dirmngr vs. tor gateways

Ben McGinnes ben at adversary.org
Wed Mar 7 18:16:37 CET 2018


On Wed, Feb 28, 2018 at 04:34:45PM +0100, o. wrote:
> On 02/28/2018 08:03 AM, Werner Koch wrote:
> 
>> And you need to make sure that you have a full DNS resolver over Tor.
>> Just looking up AAAA records is not sufficient to use the key server pools.
> 
> I don't think that such a resolver exists for tor at the moment. The
> ticket seems to still be open [0].

From what I understand of the whonix boxes, they're always configured
in such a way that all traffic exits via an encrypted connection;
mostly via VPN before moving on to Tor and sometimes with a couple of
VPNs (well, a couple of openvpn links).  The key point, though, is
that all traffic runs through these links or through Tor and nothing
else goes back to a plain old Internet connection.

At least that's what this config page indicates:

https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#DNS_Configuration_2

If that's the case and the network config already addresses the normal
security concerns that come with DNS resolution and Tor then this
would be precisely the scenario in which this page:

https://www.whonix.org/wiki/Whonix-Gateway_System_DNS

should be overridden and bind activated on the system.  Just configure
it as a local resolver; you can also do some far more clever things
with a local named instance running than you ever could with /etc/hosts
anyway.

Then just make sure all TCP and UDP traffic to and from ports 53 and
5353 (at the local end or the other end) go through the tunnel.  I'd
add port 43 (whois) for good measure.  Then point dirmngr's nameserver
option at 127.0.0.1 and you should be set.  It'll look up hostnames
and domains on the local resolver and all traffic from said resolver
goes through the tunnels.

There might be some interestingly long pauses with searches due to
inevitable latency issues over Tor, but other than that it should work
just fine.


Regards,
Ben
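The setup described in the message above (a local named instance as the only resolver, all port 53/5353/43 traffic forced through the tunnel, and dirmngr's nameserver option pointed at 127.0.0.1) can be sanity-checked before trusting it. The script below is an added example written for this archive page; it is not code from the original message, from GnuPG, or from Whonix. It assumes a tunnel interface called tun0, a gnupg-style option file where a line reads "nameserver <addr>", a resolv.conf-style file for the system resolver, and an iptables firewall; it only emits the firewall rules as text rather than applying them.

```shell
#!/bin/sh
# Pre-flight checks for "dirmngr + local named + tunnel-only DNS".
# Added example; tun0, file paths and the iptables layout are assumptions.

# Print the address given to dirmngr's "nameserver" option.  Commented
# lines are skipped; if the option appears more than once the last
# uncommented entry is taken.
dirmngr_nameserver() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed only if dirmngr will talk to a loopback resolver (the local named).
dirmngr_uses_local_resolver() {
    case "$(dirmngr_nameserver "$1")" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every non-loopback "nameserver" entry in a resolv.conf-style file.
# Anything printed here is a path around the local named, i.e. a DNS leak.
resolv_conf_leaks() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1"
}

# Emit iptables rules that let the tunnel interface carry everything and
# reject DNS (53), mDNS (5353) and whois (43) on any other interface, whether
# the port is at the local end (--sports) or the remote end (--dports).
tunnel_only_rules() {
    iface=$1                 # tunnel interface, e.g. tun0 (assumed name)
    ports="53,5353,43"
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $iface -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dports $ports -j REJECT
iptables -A OUTPUT -p udp -m multiport --sports $ports -j REJECT
iptables -A OUTPUT -p tcp -m multiport --dports $ports -j REJECT
iptables -A OUTPUT -p tcp -m multiport --sports $ports -j REJECT
EOF
}

# Run all checks: dirmngr.conf path, resolv.conf path, tunnel interface.
# Returns 0 when dirmngr and the system resolver both stay on loopback.
preflight() {
    conf=$1; resolv=$2; iface=$3
    rc=0
    if dirmngr_uses_local_resolver "$conf"; then
        echo "ok: dirmngr nameserver is $(dirmngr_nameserver "$conf")"
    else
        echo "FAIL: $conf does not point nameserver at the loopback resolver"
        rc=1
    fi
    leaks=$(resolv_conf_leaks "$resolv")
    if [ -n "$leaks" ]; then
        echo "FAIL: system resolver would bypass the local named: $leaks"
        rc=1
    else
        echo "ok: system resolver is loopback only"
    fi
    echo "firewall rules to force DNS/mDNS/whois through $iface:"
    tunnel_only_rules "$iface"
    return $rc
}

# Invoked directly with three arguments, run the checks; otherwise the
# functions can be sourced and called one at a time.
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
    exit $?
fi
```

Typical use is `sh preflight.sh ~/.gnupg/dirmngr.conf /etc/resolv.conf tun0`; the rules it prints are meant to be reviewed and then loaded by hand, and the REJECT lines are what makes a misconfigured resolver fail loudly instead of quietly leaking lookups onto the plain Internet connection.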