Re: [tor-talk] How does DNS work with .onion addresses?

* on the Fri, Jun 27, 2014 at 12:48:27PM +0100, Steven Murdoch wrote:

>> I know that when the TBB connects to a 'normal' .com or .org or
>> whatever address then the DNS resolution is done by the exit node.
>> There is no need anymore (not for several years now) for the client
>> to set up DNS manually (as used to be the case with Polipo
>> or Privoxy).
>> However, how does DNS work for .onion?  I assume that each exit node
>> understands how to route traffic for all .onion addresses? How does
>> it know how to direct the client request?
> For .onion addresses, DNS is not used. Your Tor client receives a
> SOCKS connect request for a .onion address and recognises it as a
> hidden service request. Your Tor client then performs the
> hidden-service rendezvous procedure, including looking up the current
> introduction point in the hidden service distributed hash table (as
> your traffic never leaves the Tor network, there's no exit
> node involved).

There is an exception to this rule. If you use DNSPort + TransPort +
VirtualAddrNetwork + AutomapHostsOnResolve, Tor provides a DNS resolver.
And if you perform an A/AAAA record lookup for a .onion domain against
that DNS resolver, then it will pick a unique IP address from a pool you
specified ( or similar) and return that. It will then remember
the Onion->IP mapping. It is then your job to intercept connections to
those IPs on your router and forward them to the host/port specified in
TransPort. Tor will see those connections and figure out the hidden
service you're trying to connect to by reversing the Onion->IP mapping
that it provided earlier during the DNS lookup.

This is why any device on my LAN can talk to hidden services, without
having to install Tor on each of them, albeit less securely than if
they all had Tor installed locally of course.
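Below is an added router-side example of the arrangement described in the reply above; it is not code from the original mail or from the Tor project. It emits the torrc lines (DNSPort, TransPort, VirtualAddrNetwork, AutomapHostsOnResolve) and the two iptables rules that intercept LAN DNS and TCP to the virtual pool, and includes a small check that an address returned by Tor's resolver actually falls inside the pool. The interface name eth0, the router address 192.168.1.1, the ports 5353/9040 and the 10.192.0.0/10 pool are assumptions; the torrc path and the use of iptables REDIRECT are likewise assumed.

```shell
#!/bin/sh
# Added example (not from the original mail or from Tor): DNSPort + TransPort +
# VirtualAddrNetwork + AutomapHostsOnResolve on a LAN router.
# Without arguments it only defines functions; with --apply (as root, on the
# router) it appends the torrc fragment and installs the iptables rules.
# All values below are assumptions; adjust them to your network.

LAN_IF="${LAN_IF:-eth0}"                  # interface the LAN clients sit behind (assumed)
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"     # router's LAN address (assumed)
DNS_PORT="${DNS_PORT:-5353}"              # Tor's DNSPort (assumed)
TRANS_PORT="${TRANS_PORT:-9040}"          # Tor's TransPort (assumed)
VIRT_NET="${VIRT_NET:-10.192.0.0/10}"     # VirtualAddrNetwork pool (assumed; must not overlap the LAN)
TORRC="${TORRC:-/etc/tor/torrc}"          # torrc to append to (assumed)

# torrc lines: Tor answers A/AAAA queries for .onion names with an address
# drawn from VIRT_NET and remembers the onion->IP mapping for TransPort.
torrc_fragment() {
    cat <<EOF
# Tor answers DNS from LAN clients here.
DNSPort ${ROUTER_IP}:${DNS_PORT}
# Transparent-proxy port; intercepted TCP is redirected here.
TransPort ${ROUTER_IP}:${TRANS_PORT}
# Pool of fake addresses handed out for .onion lookups.
VirtualAddrNetwork ${VIRT_NET}
# Return a pool address for .onion names instead of a failed lookup.
AutomapHostsOnResolve 1
EOF
}

# iptables rules: LAN DNS goes to DNSPort; TCP destined for the virtual pool
# goes to TransPort, where Tor reverses the mapping it handed out.
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp -d ${VIRT_NET} -j REDIRECT --to-ports ${TRANS_PORT}
EOF
}

# Dotted-quad IPv4 address -> integer (POSIX sh arithmetic).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds if IPv4 address $1 lies inside CIDR block $2.
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Check that Tor's resolver automapped a .onion name: the first answer must be
# an address from VIRT_NET. Needs dig and a running tor; not run by the tests.
verify_lookup() {
    addr=$(dig @"${ROUTER_IP}" -p "${DNS_PORT}" +short "$1" | head -n 1)
    [ -n "$addr" ] && ip_in_cidr "$addr" "$VIRT_NET"
}

if [ "${1:-}" = "--apply" ]; then
    torrc_fragment >> "$TORRC"
    iptables_rules | sh -e
    echo "restart tor, then: verify_lookup <name>.onion"
fi
```

Clients on the LAN use the router as their resolver (or have port 53 redirected by the first rule), receive a 10.192.0.0/10 address for a .onion name, connect to it, and the second rule hands that TCP connection to TransPort, where Tor maps the destination address back to the onion name. Keep VirtualAddrNetwork disjoint from every real network the router routes, or the REDIRECT rule will swallow legitimate traffic.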

