
I want to use DNSSEC and DNSCrypt with Tor. I wonder which configuration is more secure and better?

  1. SOCKS4 + dnscrypt-proxy: forward the DNS traffic to a DNS server that I choose, although the DNS server supports DNSSEC and DNSCrypt and keeps no logs.
  2. SOCKS4a: forward DNS traffic within the Tor network and resolve it from many IP addresses.
  3. SOCKS5: forward DNS traffic within the Tor network, but resolve it from one IP address (the exit node).

So, basically the question is "How to use DNSSEC and DNSCrypt correctly over Tor?"

user263485

5 Answers


The 3 configuration examples given offer different benefits and drawbacks. Our preference would be towards #1, as this minimizes latency while offering security on the transport layer (and, with a DNSSEC-validating cache, validation of the origin and of the answer itself).

From a security standpoint, this should allow the same level of protection that Tor does from an encryption standpoint. Of course the DNS server that you are using knows your IP address and what you are requesting, so either you have to trust the DNS server you are using, or you have to use one of the other 2 options proposed.

The major drawback we see regarding the other 2 options is added latency. DNS is pretty time sensitive: the longer it takes to resolve, the worse things go for you. While adding 3 seconds of latency to an HTTP request isn't good, it's not going to break anything. If you add 3 seconds of latency to a DNS request, it's likely your computer will simply act as if the request failed. So either SHOULD work; the security offered by the two is pretty comparable, but there are many different opinions on this point.

The main reason to go for option 2 or 3 (although not sure there's enough difference between those 2 to really matter) would be wanting to hide your source IP from the DNS server.

SOURCE: OpenDNS Support Team

user1346
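What the three options in the question actually put on the wire towards Tor's SocksPort, as an added example that is not part of the question or of the OpenDNS answer above. It encodes a SOCKS4, a SOCKS4a and a SOCKS5 CONNECT request and then parses each one back to show which hostname, if any, Tor gets to see: SOCKS4 carries only a 4-byte IPv4 address, so the client (in option 1, dnscrypt-proxy) must resolve the name before Tor is involved; SOCKS4a and SOCKS5 carry the name itself, so the exit resolves it. The literal address 93.184.216.34 and the user-id `tor` are made-up sample inputs, and the RESOLVE command value is Tor's own SOCKS5 extension rather than part of RFC 1928.

```python
"""What SOCKS4, SOCKS4a and SOCKS5 CONNECT requests carry to Tor's SocksPort.

Added example, not from the question or any answer on the page. Facts used:
  * SOCKS4 has only a 4-byte DSTIP field, so the client resolves the name
    itself before contacting Tor (option 1: dnscrypt-proxy does that).
  * SOCKS4a appends the hostname after USERID when DSTIP is 0.0.0.x.
  * SOCKS5 carries the hostname with address type 0x03 (RFC 1928).
  * Tor accepts a private RESOLVE command (0xF0) on its SOCKS5 port; that is
    what tor-resolve uses to have the exit answer a lookup.
The IP 93.184.216.34 used in the checks is a made-up sample input.
"""
import socket
import struct
from typing import Optional

SOCKS_CMD_CONNECT = 0x01
SOCKS5_ATYP_DOMAIN = 0x03
TOR_SOCKS5_CMD_RESOLVE = 0xF0  # Tor extension, not in RFC 1928


def socks4_connect(ip_text: str, port: int, userid: bytes = b"") -> bytes:
    """VN=4, CD=1, DSTPORT, DSTIP (already resolved by the client), USERID, NUL."""
    return (struct.pack("!BBH4s", 4, SOCKS_CMD_CONNECT, port,
                        socket.inet_aton(ip_text)) + userid + b"\x00")


def socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """Same layout, but DSTIP=0.0.0.1 tells the proxy to resolve the name after USERID."""
    return (struct.pack("!BBH4s", 4, SOCKS_CMD_CONNECT, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def socks5_request(hostname: str, port: int, cmd: int = SOCKS_CMD_CONNECT) -> bytes:
    """VER=5, CMD, RSV=0, ATYP=3, LEN, name, DST.PORT (sent after method negotiation)."""
    name = hostname.encode("idna")
    return (struct.pack("!BBBBB", 5, cmd, 0, SOCKS5_ATYP_DOMAIN, len(name))
            + name + struct.pack("!H", port))


def hostname_seen_by_proxy(req: bytes) -> Optional[str]:
    """Return the hostname Tor would resolve at the exit, or None when the
    request already carries an IP, i.e. the name was resolved locally."""
    ver = req[0]
    if ver == 5:
        if req[3] != SOCKS5_ATYP_DOMAIN:
            return None                       # ATYP 1/4: literal IPv4/IPv6
        n = req[4]
        return req[5:5 + n].decode("idna")
    if ver == 4:
        ip = req[4:8]
        userid_end = req.index(b"\x00", 8)    # NUL that ends USERID
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            name_end = req.index(b"\x00", userid_end + 1)
            return req[userid_end + 1:name_end].decode("idna")
        return None                           # plain SOCKS4: IP only
    raise ValueError("not a SOCKS4/4a/5 request")


def leaks_local_dns(req: bytes) -> bool:
    """True when the name had to be resolved outside Tor before this request."""
    return hostname_seen_by_proxy(req) is None
```

The practical reading: with option 1 the resolver you picked sees every name you look up together with your real IP, and Tor only ever sees the resulting address; with options 2 and 3 the name travels inside the circuit and the exit's resolver sees it instead, without your IP. A SOCKS5 client that resolves first and sends ATYP=1 leaks exactly like SOCKS4, which is why the parser treats both the same.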

If you enable tcp-upstream: yes in your unbound configuration, the remote DNS server should also be able to reply to TCP requests, in other words, to be listening on port 53 TCP. I couldn't find a free DNSSEC enabled server that does this, all of them talk only UDP.

Jens Kubieziel
Ehlo Olhe

For what it's worth, you can also use unbound as a DNSSEC validating DNS recursor over Tor. But think long and hard about how this will affect circuit isolation and fingerprinting!

# /etc/unbound/unbound.conf

server:
  # DNSSEC root trust anchor; unbound keeps this file updated (RFC 5011),
  # so the unbound user needs write access to it
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  # listen on loopback only
  interface: 127.0.0.1
  do-ip6: no
  # use TCP towards upstream servers, which is what a SOCKS/transparent proxy can carry
  tcp-upstream: yes

unbound doesn't support Socks, so you would use transparent proxying or maybe torsocks.
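The wire format behind the `tcp-upstream: yes` advice and the unbound configuration above, as an added example that is not code from either answer. It builds the query a validating resolver sends (EDNS0 OPT record with the DO bit, RFC 6891), wraps it in the 2-byte length prefix that DNS over TCP requires (RFC 1035 4.2.2), and parses the flags of a reply to read the AD and TC bits. `SAMPLE_TCP_RESPONSE` is constructed by hand for the offline checks, not captured from a server; `tcp_query` needs network access and is the only part that talks to a real upstream.

```python
"""DNS over TCP with the DNSSEC OK (DO) bit, as unbound sends it with
tcp-upstream: yes.  Added example, not code from either answer.
Facts used: RFC 1035 4.2.2 (2-byte length prefix on TCP), RFC 6891 (OPT
record; DO = high bit of the OPT TTL field), RFC 4035 (AD = bit 5 of the
header flags).  SAMPLE_TCP_RESPONSE below is built by hand for the offline
checks; it is not a captured reply."""
import socket
import struct
from typing import Dict

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name: str) -> bytes:
    """Length-prefixed labels ending in a zero byte (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234,
                dnssec_ok: bool = True, udp_payload: int = 4096) -> bytes:
    """Recursive query; with dnssec_ok an OPT RR carrying the DO bit is appended."""
    flags = 0x0100                       # RD: ask the upstream to recurse
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT RR: NAME=root, TYPE=41, CLASS=max UDP payload,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 1 << 15, 0)
    return msg


def query_requests_dnssec(msg: bytes) -> bool:
    """True if the additional section holds an OPT RR with DO set."""
    if struct.unpack("!H", msg[10:12])[0] == 0:
        return False
    pos = 12
    while msg[pos] != 0:                 # skip the question name labels
        pos += 1 + msg[pos]
    pos += 1 + 4                         # terminator + QTYPE/QCLASS
    if msg[pos] != 0:                    # OPT must sit at the root name
        return False
    rrtype, _cls, ttl = struct.unpack("!HHI", msg[pos + 1:pos + 9])
    return rrtype == TYPE_OPT and bool(ttl & 0x8000)


def frame_tcp(msg: bytes) -> bytes:
    """Prefix the message with its 16-bit length, as DNS over TCP requires."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> bytes:
    """Strip the TCP length prefix; refuse a short read."""
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("truncated DNS/TCP message")
    return stream[2:2 + n]


def response_flags(msg: bytes) -> Dict[str, int]:
    """Header fields a DNSSEC-aware client looks at first."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "tc": (flags >> 9) & 1,          # UDP answer was cut short: retry over TCP
        "ad": (flags >> 5) & 1,          # upstream validator says the answer verified
        "rcode": flags & 0xF,
    }


# Constructed sample (not a real capture): a TCP-framed NOERROR reply to the
# query above with QR, RD, RA and AD set and no answer records.
SAMPLE_TCP_RESPONSE = frame_tcp(
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def tcp_query(server: str, name: str, port: int = 53, timeout: float = 5.0) -> Dict[str, int]:
    """Send build_query(name) over plain TCP and parse the reply flags.
    Needs network access; the offline checks do not call it."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name)))
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        return response_flags(_recv_exact(s, n))
```

Two caveats that matter for the question. An AD bit set by a remote server only means something if the path to that server is authenticated (DNSCrypt, or a TLS transport), which is why the configuration above validates locally against its own trust anchor instead of trusting the flag. And a DNSSEC answer often exceeds what fits in a UDP reply, so the server sets TC and the client must retry over TCP; an upstream that only listens on UDP 53, as the answer above complains, cannot complete that retry at all.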


I question the real validity of DNS being insecure. Most networks used to block only HTTP GET URLs, where they get the domain info to block. Some gateways look in the HTTP body for keywords.

DNS is used only when a network admin is dealing with hackers who he believes have already bypassed his HTTP blocks. It's very rare even for power users to bother about DNS.

But if this admin is unable to properly block HTTP, will he be able to do so with DNS?

The major issue is that DNS queries are the base for all Internet requests based on domains. ANYTHING we access pointing to a domain needs to be resolved. So, DNS is used a lot, and it needs to reply FAST. Using blacklist filters in DNS servers can make them slow, and the whole network will suffer.

Just logging every query everybody does, to use later in statistics, is possible; in this case I agree you need to be careful. But again, few users will be able to properly hide their HTTP usage at the same time the admin is unable to block them.

Hikari

I'm using BIND tuned to forward everything under .onion to the Tor DNS resolver/binder, and all the rest is resolved recursively without any forwarding. Works like a charm.

Alexey Vesnin