The --use-tor option

Simon Josefsson simon at josefsson.org
Tue Oct 20 16:34:26 CEST 2015


Werner Koch <wk at gnupg.org> writes:

> This is not complete because DNS lookups are leaking.  This could be
> fixed for some commands (like gpg --fetch-key URL) but that would be a
> specialized solution.  The more problematic areas are resolving of the
> keyserver pools and retrieving of CERT and DANE records.  Thus I did not
> implement the specialized case for --fetch-key.
>
> Given that it is not likely that we will see generic DNS support in TOR
> soon, we need to find our own solution.  Using a public server via TCP
> is probably the only thing we can do.  This requires two things:
>
>   - Being able to specify a public DNS server independent of
>     /etc/resolv.conf.
>
>   - Forcing the use of a virtual circuit (i.e. TCP) so that TOR can route
>     the request.
>
> With the standard resolver this is not possible.  Adding a full-fledged
> resolver library to Dirmngr is overkill and we will likely run into
> problems under Windows.  My idea is to make use of the ADNS library.  A
> quick check showed that it is not too much work to add SOCKS5 support
> (to access TOR) and a flag to enable this.

Where would you get the IP address of the DNS server to use with ADNS?

I recall discussions with Christian Grothoff about doing a small
asynchronous library for "name resolution" that could resolve A, AAAA,
CERT, DANE etc records from DNS, or through other protocols too.  The
library would talk to a local daemon that performed the actual name
resolution, over TOR, using GNS, or whatever.  The admin could configure
it to talk to a DNS server over TOR, or possibly each app could request
special handling (like TOR routing).

What do you think of this approach?

>  - Check with upstream ADNS whether adding SOCKS5 support and a TOR flag
>    would be accepted, develop that, and keep the APIs of my
>    (Windows) port and upstream in sync.

This would be nice.

/Simon