
Re: prevent tor accepting dns requests on dnsport initiated by itself



On Wednesday 27 June 2007 17:18:22 Nick Mathewson wrote:
<snip>
>
> Hmmm. I really _don't_ like the idea of making good client DNS break
> _ever_, even if it's hard to provoke on your machine.  After all, if
> users see this in practice, it's not likely that they'll even know to
> report it as a bug, since it would be intermittent and hard to prove.
>
> Could it be simpler just to add a function to eventdns.c to make sure
> none of the nameservers are going to the addr:port of our dnsport?
>

A lot simpler. Revised patch attached.

Index: src/or/dnsserv.c
===================================================================
--- src/or/dnsserv.c	(revision 10664)
+++ src/or/dnsserv.c	(working copy)
@@ -103,6 +103,11 @@
   if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
     err = DNS_ERR_FORMAT;
 
+  if (evdns_find_nameserver(sin->sin_addr.s_addr, sin->sin_port)) {
+    log_warn(LD_APP, "Rejecting DNS Request received on DNSPort from Tor.");
+    err = DNS_ERR_REFUSED;
+  }
+
   if (err != DNS_ERR_NONE) {
     /* We got an error?  Then send back an answer immediately; we're done. */
     evdns_server_request_respond(req, err);
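Review bot: The new `log_warn` fires on every matching request, and the condition it detects (a configured nameserver that points back at our own DNSPort) will recur on every lookup until the configuration is fixed, so this will flood the log at warn level; a one-shot or rate-limited warning, with the per-request message dropped to `log_info`, would carry the same signal. The new block also runs when `err` is already `DNS_ERR_FORMAT` and silently replaces it with `DNS_ERR_REFUSED`; guarding it with `err == DNS_ERR_NONE &&` like the preceding check keeps the earlier, more specific error. `sin` is presumably the request's source `sockaddr_in` set up earlier in this callback; the enclosing function starts outside the hunk, so that cannot be confirmed here.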
Index: src/or/eventdns.c
===================================================================
--- src/or/eventdns.c	(revision 10664)
+++ src/or/eventdns.c	(working copy)
@@ -1983,6 +1983,26 @@
 
 // exported function
 int
+evdns_find_nameserver(u32 addr, u16 port)
+{
+	const struct nameserver *server = server_head;
+    struct sockaddr_in my_addr;
+    socklen_t my_addr_len = sizeof(my_addr);
+
+	if (!server)
+		return 0;
+	do {
+        if (getsockname(server->socket, (struct sockaddr*)&my_addr, &my_addr_len)) 
+            continue;
+        if (my_addr.sin_port == port && my_addr.sin_addr.s_addr == addr)
+            return 1;
+		server = server->next;
+	} while (server != server_head);
+	return 0;
+}
+
+// exported function
+int
 evdns_count_nameservers(void)
 {
 	const struct nameserver *server = server_head;
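Review bot: The `continue` after the failed `getsockname()` call jumps straight to the `while (server != server_head)` test without advancing `server`, so a failure on any nameserver other than the head spins forever re-calling `getsockname()` on the same socket; the cursor must advance on every iteration. `my_addr_len` is also an in/out argument that should be reset per iteration, and it is worth confirming it still equals `sizeof(my_addr)` before reading the `sockaddr_in` fields. The body mixes tabs and four-space indentation, and the definition takes `u32`/`u16` while the header hunk declares `uint32_t`/`uint16_t`; presumably these are the same typedefs, but the two should be spelled the same. Separately, if the outgoing nameserver sockets are bound to `INADDR_ANY`, `getsockname()` reports `0.0.0.0`, which never equals the request's source address, so the check may only work when the socket is bound to a specific address; that depends on how eventdns creates its sockets, which is not visible here.
```c
int
evdns_find_nameserver(u32 addr, u16 port)
{
	const struct nameserver *server = server_head;

	if (!server)
		return 0;
	do {
		struct sockaddr_in my_addr;
		socklen_t my_addr_len = sizeof(my_addr);

		/* A failed getsockname() must not stop the cursor from advancing. */
		if (getsockname(server->socket, (struct sockaddr*)&my_addr, &my_addr_len) == 0 &&
		    my_addr_len == sizeof(my_addr) &&
		    my_addr.sin_port == port && my_addr.sin_addr.s_addr == addr)
			return 1;
		server = server->next;
	} while (server != server_head);
	return 0;
}
```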
Index: src/or/eventdns.h
===================================================================
--- src/or/eventdns.h	(revision 10664)
+++ src/or/eventdns.h	(working copy)
@@ -260,6 +260,7 @@
 const char *evdns_err_to_string(int err);
 int evdns_nameserver_add(unsigned long int address);
 int evdns_count_nameservers(void);
+int evdns_find_nameserver(uint32_t addr, uint16_t port);
 int evdns_clear_nameservers_and_suspend(void);
 int evdns_resume(void);
 int evdns_nameserver_ip_add(const char *ip_as_string);