[tor-dev] Support for full DNS resolution and DNSSEC validation
Christian Hofer
chrisss404 at gmail.com
Sun Jun 14 16:03:16 UTC 2020
On Tue, 2020-06-09 at 23:54 +0200, nusenu wrote:
> > However, thinking about it, DNSSEC might be useful for caching DNS
> > records on the client side.
>
> caching has privacy implications and is therefore a risk.
>
So you are saying that caching is not an option in any case, right? Can
I kindly ask you to elaborate on this? You don't have to write a long
answer. A link pointing me to the answer would be more than enough. I
just want to understand the reason behind this.
> > > My vision for DNS privacy in Tor Browser:
> > > Be able to visit an HTTPS website without the exit relay learning
> > > what domain it was (encrypted DNS + encrypted SNI)
> > >
> >
> > Makes sense. Which nameserver are you planning to use, since the used
> > provider will get all Tor Browser DNS queries? Do you (the Tor project)
> > plan to host your own DNS resolver(s)?
>
> based on statements from Roger about what is the max. acceptable size of
> a single exit operator in terms of fraction of the network I'd assume that
> it is somewhat ok to use a single resolver operator for about 5% of the
> total exit traffic.
> That means we need at least 20 resolver operators, preferably 30.
> We could come up with requirements for them (Mozilla's DoH resolver
> requirements are a start) and make use of public privacy aware DNS
> resolver operators that meet the requirements.
> It might also be possible to ask well established exit operators to run
> DoH endpoints on their resolvers. This would have positive performance
> implications and increase the number of available DoH servers.
>
> but finding resolvers is probably one of the smaller issues when compared
> to getting everything implemented in firefox/tor browser. Current versions
> do not even allow setting more than one resolver URL.
>
I see. Are there any tickets or design proposals I can contribute to?
Since you have no comments on my suggestion for an alternative
approach, I assume that it is not worth comparing it to DoH, right?
> kind regards,
> nusenu
>
BR
Christian