#26042 closed enhancement (not a bug)

Add a new option "RouteDNSTraffic" to prevent noobs from using Tor in an insecure way.

Reported by: cypherpunks
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc: wanking@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

RouteDNSTraffic 1
(default: 1, enabled.)

Analyzing my exit node's traffic, I noticed many users are sending DNS traffic over Tor, especially targeting 8.8.8.8.

Tor itself should reroute the TCP port 53 request to the TorDNS system to prevent linking.

https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/
https://lists.torproject.org/pipermail/tor-relays/2016-May/009255.html

Before:
User === Tor ----- Tor node ---> 8.8.8.8

After:
User === Tor[ --reroute-to-TorDNS-system ]<--->Tor node

Change History (5)

comment:1 Changed 12 months ago by cypherpunks

http://mayakron.altervista.org/wikibase/show.php?id=AcrylicConfiguration

PrimaryServerProtocol=SOCKS5
PrimaryServerProxyAddress=127.0.0.1
PrimaryServerProxyPort=9150
PrimaryServerAddress=8.8.8.8
PrimaryServerPort=53

(copied from some website titled 'how to use Tor with DNS')

comment:2 Changed 12 months ago by cypherpunks

Resolution: wontfix
Status: new → closed
  • analyzing exit traffic is a no-go
  • manipulating destinations clients defined is a no-go
  • you can not assume that everything on TCP/53 is DNS

comment:3 Changed 12 months ago by cypherpunks

Cc: wanking@… added
Resolution: wontfix
Status: closed → reopened

comment:4 Changed 11 months ago by indigotime

> Tor itself should reroute the TCP port 53 request to the TorDNS system to prevent linking.

No, no and no.

It just needs to include DNSCrypt and DNS-over-TLS resolvers into Tor Browser (Orbot, Orfox).

comment:5 in reply to:  4 Changed 11 months ago by teor

Milestone: Tor: unspecified
Priority: High → Medium
Resolution: not a bug
Status: reopened → closed
Type: task → enhancement

Replying to indigotime:

>> Tor itself should reroute the TCP port 53 request to the TorDNS system to prevent linking.
>
> No, no and no.
>
> It just needs to include DNSCrypt and DNS-over-TLS resolvers into Tor Browser (Orbot, Orfox).

Tor Browser uses the exit to resolve DNS queries.

The users using port 53 are running applications that don't support SOCKS5, or are not doing DNS.

There's really nothing Tor can do to reliably fix applications.
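
The point made in comment 2 ("you can not assume that everything on TCP/53 is DNS") and in comment 5 ("or are not doing DNS"), as an added example that is not part of the ticket or of Tor's code: the check a reroute would have to apply to the first bytes of a stream to TCP port 53. The function names and all sample bytes are constructed for illustration.

```python
import struct

def looks_like_dns_query(stream: bytes) -> bool:
    """True if the first bytes of a TCP stream parse as one DNS query in
    TCP framing (2-byte length prefix, RFC 1035 section 4.2.2).
    True means 'plausibly DNS', not proof."""
    if len(stream) < 2 + 12:
        return False
    (msg_len,) = struct.unpack("!H", stream[:2])
    msg = stream[2:2 + msg_len]
    if msg_len < 12 or len(msg) != msg_len:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    # A standard query has QR=0, OPCODE=0, one question, no answer/authority records.
    if flags >> 15 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return False
    pos = 12
    while True:  # walk the QNAME labels
        if pos >= len(msg):
            return False
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:  # over-long label or compression pointer: reject
            return False
        pos += n
    end = pos + 4  # QTYPE and QCLASS follow the name
    if end > len(msg):
        return False
    # Bytes after the question are only acceptable as additional records (e.g. EDNS).
    return end == len(msg) or ar > 0

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a recursive A query for `name`, TCP-framed."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

# Constructed samples of what can arrive on TCP port 53.
SAMPLES = {
    "dns query": build_query("example.com"),
    "truncated dns": build_query("example.com")[:-3],
    "tls record": bytes.fromhex("16030100c8010000c40303") + bytes(189),
    "ssh banner": b"SSH-2.0-OpenSSH_9.6\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:14} plausibly DNS: {looks_like_dns_query(data)}")
```

A reroute keyed on the port number alone would break the last two samples, and a stream that passes this check is still only plausibly DNS.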
