
Re: [tor-talk] How does DNS work with .onion addresses?



Thank you for your informative response.


>>> For .onion addresses, DNS is not used. Your Tor client receives a SOCKS
>>> connect request for a .onion address and recognises it as a hidden
>>> service request. Your Tor client then performs the hidden-service
>>> rendezvous procedure, including looking up the current introduction
>>> point in the hidden service distributed hash table (as your traffic
>>> never leaves the Tor network, there's no exit node involved).

I should have read the Tor Project documentation about hidden services first.

I take your point: the client requests the .onion address, goes to the distributed hash table in the directory server, learns where the introduction nodes are for that .onion address, and sets up a rendezvous point. Hence, as you point out, all is done within the Tor network and hence there is no need for DNS resolution.


> Is it possible for DNS to leak with .onion?

>>> There are people who survey DNS, and they report that there are quite a lot
>>> of requests for .onion. Some of these are people clicking on .onion
>>> links without Tor, but some could be the result of DNS leaks.

I would hope that if one is using the TBB then such leakage would not occur.



On Friday, June 27, 2014 2:12 PM, Mike Cardwell <tor@xxxxxxxxxxxxxxxxxx> wrote:
 


* on the Fri, Jun 27, 2014 at 12:48:27PM +0100, Steven Murdoch wrote:


>> I know that when the TBB connects to a 'normal' .com or .org or
>> whatever address then the DNS resolution is done by the exit node.
>> There is no need anymore (not for several years now) for the client
>> to set-up DNS manually (as used to be the case with Polipo
>> or Privoxy).
>> 
>> However, how does DNS work for .onion?  I assume that each exit node
>> understands how to route traffic for all .onion addresses? How does
>> it know how to direct the client request?
> 
> For .onion addresses, DNS is not used. Your Tor client receives a
> SOCKS connect request for a .onion address and recognises it as a
> hidden service request. Your Tor client then performs the
> hidden-service rendezvous procedure, including looking up the current
> introduction point in the hidden service distributed hash table (as
> your traffic never leaves the Tor network, there's no exit
> node involved).

There is an exception to this rule. If you use DNSPort + TransPort +
VirtualAddrNetwork + AutomapHostsOnResolve, Tor provides a DNS resolver.
And if you perform an A/AAAA record lookup for a .onion domain against
that DNS resolver, then it will pick a unique IP address from a pool you
specified (10.0.0.0/8 or similar) and return that. It will then remember
the Onion->IP mapping. It is then your job to intercept connections to
those IPs on your router and forward them to the host/port specified in
TransPort. Tor will see those connections and figure out the hidden
service you're trying to connect to by reversing the Onion->IP mapping
that it provided earlier during the DNS lookup.

This is why any device on my LAN can talk to hidden services, without
having to install Tor on each of them, albeit less securely than if
they all had Tor installed locally of course.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
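The automap mechanism Mike describes (DNSPort + TransPort + VirtualAddrNetwork + AutomapHostsOnResolve), as an added toy model in Python: a .onion A lookup is answered with a fresh address from the virtual pool, the mapping is remembered, and a later redirected connection is reversed back to the onion name. This is an illustration written for this thread, not Tor's code or Mike's; the 10.192.0.0/10 pool, the ports in the comment and the .onion names are constructed.

```python
import ipaddress
from typing import Dict, Optional

# Toy model of the automap behaviour described above (constructed illustration,
# not Tor's code). The torrc it mimics is roughly:
#   DNSPort 5353 / TransPort 9040 / AutomapHostsOnResolve 1
#   VirtualAddrNetworkIPv4 10.192.0.0/10   <- pool of placeholder addresses
class OnionAutomap:
    def __init__(self, virtual_net: str = "10.192.0.0/10") -> None:
        self.net = ipaddress.ip_network(virtual_net)
        self._free = self.net.hosts()      # unused pool addresses, in order
        self.by_name: Dict[str, ipaddress.IPv4Address] = {}
        self.by_addr: Dict[ipaddress.IPv4Address, str] = {}

    def resolve_a(self, qname: str) -> Optional[str]:
        """A query arriving at DNSPort. Only .onion names are automapped;
        anything else returns None here (Tor would resolve it via an exit)."""
        name = qname.rstrip(".").lower()
        if not name.endswith(".onion"):
            return None
        if name not in self.by_name:       # first sight: allocate and remember
            addr = next(self._free)        # StopIteration once the pool is used up
            self.by_name[name] = addr
            self.by_addr[addr] = name
        return str(self.by_name[name])     # repeat lookups get the same address

    def onion_for_connection(self, dst_ip: str) -> Optional[str]:
        """Reverse the mapping for a TCP flow the router redirected to TransPort.
        None means the destination is not an automapped address."""
        addr = ipaddress.ip_address(dst_ip)
        if addr not in self.net:           # a real IP, nothing to reverse
            return None
        return self.by_addr.get(addr)

def demo() -> dict:
    # Constructed sample traffic from a LAN host that has no local Tor client.
    am = OnionAutomap()
    first = am.resolve_a("exampleonionaddress.onion")
    return {
        "first": first,
        "again": am.resolve_a("EXAMPLEONIONADDRESS.onion."),  # same name, same IP
        "other": am.resolve_a("another.onion"),
        "clearnet": am.resolve_a("torproject.org"),
        "reversed": am.onion_for_connection(first),
        "unmapped": am.onion_for_connection("10.192.0.250"),
        "outside_pool": am.onion_for_connection("198.51.100.7"),
    }
```

Note the two failure cases in `demo()`: a pool address Tor never handed out, and an ordinary IP outside the pool, both come back as None, which is why the router rule must only redirect the VirtualAddrNetwork range to TransPort.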

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk