On Sun, 2020-05-24 at 19:01 +0200, nusenu wrote: > Christian Hofer: > > On Sat, 2020-05-16 at 01:37 +0200, nusenu wrote: > > > Alexander Færøy: > > > > I wonder if it would make more sense to have an onion-aware > > > > DNSSEC-enabled resolver *outside* of the Tor binary and have a > > > > way > > > > for > > > > Tor to query an external tool for DNS lookups. > > > > > > I'm also in favor of this approach, > > > and you can do this today with no code changes to tor at all. > > > > > > CF demonstrated it even before DoH/RFC8484 was finalized: > > > https://blog.cloudflare.com/welcome-hidden-resolver/ > > > > > > > Do you have DNSSEC validation in this approach? > > That is up to you. If you use a stub resolver that has DNSSEC support > (like > stubby) you have DNSSEC validation. > > > > > + 1 for DoT and DoH over tor, especially due to the DoH > > > implementation that is > > > available in firefox (it would still require work on stream > > > isolation > > > and caching > > > risks to ensure the usual first party isolation). > > > In terms of achieving a big improvement on tor browser users in > > > the > > > context of DNS > > > this would be the most effective path to spend coding resources > > > on in > > > my opinion. > > > > > > > > > > It seems that Firefox's DoH implementation does not employ DNSSEC > > validation, see [2]. They trust CF doing it for them. Be careful > > here. > > I'm aware that firefox does not perform DNSSEC validation. I don't > think > the tor project would enable DNSSEC in Tor Browser without a good > use-case or a (future) TLS extensions solving > the latency issue. Since DANE for HTTPS does not appear to be a thing > and there is no DANE support in firefox > I'm also wondering about the specific use-cases for DNSSEC in Tor > Browser. > > > Furthermore, there are privacy concerns about additional metadata > > regarding the use of DoH (agent headers, > > solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1543201 > > > language settings, > > solved since https://bugzilla.mozilla.org/show_bug.cgi?id=1544724 >
Well done! > > and cookies) > > I don't think firefox sends cookies in DoH requests. > > > I'm still curious about the underlying threat model and use-cases (my > first questions in this thread), > since that would help with trying to understand what you are trying > to achieve. > The thread model is DNS hijacking. Yes, you can prevent DNS hijacking using DoH if you *trust* the resolver you connect to. However, if you want to verify authenticity and integrity of DNS responses you need DNSSEC. Maybe this is not a real concern, otherwise you might have already considered it. > kind regards, > nusenu > BR Christian > > > _______________________________________________ > tor-dev mailing list > tor-dev@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev