BlockNumericIPRequests patch (fwd)

Roger Dingledine arma at mit.edu
Sun Mar 12 19:08:34 UTC 2006


On Fri, Mar 10, 2006 at 09:51:01PM +0000, Jason Holt wrote:
> FYI.  The patch can be found at 
> http://lunkwill.org/src/BlockNumericIPRequests.patch
> 
> Per the recent discussion on or-talk about applications using local DNS, 
> I've written a patch which adds an option to torrc to refuse to make 
> connections specified as numeric addresses.  (Off by default, of course).  
> Patch against CVS attached.

Hi Jason,

Thanks for the patch. I'd like to work through two questions first
though.

First, we already have a TestSocks config option:

  TestSocks 0|1
      When this option is enabled, Tor will make a notice-level log
      entry for each connection to the Socks port indicating whether
      the request used a hostname (safe) or an IP address (unsafe).
      This helps to determine whether an application using Tor is
      possibly leaking DNS requests.  (Default: 0)

This doesn't do quite what your patch does, of course. But is it
sufficient?

Second, even with your patch, an application using the wrong socks
version will do the DNS resolve, and then fail to work. So in a sense
it is broken in *both* respects now. Is this better behavior than before?

I'd like to figure these out a bit more before we simply hand more
options to the users and hope it solves the problem. :)

Thanks,
--Roger
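The hostname-versus-IP check that TestSocks performs, written out as an added example that is not part of this thread or of Tor's own code: it parses SOCKS4, SOCKS4a and SOCKS5 CONNECT requests, reports whether the client sent a hostname (safe) or a numeric address (unsafe, since the application resolved the name itself), and the assumed `block_numeric_ip` flag models the refuse-numeric behaviour Jason's patch describes. Function names and the sample requests are constructed for this example.

```python
import ipaddress

def classify_socks_request(data: bytes) -> dict:
    """Classify one raw SOCKS CONNECT request (after any SOCKS5 method
    negotiation) as hostname-based or numeric, as TestSocks reports it."""
    if len(data) < 2 or data[1] != 1:
        raise ValueError("not a SOCKS CONNECT request")
    ver = data[0]
    if ver == 4:
        # SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL in 4a]
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        ip, rest = data[4:8], data[8:]
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("SOCKS4 USERID not NUL-terminated")
        # SOCKS4a asks the proxy to resolve the name by setting DSTIP = 0.0.0.x, x != 0
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host = rest[nul + 1:].split(b"\x00", 1)[0].decode("ascii")
            return {"version": "4a", "target": host, "numeric": False}
        return {"version": "4", "target": str(ipaddress.IPv4Address(ip)), "numeric": True}
    if ver == 5:
        # SOCKS5: VER CMD RSV ATYP DST.ADDR DST.PORT
        if len(data) < 5:
            raise ValueError("truncated SOCKS5 request")
        atyp = data[3]
        if atyp == 1 and len(data) >= 10:
            return {"version": "5", "target": str(ipaddress.IPv4Address(data[4:8])), "numeric": True}
        if atyp == 3 and len(data) >= 5 + data[4] + 2:
            return {"version": "5", "target": data[5:5 + data[4]].decode("ascii"), "numeric": False}
        if atyp == 4 and len(data) >= 22:
            return {"version": "5", "target": str(ipaddress.IPv6Address(data[4:20])), "numeric": True}
        raise ValueError("unknown or truncated SOCKS5 address")
    raise ValueError(f"unsupported SOCKS version {ver}")

def handle_request(data: bytes, block_numeric_ip: bool = False) -> tuple:
    # Logging alone is what TestSocks does; block_numeric_ip models the patch's refusal.
    info = classify_socks_request(data)
    kind = "IP address (unsafe)" if info["numeric"] else "hostname (safe)"
    line = f"SOCKS{info['version']} request for {info['target']} used {kind}"
    accepted = not (block_numeric_ip and info["numeric"])
    return line, accepted

# Constructed sample requests (not captured traffic), all CONNECT to port 80.
SAMPLES = {
    "socks4_ip": b"\x04\x01\x00\x50\x01\x02\x03\x04user\x00",
    "socks4a_host": b"\x04\x01\x00\x50\x00\x00\x00\x01user\x00example.com\x00",
    "socks5_host": b"\x05\x01\x00\x03\x0bexample.com\x00\x50",
    "socks5_ip": b"\x05\x01\x00\x01\x01\x02\x03\x04\x00\x50",
}
```

Note that a client speaking plain SOCKS4 or SOCKS5 with ATYP 1 has already resolved the name locally before the request reaches the SOCKS port, which is exactly the leak Roger's second question points at: refusing the request does not undo the lookup.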