
Unbound has the option to use DNS over TLS as an upstream (through the forward-tls-upstream setting).

CloudFlare's 1.1.1.1 service offers this; also through TOR.

My question is whether

  • Unbound will open a new TLS connection for each request (in which case my queries will be lost in the endless soup of all the others using the same TOR exit node), or
  • Unbound will re-use an existing TLS connection (in which case CloudFlare can build a neat bucket of only the queries coming from my router - making the TOR tunneling part useless).
multithr3at3d
vbence
  • Doesn't answer your question, but the spec has some other interesting privacy considerations that may allow you to be fingerprinted anyway: https://tools.ietf.org/html/rfc8484#section-8.2 – multithr3at3d May 01 '20 at 14:37
  • Reading your first link, it looks like DNS over TLS, not HTTPS. The DoT spec does encourage long-running connections for performance reasons though, so I'd wager that's how it's implemented. Would need to look at the code probably. – multithr3at3d May 01 '20 at 14:39
  • In many cases they encourage keep-alive with HTTPS because the initial handshake + asymmetric part has a hefty cost. – vbence May 01 '20 at 15:03
  • @multithr3at3d That's why the TOR part is important. (For the DNS server not to be able to make a logical connection - originating IP - between the queries). – vbence May 01 '20 at 15:51
  • @multithr3at3d I can re-tag the question if you can create a DoT tag :) – vbence May 01 '20 at 21:40
  • I took care of it for you. – multithr3at3d May 01 '20 at 22:21
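For reference, this is what the forward-tls-upstream setup the question discusses looks like in unbound.conf. It is an added example, not configuration from the question or from Unbound's own documentation; the listen address and the CA bundle path are assumptions, and routing the upstream connection through TOR is not shown (the fragment talks to the clearnet 1.1.1.1 address directly):

```conf
# Added example (not from the question or from Unbound's docs): a minimal
# unbound.conf that forwards every query to Cloudflare's 1.1.1.1 over
# DNS over TLS on port 853 using forward-tls-upstream.
server:
    # Listen address is an assumption; adjust for your router.
    interface: 127.0.0.1
    # CA bundle used to validate the upstream's certificate. The path is an
    # assumption and varies by distribution; without it the TLS connection
    # is encrypted but the server identity is not verified.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # "@853" selects the DoT port; "#hostname" pins the expected certificate
    # name so a forwarder presenting a different certificate is rejected.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Whether Unbound keeps the resulting TLS session open between queries or opens a fresh one per query is exactly the behaviour the question asks about; the config itself does not expose a knob for it.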

1 Answer


Currently there is a ticket saying that Unbound does not re-use TLS connections, but it is planned. https://github.com/NLnetLabs/unbound/issues/47

vbence