Opened 7 years ago

Closed 6 years ago

#6321 closed task (implemented)

Write a proposal for unverified DNS caching

Reported by: ioerror Owned by: nickm
Priority: Medium Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: dnssec needs-proposal tor-client
Cc: nickm, arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We need a proposal for making Tor clients only cache DNS on a per circuit basis unless verified by DNSSEC. In the absence of DNSSEC, we should not share DNS cache state between circuits.

Child Tickets

Change History (6)

comment:1 Changed 7 years ago by ioerror

Keywords: dnssec added

comment:2 Changed 7 years ago by nickm

Milestone: Tor: 0.2.4.x-final
Status: newassigned

Since right now Tor _doesn't_ do dnssec at all, the change will be to make "DNS Cache" a first-class type, and have it be per-circuit. This will help mitigate several attacks at the cost of a little more dns at the exit node.

comment:3 Changed 7 years ago by nickm

Keywords: needs-proposal added

comment:4 Changed 7 years ago by nickm

Keywords: tor-client added

comment:5 Changed 7 years ago by nickm

Component: Tor ClientTor

comment:6 Changed 6 years ago by nickm

Resolution: implemented
Status: assignedclosed

This was proposal 205.

Note: See TracTickets for help on using tickets.