. This would have positive performance implications and increase the number
of available DoH servers.

But finding resolvers is probably one of the smaller issues when compared to getting
everything implemented in Firefox/Tor Browser. Current versions do not even allow
setting more than one resolver URL.

kind regards,
nusenu

-- 
https://mastodon.social/@nusenu
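
Added example, not code from the original post nor from Tor Browser or Firefox: a small Python model of the resolver-pool rule nusenu describes above. It keys selection on the resolver operator rather than the DoH URL (so an operator exposing several endpoints still counts once), derives the 20-operator minimum from the 5% cap, refuses to hand out resolvers from an under-sized pool, and simulates the resulting per-operator share. The class and function names, the constructed `.example` endpoints and the operator labels are my assumptions; only the 5% figure and the 20-operator minimum come from the post.

```python
# Added example, not code from the original post, Tor Browser or Firefox.
# Models the resolver-pool rule from the mail: no single operator should
# carry more than ~5% of queries, so the pool needs at least 20 operators.
# Names (ResolverPool, min_operators) and the sample operator labels are
# my assumptions.
import math
import random
from collections import Counter, defaultdict
from fractions import Fraction

MAX_OPERATOR_SHARE = 0.05  # per-operator cap stated in the post (~5%)


def min_operators(max_share: float = MAX_OPERATOR_SHARE) -> int:
    """Smallest number of distinct operators that can absorb all queries
    without any one of them exceeding max_share: ceil(1 / max_share).
    Fraction keeps ceil(1/0.05) from tripping over floating-point noise."""
    share = Fraction(max_share).limit_denominator(10_000)
    return math.ceil(1 / share)


class ResolverPool:
    """DoH endpoints grouped by operator. Selection is keyed on the operator,
    not the URL, so several endpoints run by one operator cannot add up to
    more than the cap between them."""

    def __init__(self, endpoints, max_share: float = MAX_OPERATOR_SHARE):
        # endpoints: iterable of (doh_url, operator_label)
        self.max_share = max_share
        self.by_operator = defaultdict(list)
        for url, operator in endpoints:
            self.by_operator[operator].append(url)
        self.operators = sorted(self.by_operator)

    def is_diverse_enough(self) -> bool:
        """True when uniform choice over operators keeps each one <= max_share."""
        return len(self.operators) >= min_operators(self.max_share)

    def pick(self, rng=random):
        """Choose an operator uniformly (each gets 1/n <= max_share of queries),
        then one of that operator's endpoints uniformly. Refuses to hand out
        anything from an under-sized pool rather than silently overloading."""
        if not self.is_diverse_enough():
            raise ValueError(
                f"pool has {len(self.operators)} operators, need at least "
                f"{min_operators(self.max_share)} for a {self.max_share:.0%} cap")
        operator = rng.choice(self.operators)
        return rng.choice(self.by_operator[operator]), operator


def max_operator_share(pool: ResolverPool, n_queries: int, seed=None) -> float:
    """Simulate n_queries picks with a seeded RNG and return the largest
    fraction any single operator received; it should stay close to
    1 / len(pool.operators), i.e. ~5% for a 20-operator pool."""
    rng = random.Random(seed)
    counts = Counter(pool.pick(rng)[1] for _ in range(n_queries))
    return max(counts.values()) / n_queries


# Constructed sample pool: 20 operators, the first of which runs three
# endpoints (an exit operator exposing DoH on several of its own resolvers).
SAMPLE_ENDPOINTS = [("https://doh.op00.example/dns-query", "op00"),
                    ("https://doh2.op00.example/dns-query", "op00"),
                    ("https://doh3.op00.example/dns-query", "op00")]
SAMPLE_ENDPOINTS += [(f"https://doh.op{i:02d}.example/dns-query", f"op{i:02d}")
                     for i in range(1, 20)]

if __name__ == "__main__":
    pool = ResolverPool(SAMPLE_ENDPOINTS)
    print("operators:", len(pool.operators), "diverse:", pool.is_diverse_enough())
    print("max share over 10000 queries:", max_operator_share(pool, 10_000, seed=1))
```

The point of grouping by operator rather than by URL is the one the mail makes implicitly: a resolver operator that runs three DoH endpoints is still one party that can see all the queries sent to them, so diversity has to be counted in operators, not hostnames.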
