Add remote addr/port to conn of dns request
Nick Mathewson
nickm at freehaven.net
Sun Jun 17 16:56:31 UTC 2007
On Sun, Jun 17, 2007 at 05:40:05PM +0100, Robert Hogan wrote:
> On Sunday 17 June 2007 17:01:44 Nick Mathewson wrote:
> > On Sun, Jun 17, 2007 at 03:38:15PM +0100, Robert Hogan wrote:
> >[.]
> >
> > I've applied this patch too. Thanks!
> >
> > Two points to note:
> >
> > 1) These requests are made by a Tor server to check for DNS
> > hijacking. (Some jerk DNS providers like to helpfully remap all
> > NEXIST replies into advertising sites. Tor detects this, works
> > around it, and calls these providers mean names.)
> >
>
> Sure, but I think a log message stating the 'domains' being queried
> would help settle a few nerves. Bizarre-looking DNS queries are just
> the sort of thing Tor users might expect from a snooper.
No argument there. I was just explaining where those requests come
from.
>
> > 2) It isn't a good idea to have a Tor client be the DNS server for a
> > Tor server. I wonder what we can do to prevent this from
> > happening.
> >
> > peace,
>
> Do you mean that it is a bad idea to force a tor server's un-proxied dns
> requests through tor with all-encompassing netfilter rules such as
>
> iptables -t nat -I OUTPUT 1 -o ! lo -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:9999 -m comment --comment "Redirect UDP DNS Requests to Tor" ?
>
> This does seem a bit stupid on the face of it, though I'm not clear whether
> it's actually dangerous or just wasteful.
Well, remember how it's _supposed_ to work. A client wants the answer
to a DNS request, so it sends an anonymized request to a server. The
server does a DNS lookup, and sends the reply back to the client.
But if the server's DNS lookup goes back into Tor (acting as a
client), then the request gets answered by _another_ server, which
tells the second Tor client, which tells the first server, which tells
the client.
The biggest problems here are:
- Latency doubles (or worse, if the second Tor server is also
configured like this.)
- If everybody does it, DNS on Tor will fail completely.
yrs,
--
Nick Mathewson
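As an added example (not Tor's own code, and not something from the thread), here is a small Python script a relay operator could run to check the two things discussed above. The first function probes the resolver with random hostnames, in the spirit of the NXDOMAIN-hijack test described in point 1; the resolver is passed in as a callable so the check can be run offline against a fake, with the host's real resolver available as a one-line wrapper. The second function inspects resolv.conf, torrc and `iptables-save` output for the loop Nick describes: port-53 traffic from the relay being redirected to a local Tor DNSPort. The file layouts, the DNSPort regex and the sample configuration are assumptions of this example; the sample inputs are constructed, including the nat rule from Robert's mail rewritten in the order `iptables-save` prints it.

```python
"""Operator-side checks for the two DNS issues discussed in the thread.

Added example, not Tor's own code.  Assumes standard resolv.conf, torrc
and `iptables-save` layouts; the sample inputs at the bottom are constructed.
"""
import re
import secrets
import socket
from typing import Callable, List, Optional, Set, Tuple

# ---- 1. NXDOMAIN hijacking: does the resolver "answer" names that cannot exist? ----

def random_label(nbytes: int = 8) -> str:
    """A hex label with 64 bits of randomness: no real zone will contain it."""
    return secrets.token_hex(nbytes)

def resolver_hijacks_nxdomain(resolve: Callable[[str], Optional[str]],
                              tlds: Tuple[str, ...] = ("com", "net", "org"),
                              probes_per_tld: int = 2) -> bool:
    """True if `resolve` returns an address for a random name that should be NXDOMAIN.

    `resolve(name)` returns an IP string or None.  It is injected so the check
    can run offline against a fake; pass system_resolve for a live check.
    """
    for tld in tlds:
        for _ in range(probes_per_tld):
            if resolve(f"{random_label()}.{tld}") is not None:
                return True
    return False

def system_resolve(name: str) -> Optional[str]:
    """This host's configured resolver; None on NXDOMAIN or any lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# ---- 2. DNS loop: is the relay's own resolver traffic being pushed back into Tor? ----

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def nameservers(resolv_conf: str) -> List[str]:
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)

def tor_dns_ports(torrc: str) -> Set[int]:
    """Port of every `DNSPort [addr:]port ...` line.  The regex is an assumption of
    this example and ignores forms such as `DNSPort auto`."""
    return {int(m.group(1))
            for m in re.finditer(r"^\s*DNSPort\s+(?:\S+:)?(\d+)\b", torrc, re.M)}

def dns_redirect_targets(iptables_save: str) -> List[Tuple[str, int]]:
    """(host, port) that each nat rule sends port-53 traffic to (DNAT or REDIRECT)."""
    targets = []
    for line in iptables_save.splitlines():
        if "--dport 53" not in line:
            continue
        m = re.search(r"-j DNAT .*--to-destination\s+([\d.]+):(\d+)", line)
        if m:
            targets.append((m.group(1), int(m.group(2))))
            continue
        m = re.search(r"-j REDIRECT .*--to-ports?\s+(\d+)", line)
        if m:
            targets.append(("127.0.0.1", int(m.group(1))))
    return targets

def dns_loops_into_tor(resolv_conf: str, torrc: str, iptables_save: str = "") -> List[str]:
    """One finding per way the relay's lookups land on a local Tor DNSPort.
    An empty list means no loop was found in the inputs given."""
    dns_ports = tor_dns_ports(torrc)
    findings = []
    if not dns_ports:
        return findings          # this Tor exposes no DNSPort, so nothing to loop into
    for host, port in dns_redirect_targets(iptables_save):
        if host in LOOPBACK and port in dns_ports:
            findings.append(f"nat rule redirects port-53 traffic to {host}:{port}, a Tor DNSPort")
    for ns in nameservers(resolv_conf):
        if ns in LOOPBACK and 53 in dns_ports:
            findings.append(f"resolv.conf nameserver {ns} is Tor's DNSPort on port 53")
    return findings

# Constructed sample of the setup in Robert's mail: DNSPort 9999 plus a nat rule
# that pushes every non-loopback UDP/53 packet into it (in iptables-save order).
SAMPLE_TORRC = "ORPort 9001\nDNSPort 9999\n"
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.53\n"
SAMPLE_IPTABLES_SAVE = (
    "*nat\n"
    "-A OUTPUT ! -o lo -p udp -m udp --dport 53 -m comment "
    '--comment "Redirect UDP DNS Requests to Tor" -j DNAT --to-destination 127.0.0.1:9999\n'
    "COMMIT\n"
)

if __name__ == "__main__":
    for finding in dns_loops_into_tor(SAMPLE_RESOLV_CONF, SAMPLE_TORRC, SAMPLE_IPTABLES_SAVE):
        print("LOOP:", finding)
    # Live check against this host's resolver (needs network access):
    # print("resolver hijacks NXDOMAIN:", resolver_hijacks_nxdomain(system_resolve))
```

On a real relay, feed the script the actual files (`/etc/resolv.conf`, the torrc in use, and `iptables-save -t nat`); a non-empty finding list means the relay's exit-side lookups are being answered through another Tor circuit, which is exactly the latency doubling and the failure-if-everyone-does-it that the mail warns about.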