[tor-dev] Support for full DNS resolution and DNSSEC validation

nusenu nusenu-lists at riseup.net
Sun Jun 14 18:16:49 UTC 2020


Christian Hofer:
> On Tue, 2020-06-09 at 23:54 +0200, nusenu wrote:
>>> However, thinking about it, DNSSEC might be useful for caching DNS
>>> records on the client side.
>>
>> caching has privacy implications and is therefore a risk.
>>
> 
> So you are saying that caching is not an option in any case, right? Can
> I kindly ask you to elaborate on this? You don't have to write a long
> answer. A link pointing me to the answer would be more than enough. I
> just want to understand the reason behind this.

You can use a cache, but it must address the linkability risk by scoping the cache usage.
With DoH the browser has access to TTL values from DNS records, so caching is
somewhat easier for the browser than it used to be.

Keywords and pointers:
unlinkability
first party isolation
https://www.torproject.org/projects/torbrowser/design/


>> but finding resolvers is probably one of the smaller issues when
>> compared to getting everything implemented in firefox/tor browser.
>> Current versions do not even allow to set more than one resolver URL.
>>
> 
> I see. Are there any tickets or design proposals I can contribute to?

I haven't put my ideas into a specification yet, but it looks like there is a good reason to
write a spec now.

A next step - before anything else - could be to ask Tor Browser people if there are any DoH plans yet.
I did so back in 2018 and will follow up on that right after this email.

> Since you have no comments on my suggestion for an alternative
> approach, I assume that it is not worth comparing it to DoH, right?

To quote my vision:
> My vision for DNS privacy in Tor Browser: 
> Be able to visit a HTTPS website without the exit relay learning what domain it was 
> (encrypted DNS + encrypted SNI)

This vision somewhat implies the use of DoH, since Firefox requires DoH for ESNI (unless
one wants to implement that in an additional Firefox patch). 
A second good reason for DoH over some other option: DoH is a specified protocol with public implementations
and public services/service providers. This helps with resolver diversity, availability 
and gives us more options when choosing resolvers.

kind regards,
nusenu

-- 
https://mastodon.social/@nusenu
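
Added example (not part of the original email, and not Tor Browser or Firefox code): one way to scope a client-side DNS cache so that entries are keyed by first party and expire with the record TTL, which is the scoping the reply above refers to. The class, its method names and the sample hostnames and addresses are hypothetical and constructed for illustration.

```javascript
// DNS cache scoped by first party (URL bar domain), honouring record TTLs.
// Names here are hypothetical, not Tor Browser or Firefox APIs.
class ScopedDnsCache {
  constructor({ now = () => Date.now(), maxTtlSeconds = 3600 } = {}) {
    this.now = now;                     // injectable clock, milliseconds
    this.maxTtlSeconds = maxTtlSeconds; // upper bound on how long we keep an answer
    this.scopes = new Map();            // firstParty -> Map(key -> entry)
  }
  static key(name, rrtype) {
    // DNS names are case-insensitive; drop a trailing root dot.
    return `${name.toLowerCase().replace(/\.$/, "")}/${rrtype.toUpperCase()}`;
  }
  put(firstParty, name, rrtype, records, ttlSeconds) {
    const ttl = Math.min(Math.max(0, ttlSeconds), this.maxTtlSeconds);
    if (ttl === 0) return;              // TTL 0: answer must not be cached
    const fp = firstParty.toLowerCase();
    if (!this.scopes.has(fp)) this.scopes.set(fp, new Map());
    this.scopes.get(fp).set(ScopedDnsCache.key(name, rrtype), {
      records: [...records],
      expiresAt: this.now() + ttl * 1000,
    });
  }
  // Returns cached records, or null on a miss (unknown scope, name or expired).
  get(firstParty, name, rrtype) {
    const scope = this.scopes.get(firstParty.toLowerCase());
    const k = ScopedDnsCache.key(name, rrtype);
    const entry = scope && scope.get(k);
    if (!entry) return null;
    if (this.now() >= entry.expiresAt) { scope.delete(k); return null; }
    return [...entry.records];
  }
  dropScope(firstParty) {               // forget everything learned under one site
    return this.scopes.delete(firstParty.toLowerCase());
  }
}

// Constructed scenario: the same third-party host embedded on two sites.
function demo() {
  let t = 0;
  const cache = new ScopedDnsCache({ now: () => t });
  cache.put("news.example", "cdn.tracker.example", "A", ["192.0.2.10"], 300);
  const sameSite = cache.get("news.example", "CDN.tracker.example.", "a");
  const otherSite = cache.get("shop.example", "cdn.tracker.example", "A");
  t = 300 * 1000;                       // TTL has elapsed
  const afterTtl = cache.get("news.example", "cdn.tracker.example", "A");
  return { sameSite, otherSite, afterTtl };
}
```

The lookup under shop.example misses even though the name was resolved moments earlier under news.example, so a cache hit never reveals what was visited in another first-party context.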
