Date: Thu, 15 Jan 2015 15:52:48 -0500
To: tor-talk@lists.torproject.org
From: "l.m" <ter.one.leeboi@hush.com>
Subject: Re: [tor-talk] DNSSEC better protecting users?

I know it's off topic but if you do use DNSCrypt by forcing DNS over
TCP make sure you don't use OpenDNS servers. If you're familiar with
OpenDNS you know they have a control panel where you can admin the
service wrt its external IP relation. DNS based filtering and
monitoring of requests. If you do use OpenDNS servers it's possible
for an exit to both track the requests made *and* filter requests. Use
an alternative server.

-- leeroy

Nicolai wrote:
On Sat, Jan 10, 2015 at 12:54:23AM -0800, Virgil Griffith wrote:

> In particular, I am concerned about what subdomain a user is visiting
> being leaked.

DNSSEC is not encrypted, so it leaks everything -- even data that normal
DNS doesn't.

> Are there any established ways of preventing the subdomain from being
> leaked?

The best way currently is to use DNSCrypt, which encrypts DNS queries
and responses.  It's originally from OpenDNS, although there are other
providers that support DNSCrypt also.  With DNSCrypt, only the provider
sees your queries, instead of the provider + anyone listening in.

Note this is only the DNS angle to your question.  (Katya mentions HTTPS
SNI).

Nicolai

