GitLab

Originally created by Tails on #6070 (Redmine)

{{toc}}

Rationale

The Tor DNS resolver Tails is currently using lacks support for most types of DNS queries except "A". A better user experience would be provided if Tails was able to resolve any kind of DNS queries out of the box.

Implementation

Inserting ttdnsd into the DNS resolver loop is the obvious solution. ttdnsd listens for UDP DNS requests and forwards these via the Tor SOCKS proxy to an open recursive DNS resolver on the Internet.

But we cannot just replace pdnsd with ttdnsd as the latter, unlike the former, does no caching at all. The DNS resolution process could then be:

resolv.conf -> DNS forwarding+caching proxy -> ttdnsd -> Tor

Forwarding+caching DNS proxy candidates:

• pdnsd: already installed on Tails
• dnsmasq: very flexible DNS forwarder
• unbound: "recursive-only" caching DNS server which can perform DNSSEC validation of results; the DNSSEC feature is appealing; its "forward zones" feature seems to allow plugging it into the proposed DNS resolution process: forwarding a zone called "." seems sufficient; see Haven SVN for examples that may not be working yet (as of June 2011, see tor-talk ML)

=> keeping our known-working pdnsd configuration seems to be the safe choice.

Work is being done on this topic in our feature/support_arbitrary_dns_queries Git branch.

Merged in devel, with everything but .onion / .exit being resolved using ttdnsd because of bug #3369 on Tor Project’s Trac. This bug was fixed in the Tor 0.2.2.x branch; let’s wait for this release to be stabilized; once we ship it, we can move to "try the Tor resolver first, fallback on ttdnsd if the former fails".

The feature/support_arbitrary_dns_queries Git branch implements the above described policy. Only thing missing is Tor 0.2.2.x.

Tor 0.2.2 is now the official Tor stable tree. Time to merge.

done in 0.8

Related issues

• Related to #6158 (closed)
• Blocks #7453 (closed)