[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] Secure DNS Addresses



Hi,

evervigilant@riseup.net wrote:
> If anyone has good intel on some really secure DNS
> addresses that would be great currently I'm using 
> my VPN provider DNS servers and would like to
> have some more numbers to add to my list.

You  might consider security and DNS a bit of a joke in that security
wasn't  a major design goal. DNSSEC is an extension which is meant to
provide  assurance that the response is authoritative. It doesn't
encrypt the  request, it only signs the response. This means it would
act  as a side-channel, or information leak if used together with Tor.
Using Tor for DNSSEC resolves is expensive and slow, slower if the
exit were to tamper. 

Having said that you might look into dnscrypt as a method to secure
the client-DNS resolver traffic. It supports forcing DNS over TCP if
needed. Some dnscrypt-supporting resolvers also provide DNSSEC.
Consider however that *any* local dns resolution together with Tor can
act as an information leak. All an adversary needs is to know is which
resolver you use and then watch the traffic generated by the resolver.
At some point that traffic will be unencrypted.

Do keep in mind some resolvers (like OpenDNS dnscrypt) provide
features where the *apparent* client can monitor and filter requests.
This might be a concern for you where MITM-like adversaries might
exist.

--leeroy
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk