
Introducing DNS Resolver for Tor - XzetaU8
https://blog.cloudflare.com/welcome-hidden-resolver/
======
kodablah
In a big company blog post like this, I wish they'd call them onion services
instead of hidden services, especially since they are even using a v3 onion
service.

Also, curious if they wrote any code to support this since OnionBalance
doesn't support v3 yet. I know they use Go a lot and I wrote a Tor control
client myself recently [0].

0 - [https://github.com/cretz/bine](https://github.com/cretz/bine)

~~~
mahrud
Thanks for the heads up, should be fixed now.

I knew Tor Project has been shifting away from "hidden services" for a while
but I missed the email where teor clarified things for blog posts and such in
late April [0]. Also, I wanted to avoid using "onion resolver" as it would be
a worse misnomer than "hidden resolver."

Re. OnionBalance: we're working on a few ideas for this, but nothing
conclusive yet.

0\. [https://lists.torproject.org/pipermail/tor-dev/2018-April/01...](https://lists.torproject.org/pipermail/tor-dev/2018-April/013104.html)

~~~
manwithaplan
> I knew Tor Project has been shifting away from "hidden services" for a while

I read the article after your correction, and on reading the `What are Tor
onion services?` section, I thought “How nice, they’re using the new
terminology to go with the new v3 service address”.

But then, just below, I saw the
[https://blog.cloudflare.com/content/images/2018/05/image_3.p...](https://blog.cloudflare.com/content/images/2018/05/image_3.png)
diagram still mention “hidden service” and thought “an old image slipped thru,
tho” :)

Also, wouldn’t a “1111dns4tor” prefix look better? :)

~~~
jgrahamc
> Also, wouldn’t a “1111dns4tor” prefix look better? :)

Yes, it would but the .onion addresses use base32 and '1' isn't in the
alphabet used:
[https://en.wikipedia.org/wiki/Base32](https://en.wikipedia.org/wiki/Base32)

~~~
jedberg
You could have done IIIIdns4tor :)

~~~
kodablah
It would be iiiidns4tor because, while base-32 is commonly implemented with
capital letters, the onion service ID is lower cased.

~~~
mahrud
Also, farming an onion with that many fixed characters takes a good few
hundreds or thousands of years.

~~~
zaarn
This is a v3 onion service, it should be easier to find prefixes, plus CF (and
other companies like FB) have done pretty long prefixes via brute force (they
have a lot of computers)

------
jerheinze
As I said in the earlier duplicate post
[https://news.ycombinator.com/item?id=17238365](https://news.ycombinator.com/item?id=17238365)

> That makes privacy worse than the default setup with Tor since there's no
> stream isolation. With the standard Tor Browser you get a different circuit
> for each first-party domain, that's not something you'd have with this.

~~~
kodablah
So in the Tor browser, DNS resolution for non-onion addresses creates a new
circuit each time? (not sarcasm, I really don't know) Because I consider this
new onion service (aka a front for 1.1.1.1) to be a single first-party domain.
How is this any worse than contacting any other onion service repeatedly? Or
are you arguing they should provide a rotating list of onion addresses for
this service?

~~~
jerheinze
> So in the Tor browser, DNS resolution for non-onion addresses creates a new
> circuit each time?

You can try it for yourself, open a tab in the Tor Browser with foo1.com, look
at the circuit in the Torbutton. Then open another tab with foo2.com, look at
the circuit and compare it with the earlier one.

~~~
kodablah
The DNS resolution is done by the exit node. Once you go to foo1.com or
foo2.com after the resolution you are still going to separate IPs and subject
to the same benefits. There's really nothing to compare this CloudFlare
service to except just like an HTTP API as an onion service (or bind or
whatever).

There is safety in numbers accessing the CloudFlare service. It helps reduce
traffic analysis attacks that could otherwise occur on exit nodes and the exit
node's possible-non-authoritative resolver. Because correlation between the
circuit to CloudFlare's resolution and the exit node's site access is a bit
harder. Granted once you enter the HTTP world and ask that second level domain
to start the TLS handshake, they can see where you're going anyways so it
might not matter. But it can prevent you from being poisoned by the exit
node's DNS resolver. It just removes one layer of trust away from the exit
node.

~~~
jerheinze
Let's say you set this up with the Tor Browser, all your DNS resolutions are
done using this onion, then they're all linkable--whereas with the default
they're unlinkable since two different circuits were used for different first-
party domains. That's the point.

~~~
kodablah
Right, if you don't trust CloudFlare or you think there is a flaw in Tor.
Let's say you didn't set this up, the exit node can lie about the DNS
resolution. Granted, to your point, unless I was worried about exit nodes, I
probably would want my resolution on the same circuit/session as my access.

~~~
gnode
I don't think there's any reason you can't have both: for each site have a new
circuit, and make a connection for that DNS resolution only, on that circuit
or a separate one, using Cloudflare.

------
gant
> Still, the exceptionally privacy-conscious folks might not want to reveal
> their IP address to the resolver at all, and we respect that.

Who was it again that puts ReCAPTCHA on so many popular websites when using
Tor, which could be used for traffic correlation? Oh. Cloudflare.

Ref:
[https://news.ycombinator.com/item?id=12122268](https://news.ycombinator.com/item?id=12122268)

~~~
jgrahamc
And who was it that worked with researchers on Privacy Pass to provide
anonymous access for web users? Oh. Cloudflare. [1]

And who was it that changed their algorithm for handling TorBrowser traffic so
that there's no need to show those CAPTCHAs? Oh. Cloudflare.

And who was it that gave our customers control over how Tor traffic is
handled? Oh. Cloudflare. [2]

[1] [https://blog.cloudflare.com/cloudflare-supports-privacy-pass...](https://blog.cloudflare.com/cloudflare-supports-privacy-pass/)

[2] [https://support.cloudflare.com/hc/en-us/articles/203306930-D...](https://support.cloudflare.com/hc/en-us/articles/203306930-Does-Cloudflare-block-Tor-)

~~~
stingraycharles
(For those of you who missed it, parent poster @jgrahamc is CTO of Cloudflare.)

Don’t get too snarky, John. Thanks for working with the Tor community, but
haters gonna hate.

~~~
lossolo
I think changing "And who was it that" in every sentence to "We" and removing
"? Oh. Cloudflare." automatically would remove the _snarkiness_.

~~~
zaarn
I think "We did" would be better, especially when you play the appropriate The
Simpson's song in the background...

------
jedisct1
dnscrypt-proxy is compatible with Cloudflare and now has built-in support for
Tor.

Just add `proxy = "socks5://127.0.0.1:9050"` to the configuration file.

~~~
timewasted
I just wanted to thank you for dnscrypt-proxy. I had seen it mentioned in
another post so I had it saved in an open tab for later. Seeing it mentioned
here again prompted me to actually install it. Very much worth the ~5 minutes
it took to get it up and running!

------
ajross
I... get the idea, and support it. I don't understand the implementation.

What is the point of creating an onion address and then publicizing it? Why
not just use Tor to get to 1.1.1.1 in the first place? Onion URLs are for
services that don't want to reveal themselves.

Basically, what does this enable that generic Tor does not?

~~~
nly
> Basically, what does this enable that generic Tor does not?

End-to-end encryption. If you query 1.1.1.1 over Tor then exit nodes can
diddle with your traffic.

~~~
AstralStorm
If you're using DNSSEC then they can't mess with your DNS either. However, it
is very readable by the exit node - just like Host header in HTTP or
server_name in TLS.

~~~
tptacek
Sure they can. Virtually nothing is DNSSEC-signed. And if you're using someone
else's DNSSEC server, and not running your own server on your own machine, the
link between you and your DNS server is completely unprotected.

------
shiado
Strange to see a company which deems a bunch of unpopular idiot white
supremacist trolls to be too extreme of speech supporting a network which has
allowed child pornography to flourish online at a scale never before seen.
Bold move.

------
tgragnato
Is the log policy for this onion and 1.1.1.1 exactly the same?

~~~
jgrahamc
First sentence of the second paragraph: "As it was mentioned in the original
blog post, our policy is to never, ever write client IP addresses to disk and
wipe all logs within 24 hours. "

So, yes.

~~~
tgragnato
Thanks for confirming, suspicion is a must when it comes to onions. I'm
already testing it, works like a charm.

    # local listener on 853, forwarded through Tor's SOCKS port to the onion's port 853
    socat TCP4-LISTEN:853,bind=localhost,reuseaddr,fork SOCKS4A:localhost:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:853,socksport=9050

    # inspect the certificate chain presented through the tunnel
    openssl s_client -showcerts -crlf -connect localhost:853

    # DNS-over-TLS query through the tunnel
    getdns_query 1dot1dot1dot1.cloudflare-dns.com 127.0.0.1@853

    # forwarder entry (unbound syntax) pointing at the tunnel
    forward-addr: 127.0.0.1@853#tor.cloudflare-dns.com
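The socat, openssl and getdns_query steps above exercise DNS over TLS (port 853) through the onion. What travels inside that TLS session is the plain DNS TCP wire format: every message is prefixed with a 2-byte big-endian length (RFC 7858, reusing RFC 1035 TCP framing). The following Python is an added example, not code from the thread, from getdns or from Cloudflare; it builds the query a client such as getdns_query sends for the name used above, splits a byte stream back into framed messages (including a partial frame still in flight), and parses a reply. The reply bytes are constructed here for the demonstration, not captured from the resolver, and the transaction id 0x1234 is an arbitrary choice.

```python
import struct

QNAME = "1dot1dot1dot1.cloudflare-dns.com"   # name queried in the thread
DOT_PORT = 853                               # DNS-over-TLS port (RFC 7858)


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Length-prefixed query as sent over TCP/TLS; qtype 1 = A record."""
    # flags 0x0100: standard query, recursion desired; one question, no RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def split_frames(stream: bytes):
    """Return (complete messages, unconsumed tail) from a TCP/TLS byte stream."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break                      # partial frame: wait for more bytes
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


def read_name(msg: bytes, pos: int):
    """Decode a possibly compressed name; returns (name, position after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = pos + 2
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Check txid and QR bit, then collect A records from the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = read_name(msg, pos)
        pos += 4                        # qtype, qclass
        questions.append(name)
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"rcode": flags & 0xF, "questions": questions, "answers": answers}


def constructed_response(txid: int) -> bytes:
    """Constructed sample reply (not captured): one A record 1.1.1.1, TTL 300."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = encode_name(QNAME) + struct.pack("!HH", 1, 1)
    # 0xC00C: pointer to offset 12, i.e. the name in the question section
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([1, 1, 1, 1])
    msg = header + question + answer
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    query = build_query(QNAME, 0x1234)
    msgs, tail = split_frames(constructed_response(0x1234))
    print(len(query), "byte query;", parse_response(msgs[0], 0x1234))
```

On a real connection the bytes would come from the TLS socket opened to localhost:853 through the socat tunnel; split_frames is what lets a client cope with a reply arriving across several reads, and the txid and QR checks are the minimum a client should do before trusting the answer section.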

~~~
crapflare
For the love of god. If you care about privacy... don't use this, you are
crippling the stream decoupling of the Tor Browser... how can you not get this?
It's so obviously a stupid idea.

~~~
tgragnato
I'm well aware of what this does, and I have zero intentions to set it inside
the tor browser.

CloudFlare is only _ONE OF THE MANY_ upstream recursive resolvers I use to
protect the queries for my _CLEARNET_ traffic.

------
ancarda
Why is the URL so long? Weren't .onion domains about 16 characters long?
Compare with Facebook's hidden service:

    facebookcorewwwi.onion
    dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion

Also, how does that website have SSL? Are there Certificate Authorities that
can supply certificates for .onion domains now? CloudFlare did the same trick
for [https://1.1.1.1](https://1.1.1.1) too so perhaps they are just able to do
things most people can't.

~~~
benjojo12
Tor moved to a longer address space because the short one is 1024 bit RSA

~~~
kodablah
To be even clearer, v2 service names are just a part of the RSA key hash
whereas v3 service names are a full ed25519 pub key and a couple of other
bytes.
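The points made across this sub-thread (base32 alphabet without '1', lower-case spelling, 16-character v2 names versus 56-character v3 names, and a v3 name being the full ed25519 public key plus "a couple of other bytes") can all be checked offline. The following Python is an added example, not code from the thread or from the Tor Project; it follows the v3 address layout from Tor's rend-spec-v3: base32(PUBKEY | CHECKSUM | VERSION) + ".onion", where CHECKSUM is the first two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION) and VERSION is 3. The sample 32-byte key used for the round trip is constructed, not a real service key.

```python
import base64
import hashlib

# Layout constants from rend-spec-v3 (the Tor v3 onion service specification).
CHECKSUM_PREFIX = b".onion checksum"
V3_VERSION = 3
V3_ADDRESS_LEN = 56   # 35 bytes (32 key + 2 checksum + 1 version) = 56 base32 chars
V2_ADDRESS_LEN = 16   # truncated SHA-1 of a 1024-bit RSA key, 10 bytes

# Addresses quoted in the thread.
CLOUDFLARE_ONION = "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion"
FACEBOOK_V2_ONION = "facebookcorewwwi.onion"


def _checksum(pubkey: bytes, version: int = V3_VERSION) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + bytes([V3_VERSION])
    # RFC 4648 base32 alphabet is a-z plus 2-7, so '0', '1', '8', '9' never occur.
    # b32encode emits upper case; onion addresses are written in lower case.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> dict:
    """Decode a v3 address and report its key, version and checksum state."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) == V2_ADDRESS_LEN:
        raise ValueError("v2 address (RSA-1024 key hash); no public key embedded")
    if len(label) != V3_ADDRESS_LEN:
        raise ValueError(f"expected {V3_ADDRESS_LEN} base32 characters, got {len(label)}")
    raw = base64.b32decode(label.upper())   # raises on characters outside the alphabet
    pubkey, stored_checksum, version = raw[:32], raw[32:34], raw[34]
    return {
        "pubkey": pubkey,
        "version": version,
        "checksum_ok": stored_checksum == _checksum(pubkey, version),
    }


def is_valid_onion_v3(address: str) -> bool:
    """True only for a well-formed v3 address with version 3 and a matching checksum."""
    try:
        info = parse_onion_v3(address)
    except ValueError:          # covers binascii.Error from b32decode as well
        return False
    return info["version"] == V3_VERSION and info["checksum_ok"]


if __name__ == "__main__":
    info = parse_onion_v3(CLOUDFLARE_ONION)
    print("version", info["version"], "checksum ok", info["checksum_ok"])
    print("pubkey", info["pubkey"].hex())
    sample_key = bytes(range(32))      # constructed key, not a real service key
    print("round trip", encode_onion_v3(sample_key))
    print("v2 accepted?", is_valid_onion_v3(FACEBOOK_V2_ONION))
```

Because the version byte is always 3, every v3 address ends in "d" once the ".onion" suffix is removed, which is why a vanity prefix is the only part of the name a generator can influence; the two checksum bytes also mean a single corrupted character in the address is caught before any directory lookup happens.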

------
comboy
Any update on some distributed names resolution for tor? At some point there
seemed to be a chance for namecoin to handle this.

------
linkmotif
Could someone explain the rainbow theme? And why that onion URL is a
psychedelic gif?

~~~
jgrahamc
We used the same theme on the underlying 1.1.1.1 resolver:
[https://blog.cloudflare.com/announcing-1111/](https://blog.cloudflare.com/announcing-1111/)
I'll ask the designers why.

EDIT: and she said: "We had this very mysterious 1.1.1.1 white on black theme
when we were just sort of trying to build hype guerilla-style and then once
the announcement was made we flipped it into the colorful "here it is, it's
great!" Sort of thing"

~~~
linkmotif
Thank you. I am specifically wondering if there's a technical reason that URL
is repeated twice. Once as a hyperlink, and once as that gif. Or if it's just
for fun.

Thanks for these services and your work generally at Cloudflare.

