[tor-bugs] #23249 [- Select a component]: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Aug 15 18:04:07 UTC 2017
#23249: Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using
SOCKS v5" is enabled
--------------------------------------+--------------------
Reporter: lux+tor@… | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
--------------------------------------+--------------------
This is not a bug, rather an ''unexpected behavior,'' which might expose
the user to more or less severe security concerns.
== host table ==
Operating systems provide a primitive mechanism, called "''host table''",
which is a static lookup table for hostnames, the ancestor of DNS (`bind`
software). Through a configuration file (`/etc/hosts` on Linux,
`%systemroot%\system32\drivers\etc\hosts` on Windows), a system
administrator is able to manually set associations of (hostname ;
IP_address).
When a user performs a DNS lookup ("''I give you a hostname, give me its
IP address.''"), by default, the following procedure occurs (this behavior
can be changed on Linux by editing the `/etc/nsswitch.conf` file):
 1. look for hostname in host table
 1. is it here?
   * yes: return IP address set by administrator
   * no: perform a "standard" DNS lookup
The host table can be used for security purposes. For instance, if
`example.org` is a domain known for its dangerous behavior (user tracking
for instance), a system administrator can block the malicious website by
using this `/etc/hosts` file:
{{{
127.0.0.1 example.org # both IPv4
::1 example.org # and IPv6 must be set!
}}}
The host table is ''widely'' used by programmers and power users to easily
block websites, without having to configure heavier local DNS or firewall.
For more information, please refer to
[https://en.wikipedia.org/wiki/Hosts_%28file%29 Wikipedia - Hosts (file)]
== Tor Browser option "Proxy DNS" ==
Tor Browser provides the option:
"''Advanced''" → "''Network''" → "''Settings''" → "''Proxy DNS when
using SOCKS v5''"
which is equivalent to the "`about:config`" option:
"`network.proxy.socks_remote_dns`"
By default, the value is "`true`" (as I think it should be).
== Expected behavior ==
When typing a hostname (for instance `example.org`) in the location bar
and then pressing the "''Go''" button (or the "enter" key), Tor Browser
will look up the IP address of `example.org`.
What is to be expected: the procedure as explained above with the added
value of Tor Browser, which is performing the DNS lookup through Tor:
 1. look for hostname in host table
 1. is it here?
   * yes: return IP address set by administrator
   * no: perform a "standard" DNS lookup '''through Tor'''
== Actual behavior ==
What I got with "''Tor Browser 7.0.4 (based on Mozilla Firefox 52.3.0)
(64-bit)''":
1. perform a "standard" DNS lookup '''through Tor'''
The host table is __'''completely bypassed'''__ … Users are exposed to
malicious websites.
== Actual behavior with "false" ==
If I set "`network.proxy.socks_remote_dns`" to "`false`" and reboot Tor
Browser, then I got the procedure as first explained:
 1. look for hostname in host table
 1. is it here?
   * yes: return IP address set by administrator
   * no: perform a "standard" DNS lookup (''not through Tor '''as asked
and expected''''')
This proves that Tor Browser is able to look up in the host table!
However, it is able to do it only when not using Tor for DNS.
== Conclusion ==
I agree that blocking a website by its hostname is not completely secure,
as a website can own several hostnames. However, it is:
* a low-cost high-benefit (partial) solution
* widely used by advanced users (just search for "''hosts file''" in your
search engine)
* a protection against potentially severely malicious websites (containing
malware or spyware)
* a configure-once-works-for-every-browser solution
Therefore, I choose a "''Major''" severity for this ticket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23249>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
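The two lookup orders the ticket contrasts, as an added example that is not part of the ticket and not Tor Browser's or Firefox's code. It parses a hosts table in the `/etc/hosts` format (IPv4 and IPv6 entries, comments, several names per line), then resolves a name either table-first with a remote fallback (the order the reporter expects) or straight to the remote resolver with the table never consulted (the order reported for `network.proxy.socks_remote_dns=true`). The hosts content and the remote answers are constructed stand-ins; no real DNS or SOCKS query is made.

```python
"""Model of the hosts-table-first and remote-only lookup orders.

Added example for the ticket above; not code from the ticket, Tor Browser
or Firefox. The "remote resolver" is a constructed dictionary standing in
for "a standard DNS lookup through Tor".
"""
from ipaddress import ip_address
from typing import Dict, List

# Constructed hosts table, in the same format as the ticket's example:
# both address families are listed, as the ticket stresses.
SAMPLE_HOSTS = """
# block a tracking domain
127.0.0.1 example.org tracker.example.org   # IPv4
::1       example.org tracker.example.org   # IPv6
192.0.2.10 intranet.local
"""

# Constructed stand-in answers from the remote resolver (TEST-NET address,
# not a real lookup). A LAN-only name gets no answer from a remote resolver.
REMOTE_ANSWERS: Dict[str, List[str]] = {
    "example.org": ["203.0.113.5"],
    "intranet.local": [],
}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Return {hostname_lower: [addresses]} from hosts-file text.

    Each line is `address name [name ...]`; `#` starts a comment; names are
    case-insensitive. Lines whose address does not parse are skipped rather
    than trusted.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(hostname: str, hosts: Dict[str, List[str]],
            remote_dns: bool) -> List[str]:
    """Resolve `hostname` under one of the two orders from the ticket.

    remote_dns=False: consult the hosts table first; ask the remote resolver
                      only on a miss (the procedure the reporter expects).
    remote_dns=True:  never consult the table; hand the name to the remote
                      resolver unchanged (the behaviour reported for
                      network.proxy.socks_remote_dns=true).
    """
    name = hostname.rstrip(".").lower()
    if not remote_dns and name in hosts:
        return list(hosts[name])
    return list(REMOTE_ANSWERS.get(name, []))


def bypassed_entries(hosts: Dict[str, List[str]]) -> List[str]:
    """Names pinned in the hosts table whose answer would differ under the
    remote-only order, i.e. the administrator's block or override is lost."""
    return sorted(name for name, addrs in hosts.items()
                  if resolve(name, hosts, remote_dns=True) != addrs)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for flag in (False, True):
        print(f"remote_dns={flag}: example.org ->",
              resolve("example.org", table, remote_dns=flag))
    print("pinned names bypassed by remote-only lookup:",
          bypassed_entries(table))
```

Running the block shows `example.org` answered from the table (`127.0.0.1`, `::1`) under the table-first order and from the remote resolver under the remote-only order; `bypassed_entries` lists every pinned name whose block or override is lost in the latter mode, which is the audit a defender would run against a hosts file before relying on it.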