[tor-talk] DNSSEC validation over Tor with unbound&socat (Linux alpha howto)

Ondrej Mikle ondrej.mikle at gmail.com
Sat Jan 14 06:44:14 UTC 2012


Hi,

after a reviewer wrote on addons.mozilla.org that the DNSSEC Validator add-on leaks 
DNS (because it does direct queries), I've been looking into how to hack around SOCKS 
and Tor resolver deficiencies.

I've tried ttdnsd first, but it did not get along well with unbound (unbound was 
complaining about bad packets). After trying a couple of other tunneling tools, 
finally socat did the trick.

Here's the howto:

https://labs.nic.cz/page/993/dnssec-validation-over-tor--linux-/


Unfortunately, the original objective of fixing DNSSEC Validator add-on to not 
leak DNS queries did not 100% succeed. Firefox has 
"@mozilla.org/network/dns-service;1" API which will leak DNS even if 
"network.proxy.socks_remote_dns" is set to true.

If I understand it correctly, it's because in the SOCKS5 protocol one can specify 
the FQDN of the host to connect to, but can't perform the "simple DNS query" itself. 
Thus there is no way to fix the FF API (short of setting a torified resolver in 
/etc/resolv.conf or some LD_PRELOAD hacks to use a torified resolver).

DNSSEC Validator add-on needs the mentioned dns-service FF API to check if IPs 
seen by FF are the same as IPs in signed/validated response.

I've noticed FireFTP and FireSSH devs fixed some (similar?) DNS-leak issues. 
I've checked their git repos in case I could use their fixes, but the fixes seem 
not to have been pushed out publicly yet.

So if anyone has an idea how to work around the dns-service API, that would be 
great.


Ondrej
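To make concrete what the socat tunnel in the howto does on the wire (DNS over TCP carried inside a SOCKS5 CONNECT, because SOCKS5 can only name the destination host and has no query primitive), here is an added Python example that is not part of the original post or the howto. The Tor SOCKS port 9050 and the resolver address are assumptions; only the packet builder and parser functions are meant to run offline.

```python
import socket
import struct

# Assumed endpoints (not from the post): Tor's default SOCKS port and a
# placeholder resolver in TEST-NET-1; replace with a real validating resolver.
TOR_SOCKS = ("127.0.0.1", 9050)
RESOLVER = ("192.0.2.53", 53)

def socks5_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928) to an IPv4 address. The proxy only tunnels a
    TCP stream; it cannot answer a DNS query, so DNS itself rides inside."""
    return b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port)

def dns_query(name, qtype=1, do_bit=True, txid=0x1234):
    """Build a DNS query with EDNS0 and the DO bit so a validating resolver
    returns RRSIGs and sets AD when the answer validated (fixed txid for
    illustration; a real client randomises it)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 4096, TTL field carries DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) if do_bit else b""
    return header + question + opt

def dns_flags(response):
    """Parse a response header: RCODE, truncation and the AD (authentic data) bit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txid, "rcode": flags & 0x000F, "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "ancount": an}

def query_via_tor(name, qtype=1):
    """DNS over TCP inside a SOCKS5 tunnel, i.e. what the socat relay does."""
    s = socket.create_connection(TOR_SOCKS)
    s.sendall(b"\x05\x01\x00")                     # greeting: no-auth method only
    if s.recv(2) != b"\x05\x00":
        raise RuntimeError("SOCKS5 method negotiation failed")
    s.sendall(socks5_connect_request(*RESOLVER))
    reply = s.recv(10)                             # VER REP RSV ATYP BND.ADDR BND.PORT
    if len(reply) < 2 or reply[1] != 0x00:
        raise RuntimeError("SOCKS5 CONNECT refused")
    q = dns_query(name, qtype)
    s.sendall(struct.pack("!H", len(q)) + q)       # RFC 1035 TCP length framing
    (length,) = struct.unpack("!H", s.recv(2))
    resp = b""
    while len(resp) < length:
        resp += s.recv(length - len(resp))
    s.close()
    return dns_flags(resp)
```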

