Add remote addr/port to conn of dns request
Robert Hogan
robert at roberthogan.net
Sun Jun 17 16:40:05 UTC 2007
On Sunday 17 June 2007 17:01:44 Nick Mathewson wrote:
> On Sun, Jun 17, 2007 at 03:38:15PM +0100, Robert Hogan wrote:
>[.]
>
> I've applied this patch too. Thanks!
>
> Two points to note:
>
> 1) These requests are made by a Tor server to check for DNS
> hijacking. (Some jerk DNS providers like to helpfully remap all
> NEXIST replies into advertising sites. Tor detects this, works
> around it, and calls these providers mean names.)
>
Sure, but I think a log message stating the 'domains' being queried would help
settle a few nerves. Bizarre-looking DNS queries are just the sort of thing
Tor users might expect from a snooper.
> 2) It isn't a good idea to have a Tor client be the DNS server for a
> Tor server. I wonder what we can do to prevent this from
> happening.
>
> peace,
Do you mean that it is a bad idea to force a tor server's un-proxied dns
requests through tor with all-encompassing netfilter rules such as
iptables -t nat -I OUTPUT 1 -o ! lo -p udp -m udp --dport 53 -j
DNAT --to-destination 127.0.0.1:9999 -m comment --comment "Redirect UDP DNS
Requests to Tor" ?
This does seem a bit stupid on the face of it, though I'm not clear whether
it's actually dangerous or just wasteful.
--
Browse Anonymously Anywhere - http://anonymityanywhere.com
TorK - KDE Anonymity Manager - http://tork.sf.net
KlamAV - KDE Anti-Virus - http://www.klamav.net
More information about the tor-dev
mailing list