Add remote addr/port to conn of dns request
Robert Hogan
robert at roberthogan.net
Sun Jun 17 14:38:15 UTC 2007
If the extension for reporting the remote address and port in stream events is
adopted, it would be great if the address and port of dns requests could be
informative, rather than '(null):0'.
Testing this patch revealed the source of some odd dns requests TorK
frequently reported when my system's requests were all routed to tor's
dnsport. I was quite concerned about them at first, they were slews of
invalid requests like
650 STREAM 40 CLOSED 12 ng.invalid:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 43 CLOSED 12 cixub22dxb3axlhj.com:0 REASON=DONE
SOURCE_ADDR=192.168.1.2:33768
650 STREAM 50 CLOSED 12 ingd6oyrd.org:0 REASON=DONE
SOURCE_ADDR=192.168.1.2:33767
650 STREAM 45 CLOSED 12 fo6a2vccbqa.net:0 REASON=DONE
SOURCE_ADDR=192.168.1.2:33768
650 STREAM 44 CLOSED 12 jtxsrvaiz42o.org:0 REASON=DONE
SOURCE_ADDR=192.168.1.2:33767
650 STREAM 41 CLOSED 12 6ob.test:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
Turns out the source was... tor!
Proto Recv-Q Send-Q Local Address Foreign Address State
PID/Program name
udp 0 0 192.168.1.2:10025 159.134.237.6:53
ESTABLISHED -
udp 0 0 192.168.1.2:33767 159.134.237.6:53
ESTABLISHED 9370/tor
udp 0 0 192.168.1.2:33768 159.134.248.17:53
ESTABLISHED 9370/tor
The reason for these requests is obvious enough, in hindsight, but I think a
log event admitting to the user that these requests originate from tor would
be helpful. It would certainly keep paranoid-but-a-bit-dim users like myself
from thinking there was some sort of dns snooping trojan afoot. (Since the
user, like me, might assume that these are happening even when dnsport is
turned off and that forcing dns requests through tor has revealed the
possibly naughty behaviour of another application.)
Index: src/or/dnsserv.c
===================================================================
--- src/or/dnsserv.c (revision 10632)
+++ src/or/dnsserv.c (working copy)
@@ -23,6 +23,7 @@
struct evdns_server_question *q = NULL;
struct sockaddr_storage addr;
struct sockaddr *sa;
+ struct sockaddr_in *sin;
int addrlen;
uint32_t ipaddr;
int err = DNS_ERR_NONE;
@@ -48,10 +49,11 @@
log_warn(LD_APP, "Requesting address wasn't ipv4.");
evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
return;
- } else {
- struct sockaddr_in *sin = (struct sockaddr_in*)&addr;
- ipaddr = ntohl(sin->sin_addr.s_addr);
}
+
+ sin = (struct sockaddr_in*)&addr;
+ ipaddr = ntohl(sin->sin_addr.s_addr);
+
if (!socks_policy_permits_address(ipaddr)) {
log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
evdns_server_request_respond(req, DNS_ERR_REFUSED);
@@ -112,6 +114,11 @@
/* Make a new dummy AP connection, and attach the request to it. */
conn = TO_EDGE_CONN(connection_new(CONN_TYPE_AP, AF_INET));
conn->_base.state = AP_CONN_STATE_RESOLVE_WAIT;
+
+ TO_CONN(conn)->addr = ntohl(sin->sin_addr.s_addr);
+ TO_CONN(conn)->port = ntohs(sin->sin_port);
+ TO_CONN(conn)->address = tor_dup_addr(TO_CONN(conn)->addr);
+
if (q->type == EVDNS_TYPE_A)
conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
else
--
Browse Anonymously Anywhere - http://anonymityanywhere.com
TorK - KDE Anonymity Manager - http://tork.sf.net
KlamAV - KDE Anti-Virus - http://www.klamav.net
More information about the tor-dev
mailing list