I'm not certain who maintains the torify tsocks wrapper, so apologies if this is misdirected.

The use of torify with programs like wget is quite nice. However, it leaks DNS requests. One approach I hacked together is to create an nsswitch.conf-compatible module that performs DNS lookups using Tor whenever an environment variable TOR_NSS is set. This way the torify wrapper just sets the TOR_NSS and tsocks environment variables and things work (TM).

I understand that tsocks can redirect DNS requests to TCP and then redirect these out to Tor. This approach suffers from a few problems AFAICS:

1. You need a list of DNS servers that support open recursive requests OR you need to perform the entire lookup starting from root servers over Tor (ie: very slow)
2. Tor doesn't see the DNS lookup and so gives warnings about DNS leakage
3. Tor doesn't see the DNS lookup so the caching + new identity stuff doesn't work
4. It's inappropriate to do this for any application other than Tor, and so isn't included in the default Debian build of tsocks.

Using my nsswitch module it is as though every time gethostbyname is run, tor-resolve gets called. This means:

1. DNS exits from a Tor node which can use its local DNS -> faster
2. Tor has full control over the DNS cache / etc

There is a downside: installing the module into nsswitch.conf means that every program that uses gethostbyname will need to load libtor_nss.so.2 (though they won't use it). However, they already need to load 4+ such libraries on a typical Debian system and libtor_nss.so.2 is especially small.

How it works: nsswitch.conf describes what steps to take when resolving a host name. By putting a Tor-specific module before dns, we can capture any calls to gethostbyname that would otherwise leak. The module provides gethostbyname by using the SOCKS5 RESOLVE capability of the Tor daemon.

Issues: I didn't implement reverse DNS, but this would be easy to add.

I hereby place this code in the public domain.
If it's useful to the Tor project, do with it whatever you like. I'm open to suggestions about ways to improve it.
Attachment:
nss-tor-0.1.tar.gz
Description: GNU Zip compressed data
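The post describes the mechanism (a resolver that hands gethostbyname calls to the Tor daemon's SOCKS5 RESOLVE extension) but the attached tarball is not reproduced here. The following is an added Python example, not the author's nss-tor module and not code from the Tor project: a minimal client for Tor's SOCKS5 RESOLVE (0xF0) and RESOLVE_PTR (0xF1) commands, with the request building and reply parsing kept as pure functions so they can be checked against constructed byte strings offline. It assumes a Tor SocksPort at 127.0.0.1:9050 and, mirroring the post's design, only routes lookups through Tor when the environment variable TOR_NSS is set; it also covers the reverse lookup the post left unimplemented.

```python
import ipaddress
import os
import socket

# Assumed default Tor SocksPort; change if your torrc differs.
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050

SOCKS_VERSION = 0x05
CMD_RESOLVE = 0xF0       # Tor SOCKS extension: forward (A/AAAA) lookup
CMD_RESOLVE_PTR = 0xF1   # Tor SOCKS extension: reverse (PTR) lookup
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_resolve_request(name: str) -> bytes:
    """SOCKS5 request: VER CMD RSV ATYP LEN NAME PORT(0) with CMD=RESOLVE."""
    raw = name.encode("idna")
    if not raw or len(raw) > 255:
        raise ValueError("hostname length must be 1..255 bytes")
    return bytes([SOCKS_VERSION, CMD_RESOLVE, 0x00, ATYP_DOMAIN, len(raw)]) + raw + b"\x00\x00"


def build_resolve_ptr_request(ip: str) -> bytes:
    """SOCKS5 request with CMD=RESOLVE_PTR and a packed IPv4/IPv6 address."""
    addr = ipaddress.ip_address(ip)
    atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, CMD_RESOLVE_PTR, 0x00, atyp]) + addr.packed + b"\x00\x00"


def parse_resolve_reply(reply: bytes) -> str:
    """Decode VER REP RSV ATYP ADDR PORT; return the address/name as a string."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = reply[1], reply[3]
    if rep != 0x00:
        # Tor reports resolution failure through the SOCKS5 REP field.
        raise LookupError(f"Tor resolve failed, REP={rep:#04x}")
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(reply[4:8]))
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(reply[4:20]))
    if atyp == ATYP_DOMAIN:            # RESOLVE_PTR answers carry a hostname
        n = reply[4]
        return reply[5:5 + n].decode("idna")
    raise ValueError(f"unknown ATYP {atyp:#04x}")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("Tor closed the SOCKS connection")
        buf += chunk
    return buf


def _socks5_exchange(request: bytes, host: str, port: int, timeout: float) -> str:
    """Negotiate no-auth SOCKS5, send one RESOLVE/RESOLVE_PTR request, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))      # offer NO AUTH only
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != 0x00:
            raise ConnectionError("SOCKS5 method negotiation failed")
        s.sendall(request)
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == ATYP_IPV4:
            body = _recv_exact(s, 4 + 2)
        elif atyp == ATYP_IPV6:
            body = _recv_exact(s, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            ln = _recv_exact(s, 1)
            body = ln + _recv_exact(s, ln[0] + 2)
        else:
            raise ValueError(f"unknown ATYP {atyp:#04x} in reply")
        return parse_resolve_reply(head + body)


def tor_resolve(name: str, host=TOR_SOCKS_HOST, port=TOR_SOCKS_PORT, timeout=30.0) -> str:
    return _socks5_exchange(build_resolve_request(name), host, port, timeout)


def tor_resolve_ptr(ip: str, host=TOR_SOCKS_HOST, port=TOR_SOCKS_PORT, timeout=30.0) -> str:
    return _socks5_exchange(build_resolve_ptr_request(ip), host, port, timeout)


def resolve(name: str) -> str:
    """Like the post's NSS module: use Tor when TOR_NSS is set, else the system resolver."""
    if os.environ.get("TOR_NSS"):
        return tor_resolve(name)
    return socket.gethostbyname(name)   # this path is the one that leaks outside Tor


if __name__ == "__main__":
    import sys
    print(resolve(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it with `TOR_NSS=1 python3 tor_resolve.py example.com` against a running Tor daemon; without the variable it falls through to the system resolver exactly as the post's wrapper would. Because a RESOLVE request never opens a stream to the target, Tor sees the lookup, can cache it and honours new-identity, which is the point the post makes against the tsocks TCP-redirect approach.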