[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] tor's SOCKS5 extension "RESOLVE"



Thanks this is very useful information.

>>> # Tor defines a new command value, \x0f, that is used for
>> domain
>>> # resolution.
>>> 
>>> self._send_all("\x05\xf0\x00\x03%s%s%s" % (chr(domain_len),
>>> domain, "\x00\x00"))
> 

> Exitmap uses the SOCKS 5, resolve, DNS command: See page 4 of
> https://www.ietf.org/rfc/rfc1928.txt The SOCKS request is formed as
> follows:
> 
> +----+-----+-------+------+----------+----------+ |VER | CMD |  RSV
> | ATYP | DST.ADDR | DST.PORT | 
> +----+-----+-------+------+----------+----------+ | 1  |  1  | X'00'
> |  1   | Variable |    2     | 
> +----+-----+-------+------+----------+----------+

so in above python code the values are:

ver = \x05
cmd = \xf0 ("RESOLVE") - custom tor extension not in RFC
rsv = \x00
atyp = \x03 (domain)
dst.addr = domain variable
dst.port = \x00\x00


from https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt#n49
> 2. Name lookup
> 
> As an extension to SOCKS4A and SOCKS5, Tor implements a new command
> value, "RESOLVE" [F0].  When Tor receives a "RESOLVE" SOCKS command,
> it initiates a remote lookup of the hostname provided as the target
> address in the SOCKS request.  The reply is either an error (if the
> address couldn't be resolved) or a success response.  In the case of
> success, the address is stored in the portion of the SOCKS response
> reserved for remote IP address.
> 
> (We support RESOLVE in SOCKS4 too, even though it is unnecessary.)
> 
> For SOCKS5 only, we support reverse resolution with a new command
> value, "RESOLVE_PTR" [F1]. In response to a "RESOLVE_PTR" SOCKS5
> command with an IPv4 address as its target, Tor attempts to find the
> canonical hostname for that IPv4 record, and returns it in the
> "server bound address" portion of the reply. (This command was not
> supported before Tor 0.1.2.2-alpha.)

The spec leaves multiple open questions:

- What does "initiates a remote lookup of the hostname" mean?
The spec could be improved by saying "A" or/and "AAAA" DNS lookup is performed.

- There is no information about the response in torspec.git/tree/socks-extensions.txt at all?

> Resolve can return an IPv4 or IPv6 response, but Exitmap ignores the
> address type, and turns the first 4 bytes of the response into an
> IPv4 address.

I modified exitmap to print the entire response in case the ATYP field is set to 04 (meaning the
response contains an IPv6 address) but
the response is not any longer and contains only the first 4 bytes of the IPv6 address.

Running tor 0.3.5.8.

Has this bug been fixed in later versions of tor or current master?

 


-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev