On Sun, Jun 17, 2007 at 05:40:05PM +0100, Robert Hogan wrote:
> On Sunday 17 June 2007 17:01:44 Nick Mathewson wrote:
> > On Sun, Jun 17, 2007 at 03:38:15PM +0100, Robert Hogan wrote:
> > [...]
> >
> > I've applied this patch too. Thanks!
> >
> > Two points to note:
> >
> > 1) These requests are made by a Tor server to check for DNS
> > hijacking. (Some jerk DNS providers like to helpfully remap all
> > NEXIST replies into advertising sites. Tor detects this, works
> > around it, and calls these providers mean names.)
> >
>
> Sure, but I think a log message stating the 'domains' being queried
> would help settle a few nerves. Bizarre-looking DNS queries are just
> the sort of thing Tor users might expect from a snooper.

No argument there. I was just explaining where those requests come from.

> > 2) It isn't a good idea to have a Tor client be the DNS server for a
> > Tor server. I wonder what we can do to prevent this from
> > happening.
> >
> > peace,
>
> Do you mean that it is a bad idea to force a tor server's un-proxied dns
> requests through tor with all-encompassing netfilter rules such as
>
> iptables -t nat -I OUTPUT 1 -o ! lo -p udp -m udp --dport 53 -j
> DNAT --to-destination 127.0.0.1:9999 -m comment --comment "Redirect UDP DNS
> Requests to Tor" ?
>
> This does seem a bit stupid on the face of it, though I'm not clear whether
> it's actually dangerous or just wasteful.

Well, remember how it's _supposed_ to work. A client wants the answer to
a DNS request, so it sends an anonymized request to a server. The server
does a DNS lookup, and sends the reply back to the client.

But if the server's DNS lookup goes back into Tor (acting as a client),
then the request gets answered by _another_ server, which tells the
second Tor client, which tells the first server, which tells the client.

The biggest problems here are:
 - Latency doubles (or worse, if the second Tor server is also
   configured like this.)
 - If everybody does it, DNS on Tor will fail completely.

yrs,
-- 
Nick Mathewson
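The NXDOMAIN-hijack check and work-around that Nick describes above, written out as an added example in Python; it is not code from this thread or from Tor itself. The resolver tables, the TEST-NET addresses and the helper names are constructed for illustration, and each probe name is logged, which is the kind of log line Robert asks for.

```python
import logging
import random
import string
from typing import Callable, Dict, Optional, Set

# A resolver is any callable mapping a hostname to an IPv4 string, or to None
# for an NXDOMAIN ("NEXIST") reply. Both tables below are constructed samples.
Resolver = Callable[[str], Optional[str]]

HONEST_TABLE: Dict[str, str] = {"example.com": "192.0.2.10"}
HIJACK_ADDRESS = "203.0.113.5"  # constructed: the provider's advertising host


def honest_resolver(name: str) -> Optional[str]:
    """Returns NXDOMAIN (None) for anything not in its table."""
    return HONEST_TABLE.get(name)


def hijacking_resolver(name: str) -> Optional[str]:
    """Models a provider that remaps every NXDOMAIN to an advertising site."""
    return HONEST_TABLE.get(name, HIJACK_ADDRESS)


def random_nonexistent_name(rng: random.Random) -> str:
    """A 16-letter random label under a TLD: overwhelmingly unlikely to exist."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
    return f"{label}.com"


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3, seed: int = 0) -> Set[str]:
    """Query several names that should not exist. An honest resolver answers
    NXDOMAIN for all of them; any address returned instead is a hijack address.
    Returns the set of hijack addresses seen (empty means no hijacking)."""
    rng = random.Random(seed)
    hijacked: Set[str] = set()
    for _ in range(probes):
        name = random_nonexistent_name(rng)
        logging.info("DNS hijack probe: querying %s", name)  # the log line Robert wants
        answer = resolve(name)
        if answer is not None:
            hijacked.add(answer)
    return hijacked


def resolve_guarded(resolve: Resolver, name: str, hijacked: Set[str]) -> Optional[str]:
    """The work-around: an answer equal to a known hijack address is reported as
    NXDOMAIN, so clients are never steered to the ad site. Caveat: a real host
    that genuinely lives at that address is hidden too."""
    answer = resolve(name)
    return None if answer in hijacked else answer
```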