
Re: Add remote addr/port to conn of dns request



On Sun, Jun 17, 2007 at 03:38:15PM +0100, Robert Hogan wrote:
> 
> If the extension for reporting the remote address and port in stream
> events is adopted, it would be great if the address and port of dns
> requests could be informative, rather than '(null):0'.
> 
> Testing this patch revealed the source of some odd dns requests TorK 
> frequently reported when my system's requests were all routed to tor's 
> dnsport. I was quite concerned about them at first; they were slews of 
> invalid requests like
> 
> 650 STREAM 40 CLOSED 12 ng.invalid:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
> 650 STREAM 43 CLOSED 12 cixub22dxb3axlhj.com:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
> 650 STREAM 50 CLOSED 12 ingd6oyrd.org:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767

I've applied this patch too.  Thanks!

Two points to note:

  1) These requests are made by a Tor server to check for DNS
     hijacking.  (Some jerk DNS providers like to helpfully remap all
     NEXIST replies into advertising sites.  Tor detects this, works
     around it, and calls these providers mean names.)

  2) It isn't a good idea to have a Tor client be the DNS server for a
     Tor server.  I wonder what we can do to prevent this from
     happening.

peace,
-- 
Nick Mathewson
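
Added example (not part of the original messages and not Tor or TorK code): a sketch of how a controller could use SOURCE_ADDR to notice that some host is sending a Tor server's DNS-hijack test lookups to a Tor client's DNSPort, the situation described in point 2. The sample events are constructed after the ones quoted above; treating target port 0 as a DNSPort lookup follows those quoted events, and the "looks like a test name" rule is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the STREAM events quoted in the thread.
SAMPLE_EVENTS = """\
650 STREAM 40 CLOSED 12 ng.invalid:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 43 CLOSED 12 cixub22dxb3axlhj.com:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33768
650 STREAM 50 CLOSED 12 ingd6oyrd.org:0 REASON=DONE SOURCE_ADDR=192.168.1.2:33767
650 STREAM 51 CLOSED 12 www.example.com:80 REASON=DONE SOURCE_ADDR=192.168.1.7:40112
650 STREAM 52 CLOSED 13 mail.example.org:0 REASON=DONE SOURCE_ADDR=192.168.1.7:40113
"""

# 650 STREAM <id> <status> <circuit> <host>:<port> [KEY=VALUE ...]
EVENT_RE = re.compile(r"^650 STREAM (\d+) (\S+) (\d+) (\S+):(\d+)((?: \S+=\S+)*)\s*$")

def parse_stream_event(line):
    """Return a dict for one STREAM event line, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    sid, status, circ, host, port, rest = m.groups()
    args = dict(kv.split("=", 1) for kv in rest.split())
    return {"id": int(sid), "status": status, "circuit": int(circ),
            "host": host.lower(), "port": int(port), **args}

def looks_like_probe(ev):
    """Assumed heuristic: a port-0 lookup for a name that should not exist."""
    if ev["port"] != 0:
        return False
    labels = ev["host"].rstrip(".").split(".")
    if labels[-1] == "invalid":          # reserved TLD, never resolves
        return True
    # Random-looking second-level name: one long label containing digits.
    return (len(labels) == 2 and len(labels[0]) >= 8
            and any(c.isdigit() for c in labels[0]))

def probe_sources(text):
    """Map each source IP to the probe-like names it asked the DNSPort for."""
    hits = defaultdict(list)
    for line in text.splitlines():
        ev = parse_stream_event(line)
        if ev and looks_like_probe(ev):
            src_ip = ev.get("SOURCE_ADDR", "unknown").rsplit(":", 1)[0]
            hits[src_ip].append(ev["host"])
    return dict(hits)

if __name__ == "__main__":
    for ip, names in probe_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} probe-like lookups, e.g. {names[0]}")
```

A source address that keeps producing such lookups is a candidate for a Tor server resolving through this client, which can then be pointed at a different resolver.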
