BlockNumericIPRequests patch (fwd)
Roger Dingledine
arma at mit.edu
Sun Mar 12 19:08:34 UTC 2006
On Fri, Mar 10, 2006 at 09:51:01PM +0000, Jason Holt wrote:
> FYI. The patch can be found at
> http://lunkwill.org/src/BlockNumericIPRequests.patch
>
> Per the recent discussion on or-talk about applications using local DNS,
> I've written a patch which adds an option to torrc to refuse to make
> connections specified as numeric addresses. (Off by default, of course).
> Patch against CVS attached.
Hi Jason,
Thanks for the patch. I'd like to work through two questions first
though.
First, we already have a TestSocks config option:
TestSocks 0|1
When this option is enabled, Tor will make a notice-level log
entry for each connection to the Socks port indicating whether
the request used a hostname (safe) or an IP address (unsafe).
This helps to determine whether an application using Tor is possibly
leaking DNS requests. (Default: 0)
This doesn't do quite what your patch does, of course. But is it
sufficient?
Second, even with your patch, an application using the wrong socks
version will do the DNS resolve, and then fail to work. So in a sense
it is broken in *both* respects now. Is this better behavior than before?
I'd like to figure these out a bit more before we simply hand more
options to the users and hope it solves the problem. :)
Thanks,
--Roger
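As an added illustration (not Tor's code and not Jason's patch), this is the check TestSocks describes, run over constructed SOCKS4, SOCKS4a and SOCKS5 CONNECT requests: a hostname target means Tor does the lookup, an IP target means the application resolved the name itself. The second function shows Roger's second point: refusing numeric targets, as the patch option would, rejects the connection but cannot undo a lookup the client already made. The function names, the notice wording and the sample requests are assumptions made here.

```python
import ipaddress
import struct

def classify_socks_request(data: bytes) -> tuple:
    """Parse a SOCKS4/4a/5 CONNECT request; return (version, kind, host, port).
    kind is 'hostname' (Tor does the lookup) or 'ip' (the client already did)."""
    if len(data) < 5 or data[1] != 1:  # CMD 1 = CONNECT in every SOCKS version
        raise ValueError("truncated or non-CONNECT request")
    if data[0] == 4:
        if len(data) < 9:
            raise ValueError("truncated SOCKS4 request")
        port = struct.unpack("!H", data[2:4])[0]
        raw_ip, rest = data[4:8], data[8:]
        nul = rest.find(b"\x00")  # USERID is NUL-terminated
        if nul < 0:
            raise ValueError("missing USERID terminator")
        # SOCKS4a signals "hostname follows USERID" with DSTIP = 0.0.0.x, x != 0
        if raw_ip[:3] == b"\x00\x00\x00" and raw_ip[3] != 0:
            tail = rest[nul + 1:]
            end = tail.find(b"\x00")
            if end < 0:
                raise ValueError("missing hostname terminator")
            return ("4a", "hostname", tail[:end].decode("ascii"), port)
        return ("4", "ip", str(ipaddress.IPv4Address(raw_ip)), port)
    if data[0] == 5:
        atyp = data[3]  # 1 = IPv4, 3 = length-prefixed domain name, 4 = IPv6
        if atyp == 1:
            start, end = 4, 8
        elif atyp == 4:
            start, end = 4, 20
        elif atyp == 3:
            start, end = 5, 5 + data[4]
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        if len(data) < end + 2:
            raise ValueError("truncated SOCKS5 address or port")
        raw = data[start:end]
        host = raw.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(raw))
        port = struct.unpack("!H", data[end:end + 2])[0]
        return ("5", "hostname" if atyp == 3 else "ip", host, port)
    raise ValueError("unsupported SOCKS version %d" % data[0])

def socks_decision(data: bytes, block_numeric: bool) -> tuple:
    """TestSocks-style notice (wording is ours) and whether a hypothetical
    refuse-numeric-targets option would reject the request."""
    ver, kind, host, port = classify_socks_request(data)
    what = ("a hostname", "safe") if kind == "hostname" else ("an IP address", "unsafe")
    notice = "SOCKS%s connect to %s:%d used %s (%s)" % ((ver, host, port) + what)
    # Refusal stops the connection but not the client's own lookup: any DNS
    # query already left the host before this request reached the SOCKS port.
    return notice, block_numeric and kind == "ip"
```

Each sample request below is constructed by hand; the SOCKS4 one carries an already-resolved address, so the notice is "unsafe" whether or not the refusal option is on.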