The --use-tor option
Simon Josefsson
simon at josefsson.org
Tue Oct 20 16:34:26 CEST 2015
Werner Koch <wk at gnupg.org> writes:
> This is not complete because DNS lookups are leaking. This could be
> fixed for some commands (like gpg --fetch-key URL) but that would be a
> specialized solution. The more problematic areas are resolving of the
> keyserver pools and retrieving of CERT and DANE records. Thus I did not
> implement the specialized case for --fetch-key.
>
> Given that it is not likely that we will see generic DNS support in TOR
> soon, we need to find our own solution. Using a public server via TCP
> is probably the only thing we can do. This requires two things:
>
> - Being able to specify a public DNS server independent of
> /etc/resolv.conf.
>
> - Forcing the use of a virtual circuit (i.e. TCP) so that TOR can route
> the request.
>
> With the standard resolver this is not possible. Adding a full-fledged
> resolver library to Dirmngr is overkill and we will likely run into
> problems under Windows. My idea is to make use of the ADNS library. A
> quick check showed that it is not too much work to add SOCKS5 support
> (to access TOR) and a flag to enable this.
Where would you get the IP address of the DNS server to use with ADNS?
I recall discussions with Christian Grothoff about doing a small
asynchronous library for "name resolution" that could resolve A, AAAA,
CERT, DANE etc. records from DNS, or through other protocols too. The
library would talk to a local daemon that performed the actual name
resolution, over TOR, using gNS, or whatever. The admin could configure
it to talk to a DNS server over TOR, or possibly each app could request
special handling (like TOR routing).
What do you think of this approach?
> - Check with upstream ADNS whether adding SOCKS5 support and a TOR flag
> would be accepted, develop that, and keep the APIs of my
> (Windows) port and upstream in sync.
This would be nice.
/Simon
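The two requirements Werner lists (a resolver chosen independently of /etc/resolv.conf, and a TCP virtual circuit so Tor can carry it) as an added Python example, not code from GnuPG, Dirmngr or ADNS: a SOCKS5 CONNECT to a resolver, then a length-prefixed DNS query over that stream. The Tor SocksPort and the resolver address are assumed placeholders; only the pure message builders and parser are exercised offline.

```python
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # assumed: Tor's default SocksPort
DNS_SERVER = ("192.0.2.53", 53)   # placeholder resolver address (RFC 5737 range), not a real pick

def socks5_connect_request(ip: str, port: int) -> bytes:
    # RFC 1928 CONNECT: VER=5, CMD=1, RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT
    return struct.pack("!BBBB4sH", 5, 1, 0, 1, socket.inet_aton(ip), port)

def build_tcp_dns_query(name: str, qtype: int, txid: int) -> bytes:
    # One question, RD=1, class IN; the 2-byte length prefix is what TCP transport requires.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, off: int) -> int:
    # Step past a domain name; a byte >= 0xC0 starts a 2-byte compression pointer.
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] >= 0xC0 else 1)

def parse_dns_response(msg: bytes):
    # Return (RCODE, IPv4 strings from A records); msg is the message without its length prefix.
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rcls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def resolve_a_over_socks5(name: str, proxy=TOR_SOCKS, dns=DNS_SERVER):
    # Only the proxy learns the resolver's address; nothing here consults the system resolver.
    with socket.create_connection(proxy) as s, s.makefile("rb") as rd:
        s.sendall(b"\x05\x01\x00")                # greeting: offer NO AUTHENTICATION only
        if rd.read(2) != b"\x05\x00":
            raise ConnectionError("proxy refused the no-auth method")
        s.sendall(socks5_connect_request(*dns))
        if rd.read(10)[1] != 0:                   # REP != 0; 10-byte reply assumes IPv4 BND.ADDR
            raise ConnectionError("SOCKS5 CONNECT to the resolver failed")
        s.sendall(build_tcp_dns_query(name, 1, 0x1234))
        (length,) = struct.unpack("!H", rd.read(2))
        return parse_dns_response(rd.read(length))
```

Resolving CERT or DANE (TLSA) records over the same circuit only needs a different qtype in build_tcp_dns_query and a parser for those RDATA formats.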