On 7 feb 2012, at 22:08, Ondrej Mikle wrote:

> 1. full packet might leak identifying information about OS or resolver used,
> quoting Nick:
>> There are parts of a DNS packet that we wouldn't want
>> to have the Tor client make up.  For example, DNS transaction IDs
>> would need to avoid collisions. Similarly, I don't see why the client
>> should be setting most  of the possible flags.
> 
> The query will work as if following was set: flags 0x110 (recursive,
> non-authenticated data ok), DO bit set. Is there any reason for setting some
> flags otherwise or make some optional?

If you bundle a full resolver (e.g. libunbound) with the TOR client, you will 
be much better off doing full DNS packet transport, or you have to rewrite the 
upstream forwarding code. I do about the potential fingerprinting issues (I'm 
one of the people behind Net::DNS::Fingerprint), but in this case I believe we 
can mitigate these issues (if considered important) by masking/rewriting some 
DNS request fields within the TOR client and/or exit node.

        jakob

_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
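
The request-field rewriting mentioned in the message above, as an added example that is not part of the original post and is not Tor or libunbound code: a query is rebuilt so that only the question name, type and class survive from the client's resolver. The function names, the fixed UDP payload size of 4096, the lowercasing of the name and the dropping of all client EDNS options are assumptions made for illustration.

```python
import secrets
import struct

FLAGS = 0x0110  # RD + CD, the flags value quoted in the thread
# Fixed OPT RR: root name, TYPE 41, UDP size 4096 (assumed), DO bit set, no options
OPT_RR = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)

# Constructed sample query: ID 0x1234, flags RD+AD, mixed-case name, A/IN,
# and an OPT RR advertising size 1232 with an 8-byte option (code 10)
SAMPLE = (struct.pack("!6H", 0x1234, 0x0120, 1, 0, 0, 1)
          + b"\x03WwW\x07Example\x03COM\x00" + struct.pack("!HH", 1, 1)
          + b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 12)
          + struct.pack("!HH", 10, 8) + bytes(range(1, 9)))


def read_question(pkt, off=12):
    """Return (lowercased wire-format name, qtype, qclass) of the question."""
    labels = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n > 63 or off + n > len(pkt):
            raise ValueError("compression pointer or bad label in query")
        labels.append(bytes([n]) + pkt[off:off + n].lower())
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return b"".join(labels) + b"\x00", qtype, qclass


def normalize_query(pkt):
    """Rebuild a query so only name, type and class survive from the client."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    _id, flags, qdcount = struct.unpack_from("!3H", pkt)
    if flags & 0xF800 or qdcount != 1:  # QR set or opcode other than QUERY
        raise ValueError("not a single-question standard query")
    name, qtype, qclass = read_question(pkt)
    # Fresh random ID, fixed flags and counts, fixed OPT RR; the rest is dropped
    header = struct.pack("!6H", secrets.randbits(16), FLAGS, 1, 0, 0, 1)
    return header + name + struct.pack("!HH", qtype, qclass) + OPT_RR
```

Two different resolvers asking the same question produce output that differs only in the random transaction ID.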