
Re: [tor-dev] exitmap/RESOLVE control command limitations




On July 9, 2019 8:55:00 AM UTC, nusenu <nusenu-lists@xxxxxxxxxx> wrote:
>Hi,
>
>I noticed some unexpected answers in exitmap's [1] dnsenum results
>and suspected that this has to do with IPv4 vs. IPv6.
>
>First I looked at [2] and found that it only lists IPv4 and hostnames
>as possible answers but then I realized that exitmap might not be using
>the RESOLVE command?

Exitmap is using tor's RESOLVE extension to SOCKS:
https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt#n49

>>     def resolve(self, domain):
>>         """
>>         Resolve the given domain using Tor's SOCKS1 resolution extension.
>>         """
>> 
>>         domain_len = len(domain)
>>         if domain_len > 255:
>>             raise error.SOCKSv5Error("Domain must not be longer than 255 "
>>                                      "characters, but %d given." % domain_len)
>> 
>>         # Tor defines a new command value, \xf0, that is used for domain
>>         # resolution.
>> 
>>         self._send_all("\x05\xf0\x00\x03%s%s%s" %
>>                      (chr(domain_len), domain, "\x00\x00"))

Exitmap uses the SOCKS 5, resolve, DNS command:
See page 4 of https://www.ietf.org/rfc/rfc1928.txt

>> 
>>         resp = self._recv_all(10)
>>         if resp[:2] != "\x05\x00":
>>             raise error.SOCKSv5Error("Invalid server response: 0x%s" %
>>                                      resp[1].encode("hex"))

Resolve can return an IPv4 or IPv6 response, but Exitmap ignores the address type, and turns the first 4 bytes of the response into an IPv4 address.

>>         return socket.inet_ntoa(resp[4:8])
>
>
>Does Tor's SOCKS resolution extension support IPv6 answers
>or does it only attempt A records?

If it gets both IPv4 and IPv6, I think it will prefer IPv4.

Try testing with ipv6.google.com, which only has an IPv6 address.

>I'm aiming to resolve a hostname and would like to get 
>the IPv4 and if available the IPv6 address.

I don't know how you can reliably get the IPv6 address over SOCKS, when the site has an IPv4 address.

Try using the controller RESOLVE command and ADDRMAP event, which supports IPv6:

Address = ip4-address / ip6-address / hostname

If that doesn't work, we might need to make some changes to tor, or fix some bugs.

>thanks,
>nusenu
>
>
>[1] https://github.com/NullHypothesis/exitmap
>[2] https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n1349


--
teor
----------------------------------------------------------------------
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
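
The address-type handling discussed in this thread, as an added Python 3 example that is not exitmap's code and not part of the original message: a reply parser that sizes the address from the ATYP byte of the SOCKS5 reply (RFC 1928) instead of always reading four bytes. The function names and the sample replies are hypothetical and constructed for illustration; with a real connection the stream would be something like `sock.makefile("rb")`.

```python
import io
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_resolve_request(domain: str) -> bytes:
    """SOCKS5 request with Tor's RESOLVE command (0xF0), ATYP=domain, port 0."""
    name = domain.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("domain must be 1..255 bytes")
    return b"\x05\xf0\x00\x03" + bytes([len(name)]) + name + b"\x00\x00"


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes or fail; a short read must never be parsed."""
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated SOCKS5 reply")
    return data


def parse_resolve_reply(stream):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT, sizing the address by ATYP."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", read_exact(stream, 4))
    if ver != 0x05 or rep != 0x00:
        raise ValueError("SOCKS5 failure: ver=0x%02x rep=0x%02x" % (ver, rep))
    if atyp == ATYP_IPV4:
        addr = ipaddress.IPv4Address(read_exact(stream, 4))
    elif atyp == ATYP_IPV6:
        addr = ipaddress.IPv6Address(read_exact(stream, 16))
    elif atyp == ATYP_DOMAIN:
        addr = read_exact(stream, read_exact(stream, 1)[0]).decode("ascii")
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    read_exact(stream, 2)  # BND.PORT, unused for RESOLVE
    return addr


def legacy_ipv4_only(reply: bytes) -> str:
    """What reading resp[4:8] unconditionally yields, as described in the thread."""
    return str(ipaddress.IPv4Address(reply[4:8]))


# Constructed sample replies using documentation addresses, not captured traffic.
V4_REPLY = b"\x05\x00\x00\x01" + ipaddress.IPv4Address("192.0.2.7").packed + b"\x00\x00"
V6_REPLY = b"\x05\x00\x00\x04" + ipaddress.IPv6Address("2001:db8::7").packed + b"\x00\x00"
```

Feeding `V6_REPLY` to `legacy_ipv4_only` returns a plausible-looking IPv4 address built from the first four bytes of the IPv6 address, which is the kind of unexpected answer a scanner would record without any error.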