Date: Sun, 11 Jan 2015 22:05:39 +0000
From: Nicolai <nicolai-tortalk@chocolatine.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150111220539.GA3480@vectra.student.iastate.edu>
Subject: Re: [tor-talk] DNSSEC better protecting users?

On Sat, Jan 10, 2015 at 12:54:23AM -0800, Virgil Griffith wrote:

> In particular, I am concerned about what subdomain a user is visiting
> being leaked.

DNSSEC is not encrypted, so it leaks everything -- even data that normal
DNS doesn't.

> Are there any established ways of preventing the subdomain from being
> leaked?

The best way currently is to use DNSCrypt, which encrypts DNS queries
and responses.  It's originally from OpenDNS, although there are other
providers that support DNSCrypt also.  With DNSCrypt, only the provider
sees your queries, instead of the provider + anyone listening in.

Note this is only the DNS angle to your question.  (Katya mentions HTTPS
SNI).

Nicolai
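
Added example (not part of the original message): a minimal Python sketch of the point that DNSSEC does not encrypt queries. It builds a wire-format DNS query with the EDNS0 "DNSSEC OK" bit set, then parses the raw bytes the way a passive observer on the path would. The hostname, the transaction ID and the function names are constructed for illustration.

```python
import struct

def build_query(name, dnssec_ok=True, txid=0x1234):
    """Wire-format A query (RFC 1035); optionally adds an EDNS0 OPT record
    with the DNSSEC OK (DO) bit (RFC 3225). txid is a constructed value."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0/1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL holds flags (DO=0x8000), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if dnssec_ok else b""
    return header + question + opt

def observe(packet):
    """What anyone who captures the packet can read, with no key material."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    labels, pos = [], 12
    while packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    pos += 5
    do_bit = False
    if arcount == 1 and packet[pos] == 0:
        rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        do_bit = rtype == 41 and bool(ttl & 0x8000)
    return {"qname": ".".join(labels), "qtype": qtype, "dnssec_ok": do_bit}

# Constructed sample: the full subdomain is visible whether or not DNSSEC is requested.
SAMPLE_NAME = "mail.internal.example.com"

if __name__ == "__main__":
    for do in (False, True):
        print(observe(build_query(SAMPLE_NAME, dnssec_ok=do)))
```

DNSSEC adds signatures to the answers; the query name travels in the same cleartext form either way, which is why an encrypting transport such as DNSCrypt is needed to hide it from the path.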

