Delivery-Date: Sun, 05 Apr 2015 17:49:40 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
	RCVD_IN_DNSWL_MED,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id F2C6C1E01A0
	for <archiver@seul.org>; Sun,  5 Apr 2015 17:49:38 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 79BBA3471F;
	Sun,  5 Apr 2015 21:49:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 6FA3C34702
 for <tor-talk@lists.torproject.org>; Sun,  5 Apr 2015 21:49:32 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id TkzyAkCr2Mya for <tor-talk@lists.torproject.org>;
 Sun,  5 Apr 2015 21:49:32 +0000 (UTC)
Received: from smtp1.hushmail.com (smtp1.hushmail.com [65.39.178.135])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "smtp.hushmail.com", Issuer "smtp.hushmail.com" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 4B677346F5
 for <tor-talk@lists.torproject.org>; Sun,  5 Apr 2015 21:49:32 +0000 (UTC)
Received: from smtp1.hushmail.com (localhost [127.0.0.1])
 by smtp1.hushmail.com (Postfix) with SMTP id 7B39E40216
 for <tor-talk@lists.torproject.org>; Sun,  5 Apr 2015 21:49:29 +0000 (UTC)
Received: from smtp.hushmail.com (w5.hushmail.com [65.39.178.80])
 by smtp1.hushmail.com (Postfix) with ESMTP
 for <tor-talk@lists.torproject.org>; Sun,  5 Apr 2015 21:49:29 +0000 (UTC)
Received: by smtp.hushmail.com (Postfix, from userid 99)
 id 5734CA01BF; Sun,  5 Apr 2015 21:49:29 +0000 (UTC)
MIME-Version: 1.0
Date: Sun, 05 Apr 2015 17:49:29 -0400
To: tor-talk@lists.torproject.org
From: "l.m" <ter.one.leeboi@hush.com>
In-Reply-To: <342245e295e58d988086eeb5af19326a@riseup.net>
Message-Id: <20150405214929.5734CA01BF@smtp.hushmail.com>
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: Re: [tor-talk] Secure DNS Addresses
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Hi,

evervigilant@riseup.net wrote:
> If anyone has good intel on some really secure DNS
> addresses that would be great currently I'm using 
> my VPN provider DNS servers and would like to
> have some more numbers to add to my list.

You might consider security and DNS a bit of a joke in that security
wasn't a major design goal. DNSSEC is an extension which is meant to
provide assurance that the response is authoritative. It doesn't
encrypt the request, it only signs the response. This means it would
act as a side-channel, or information leak if used together with Tor.
Using Tor for DNSSEC resolves is expensive and slow, slower if the
exit were to tamper.

Having said that you might look into dnscrypt as a method to secure
the client-DNS resolver traffic. It supports forcing DNS over TCP if
needed. Some dnscrypt-supporting resolvers also provide DNSSEC.
Consider however that *any* local DNS resolution together with Tor can
act as an information leak. All an adversary needs to know is which
resolver you use and then watch the traffic generated by the resolver.
At some point that traffic will be unencrypted.

Do keep in mind some resolvers (like OpenDNS dnscrypt) provide
features where the *apparent* client can monitor and filter requests.
This might be a concern for you where MITM-like adversaries might
exist.

--leeroy
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
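The point made above, that DNSSEC signs the answer but leaves the query name and the records readable to anyone watching the resolver's traffic, can be seen by parsing a response in wire format. This is an added example, not code from the list message; the DNS message it parses is constructed inline (example.test, 192.0.2.1, a zero-filled placeholder RRSIG) rather than captured from a real resolver.

```python
import struct

TYPE_A, TYPE_RRSIG = 1, 46  # RR type codes (RFC 1035, RFC 4034)

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> dict:
    """Report what a passive observer can read from a plaintext DNS response."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                   # skip QTYPE and QCLASS
    types, addrs = [], []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        types.append(rtype)
        if rtype == TYPE_A:
            addrs.append(".".join(str(b) for b in rdata))
    return {"qname": qname, "ad_flag": bool(flags & 0x0020),
            "has_rrsig": TYPE_RRSIG in types, "addresses": addrs}

def build_sample() -> bytes:
    """Constructed DNSSEC-signed answer for example.test (sample data, not captured)."""
    name = b"\x07example\x04test\x00"
    header = struct.pack("!6H", 0x1234, 0x81A0, 1, 2, 0, 0)   # QR RD RA AD; 1 Q, 2 RRs
    question = name + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                          # pointer to name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\x00" * 20                                         # placeholder RRSIG RDATA
    rrsig = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig
```

Running `parse_response(build_sample())` shows the queried name, the AD flag, the RRSIG and the returned address all in the clear: the signature authenticates the data, it does not hide who asked for what.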

