
Re: Bug: improperly bound listen addresses?



     On Wed, 6 Aug 2008 14:50:17 -0400 grarpamp <grarpamp@xxxxxxxxx> wrote:
>> I don't know of any way to tell the resolver routines to bind
>> only to a particular network interface for sending their queries.
>
>Not possible as of yet. But likely moot...
>
>> AFAIK, tor uses the resolver library, so adding a command line/torrc
>> option like you're asking for would have no effect.
>
>sockstat/netstat always shows tor as having a connection tacked up
>to the DNS servers specified in resolv.conf. I wasn't seeing any
>gethostby* calls as other applications do, so I poked around...
>
>eventdns.c
>    2098 _evdns_nameserver_add_impl(u32 address, int port) {
>    2117         ns->socket = socket(PF_INET, SOCK_DGRAM, 0);
>    2131         if (connect(ns->socket, (struct sockaddr *) &sin,
>
>So I stuck this right before 2131:
> printf("CONNECTevdns2131: %s\n", debug_ntoa(address));
>and get:
> CONNECTevdns2131: <nameserver_ip_from_resolv_conf> 53
>
>Looks to me like a standalone DNS client implementation, bypassing
>the resolver, no? ... Then me, not being great with C, might suggest

     Okay.  However, one of us is confused:  you keep referring to a
connection, yet the code you quoted above shows socket() called specifying
SOCK_DGRAM, which means UDP, a connectionless protocol.  named listens
on both the TCP port and the UDP port, but nearly all its traffic is UDP.
IBM mainframe systems are the only ones I've ever seen use TCP for everything
involving the DNS.  On UNIX systems, dig(1) and nslookup(1) use TCP for AXFR
zone transfers, IIRC, and presumably named itself does for zone transfers, but
I doubt anything else does (except maybe some crackers' code).

>replacing the:
>
>socket [dgram] --> connect [remote]
> call order from the above with:
>socket [dgram] --> bind [local] --> connect [remote]
>
>That 'bind [local]' would honor a new -DNSClientAddress option.
>And optionally a new -DNSClientPort option. And since the name
>'resolv.conf' confusingly implies use of the normal system resolver
>routines, some clarity regarding its actual usage could be added
>to the docs.
>
>I know about -DNSPort, -DNSListenAddress, that isn't part of the
>above. Though -ServerDNS* are related to it.
>
>Feel free to slap me with a wet fish if I'm being way off base and
>clueless here :) But I'm wearing pretty strong deodorant now.
>
     Perhaps we could get Nick's and Roger's thoughts on that.  My guess,
though, is that their plates may still be overflowing with far higher
priority issues, though perhaps it could be added to the wish list for
the (probably far) future.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
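The socket [dgram] -> bind [local] -> connect [remote] ordering proposed in the quoted message, written out as an added example; this is not code from the thread or from Tor's eventdns.c. The function names `open_dns_client_socket` and `bound_source_address` are my own, and `DNSClientAddress` is grarpamp's proposed option name, not an existing Tor option. It also illustrates Scott's point that connect() on a SOCK_DGRAM socket sets up no connection.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* UDP "client" socket for one nameserver: socket -> bind(local) -> connect(remote).
 * bind() pins the source address/port before connect() records the peer.
 * connect() on SOCK_DGRAM does no handshake; it only fixes the default peer so
 * send()/recv() omit the address and stray datagrams from elsewhere are dropped.
 * local_ip == NULL keeps the original socket -> connect behaviour.  -1 on error. */
int open_dns_client_socket(const char *local_ip, uint16_t local_port,
                           const char *ns_ip, uint16_t ns_port)
{
    struct sockaddr_in local, remote;
    int fd = socket(PF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (local_ip != NULL) {                   /* hypothetical DNSClientAddress */
        memset(&local, 0, sizeof(local));
        local.sin_family = AF_INET;
        local.sin_port = htons(local_port);   /* 0: kernel picks the port */
        if (inet_pton(AF_INET, local_ip, &local.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&local, sizeof(local)) != 0) {
            close(fd);
            return -1;
        }
    }
    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(ns_port);
    if (inet_pton(AF_INET, ns_ip, &remote.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&remote, sizeof(remote)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Source address the kernel will stamp on outgoing queries, as text.
 * This is what a sockstat/netstat listing would show as the local side. */
int bound_source_address(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    return inet_ntop(AF_INET, &sa.sin_addr, buf, buflen) ? 0 : -1;
}
```

Because UDP connect() sends nothing, the call succeeds even when no nameserver is listening; an unreachable peer only surfaces as an error on a later send()/recv().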