
Add remote addr/port to conn of dns request



If the extension for reporting the remote address and port in stream events is 
adopted, it would be great if the address and port of dns requests could be 
informative, rather than '(null):0'.

Testing this patch revealed the source of some odd dns requests TorK 
frequently reported when my system's requests were all routed to tor's 
dnsport. I was quite concerned about them at first; they were slews of 
invalid requests like

650 STREAM 40 CLOSED 12 ng.invalid:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 43 CLOSED 12 cixub22dxb3axlhj.com:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
650 STREAM 50 CLOSED 12 ingd6oyrd.org:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 45 CLOSED 12 fo6a2vccbqa.net:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
650 STREAM 44 CLOSED 12 jtxsrvaiz42o.org:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 41 CLOSED 12 6ob.test:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768

Turns out the source was... tor!

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.1.2:10025       159.134.237.6:53        ESTABLISHED -
udp        0      0 192.168.1.2:33767       159.134.237.6:53        ESTABLISHED 9370/tor
udp        0      0 192.168.1.2:33768       159.134.248.17:53       ESTABLISHED 9370/tor

The reason for these requests is obvious enough, in hindsight, but I think a 
log event admitting to the user that these requests originate from tor would 
be helpful. It would certainly keep paranoid-but-a-bit-dim users like myself 
from thinking there was some sort of dns snooping trojan afoot. (Since the 
user, like me, might assume that these are happening even when dnsport is 
turned off and that forcing dns requests through tor has revealed the 
possibly naughty behaviour of another application.)
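The correlation done by hand above (matching the SOURCE_ADDR port of each STREAM event against the UDP sockets netstat attributes to a PID) can be scripted. This is an added example, not code from the post or from tor/TorK; the sample STREAM and netstat lines are copied from the post, except the final `(null):0` event, which is constructed to show how a pre-patch event with no usable source address is reported.

```python
import re

# Sample control-port STREAM events, taken from the post above (rejoined);
# the last line is constructed to mimic the pre-patch "(null):0" output.
STREAM_EVENTS = """\
650 STREAM 40 CLOSED 12 ng.invalid:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 43 CLOSED 12 cixub22dxb3axlhj.com:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
650 STREAM 41 CLOSED 12 6ob.test:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
650 STREAM 99 CLOSED 12 example.invalid:0 REASON=DONE SOURCE_ADDR=(null):0
"""

# Sample `netstat -unp` style output, taken from the post above (rejoined).
NETSTAT_OUTPUT = """\
udp        0      0 192.168.1.2:10025       159.134.237.6:53        ESTABLISHED -
udp        0      0 192.168.1.2:33767       159.134.237.6:53        ESTABLISHED 9370/tor
udp        0      0 192.168.1.2:33768       159.134.248.17:53       ESTABLISHED 9370/tor
"""

# 650 STREAM <StreamID> <Status> <CircID> <Target> [key=value ...]
STREAM_RE = re.compile(
    r"^650 STREAM (?P<sid>\d+) (?P<status>\w+) (?P<circ>\d+) (?P<target>\S+)(?P<rest>.*)$")
SOURCE_RE = re.compile(r"SOURCE_ADDR=(?P<host>[^:\s]+):(?P<port>\d+)")
# udp <recv-q> <send-q> <local addr>:<port> <foreign addr>:<port> <state> <pid/program>
NETSTAT_RE = re.compile(
    r"^udp\s+\d+\s+\d+\s+(?P<lhost>\S+):(?P<lport>\d+)\s+\S+\s+\S+\s+(?P<prog>\S+)")

def parse_stream_events(text):
    # Return one dict per STREAM event; "src" is (host, port) or None.
    events = []
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        src = SOURCE_RE.search(m.group("rest"))
        events.append({"sid": int(m.group("sid")), "target": m.group("target"),
                       "src": (src.group("host"), int(src.group("port"))) if src else None})
    return events

def udp_port_owners(text):
    # Map (local host, local port) of each UDP socket to its PID/Program column.
    owners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            owners[(m.group("lhost"), int(m.group("lport")))] = m.group("prog")
    return owners

def attribute_sources(events, owners):
    # Map each stream id to the program owning its source port; "(null):0" or
    # a port not in the socket table yields "unknown".
    return {ev["sid"]: owners.get(ev["src"], "unknown") if ev["src"] else "unknown"
            for ev in events}
```

Running `attribute_sources(parse_stream_events(STREAM_EVENTS), udp_port_owners(NETSTAT_OUTPUT))` attributes streams 40, 43 and 41 to `9370/tor`, reproducing the finding in the post.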


Index: src/or/dnsserv.c
===================================================================
--- src/or/dnsserv.c    (revision 10632)
+++ src/or/dnsserv.c    (working copy)
@@ -23,6 +23,7 @@
   struct evdns_server_question *q = NULL;
   struct sockaddr_storage addr;
   struct sockaddr *sa;
+  struct sockaddr_in *sin;
   int addrlen;
   uint32_t ipaddr;
   int err = DNS_ERR_NONE;
@@ -48,10 +49,11 @@
     log_warn(LD_APP, "Requesting address wasn't ipv4.");
     evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
     return;
-  } else {
-    struct sockaddr_in *sin = (struct sockaddr_in*)&addr;
-    ipaddr = ntohl(sin->sin_addr.s_addr);
   }
+
+  sin = (struct sockaddr_in*)&addr;
+  ipaddr = ntohl(sin->sin_addr.s_addr);
+
   if (!socks_policy_permits_address(ipaddr)) {
     log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
     evdns_server_request_respond(req, DNS_ERR_REFUSED);
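Review bot: the unconditional cast at `sin = (struct sockaddr_in*)&addr;` is only safe because the non-IPv4 branch just above it returns; the old code made that dependency explicit by keeping the cast inside the `else`. A one-line comment above the assignment noting that `addr` is known to be AF_INET at this point would keep a future edit of the early return from silently turning `sin` into an alias of a non-IPv4 sockaddr.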
@@ -112,6 +114,11 @@
   /* Make a new dummy AP connection, and attach the request to it. */
   conn = TO_EDGE_CONN(connection_new(CONN_TYPE_AP, AF_INET));
   conn->_base.state = AP_CONN_STATE_RESOLVE_WAIT;
+
+  TO_CONN(conn)->addr = ntohl(sin->sin_addr.s_addr);
+  TO_CONN(conn)->port = ntohs(sin->sin_port);
+  TO_CONN(conn)->address = tor_dup_addr(TO_CONN(conn)->addr);
+
   if (q->type == EVDNS_TYPE_A)
     conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
   else
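Review bot: `TO_CONN(conn)->addr = ntohl(sin->sin_addr.s_addr);` recomputes a value that `ipaddr` already holds from the earlier hunk, so `TO_CONN(conn)->addr = ipaddr;` would avoid the duplicate conversion and reduce the reliance on `sin` surviving to this point; only the port genuinely needs the saved `sin`. Separately, `tor_dup_addr` allocates the `address` string for a dummy AP connection, so please confirm that the path which frees these resolve-only connections also frees `address`, otherwise every DNSPort request leaks one small allocation.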

-- 

Browse Anonymously Anywhere	- http://anonymityanywhere.com
TorK	- KDE Anonymity Manager	- http://tork.sf.net
KlamAV	- KDE Anti-Virus 	- http://www.klamav.net