Re: prevent tor accepting dns requests on dnsport initiated by itself

[Robert Hogan <robert@xxxxxxxxxxxxxxx>]

On Friday 22 June 2007 16:52:48 Nick Mathewson wrote:
> On Thu, Jun 21, 2007 at 10:53:08PM +0100, Robert Hogan wrote:
> > This would also prevent the user resolving a dns request if it
> > coincided exactly with the very same request by tor. I don't know
> > how likely this would be in practice - I certainly haven't been
> > quick enough on the draw.
>
> I think this is actually a dangerous idea.  We separate the client DNS
> cache from the server DNS cache for a reason: if you're using a Tor
> instance as both a client and a server, it's a good idea to keep the
> client's behavior more or less uncorrelated by the server's.
>

Sorry, I don't get it!

I don't think any mixing of the caches takes place here. The patch prevents a 
Tor server from resolving DNS requests when a broken system configuration 
routes them all back to its own DNSPort. In this situation the tor server 
will always be unable to resolve anything and the server admin will be warned 
accordingly.

If the same Tor instance is being used as a client then the only occasion in 
which an application's requests (e.g. from firefox) will fail is if it 
happens to request the exact same dns resolve at precisely the same moment 
the server's same dns request is in progress. Otherwise its requests, even 
for the same hostname, will be successfully routed over the tor network.

I don't believe a failure of the client request in the above situation will 
result in a cache hit (server or client), the request will just fail and the 
app will try again or give up.

> Here's an attack: I have a server that doesn't see much usage at
> evil-nick.com.  You have a non-exit Tor host.  I suspect that you're
> connecting to my server.  I control the DNS for evil-nick.com, so I
> whenever your Tor server asks for the address of evil-nick.com I give
> you IP1.  (If it never asks, I can resolve evil-nick.com.yourhost.exit
> a lot.)  When any other server asks, I give them IP2.  If I see
> anybody connect to IP1, I know that it's probably your client peeking
> inside the server DNS.
>

My understanding of the patch is: 

In the case where all DNS requests are looping back into Tor's DNSPort  the 
server will never get IP1 or IP2 since all it's dns requests will fail. The 
client meanwhile will either get IP2 (request routed over tor network) or 
will also fail and get nothing.

In the case where the system is properly configured and the server's requests 
are not proxied but the client's arrive at the DNSPort, the server will 
always get IP1 and the client will always get IP2. If client and server 
request evil-nick.com at the exact same moment, the server will get IP1 and 
the client will receive DNS_ERR_REFUSED.


> There are probably easier attacks here too.



-- 

Browse Anonymously Anywhere	- http://anonymityanywhere.com
TorK	- KDE Anonymity Manager	- http://tork.sf.net
KlamAV	- KDE Anti-Virus 	- http://www.klamav.net