[Freedombox-discuss] DNS std for Freedomboxes? [was Re: Establishing Communication between Freedomboxes]
bertagaz at ptitcanardnoir.org
Tue Jul 19 18:21:44 UTC 2011
On Tue, Jul 19, 2011 at 11:08:50AM -0700, Tony Godshall wrote:
> >>> Is Tor centralized this way?
> >
> >> The Tor directory authorities are centralized, but the effect of
> >> compromising a DNS root server is probably worse than compromising a
> >> Tor directory authority.
> >
> > Right. Since Directory Protocol v2, statements made by a Directory
> > authority are believed by a Tor client "iff they were attested to by
> > more than half of the authorities", so an adversary needs to
> > compromise more than half of the Tor Directory authorities to be able
> > to lie effectively to Tor clients.
> >
> > See dir-spec-v2.txt in the torspec Git repository¹ for details.
> > The "0.1. History" section of the (WIP) dir-spec.txt is a nice
> > introduction to how such matters are dealt with by Tor.
> >
> > 1. git://git.torproject.org/torspec.git
> >
> > Bye,
>
>
> Thanks
>
> Is there any reason why Tor-based DNS should not be the default for
> the freedombox?
DNS torification (using the DNSPort Tor option) actually only supports A
requests, meaning if the FreedomBox is set up to be a mail server, it can't
work properly (at least MX DNS requests can't be resolved that way). But
there are ways to configure a system so that it can use Tor for the A
queries, and plain DNS for the rest.
Maybe that should be an option chosen by the user?
> The arguments in favor would seem to be that it
>
> - is well tested
>
> - bypasses DNS manipulation by an ISP or adversary capable of
> compromising less than half of Tor
>
> - makes DNS lookups encrypted
>
> It does not, however, keep an adversary from logging connections by
> actual ip address (except for those that go through the high-latency
> Tor hidden service mechanism of course)
>
> Tony