[tor-relays] dnsmasq configuration for an exit relay (Debian)
Ralph Seichter
m16+tor at monksofcool.net
Sun Oct 8 20:24:52 UTC 2017
On 08.10.17 21:40, jpmvtd261 at laposte.net wrote:
> Disclaimer : this is a (too) big email.
Seriously? Can you really not answer to individual messages? ;-)
> it is not necessarily better to ask directly to a root name server.
Yes it is; for uncached lookups, one of the root zone servers must be
involved anyway. As of today, that will be one of thirteen servers, and
I'd be extremely surprised if an attacker could monitor them all.
> who is aware of the query is not all that matters ; the apparent
> origin of the query also matters, depending of the position of the
> attacker.
Sure, but keep in mind: Even if an attacker could gain access to all
root zone servers, he could not see the necessary follow-up queries on
TLD level (e.g. country domains, or .com, .net, etc.) and beyond. If I
looked up host.somedomain.fr, a root zone snoop might show my interest
in a French domain, but nothing else.
> If the attacker can listen the traffic between the exit node and the
> upstream resolver, I don't think contacting the upstream resolver
> directly is better than contacting it indirectly.
So what? If the attacker can hack your ISP's infrastructure to listen
in, this whole discussion is academic. Otherwise, "the upstream
resolver" varies with each individual query, unless one configures the
upstream servers manually. Hence, leaving the local resolver to freely
choose upstream servers is preferable.
-Ralph
More information about the tor-relays
mailing list