[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Is this a Tor exit node connecting to me?
When Roger sent out that email about the Google summer of code
thing, I took a look at the Volunteer page
(http://tor.eff.org/volunteer.html.en) and one item caught my
interest: Item #3 under "Coding and Design".
To quote from the page:
[We need an official central site to answer "Is this IP address a
Tor exit server?" questions. This should provide several
interfaces, including a web interface and a DNSBL-style interface.
It can provide the most up-to-date answers by keeping a local
mirror of the Tor directory information. The tricky point is that
being an exit server is not a boolean: so the question is actually
"Is this IP address a Tor exit server that can exit to my IP
address:port?" The DNSBL interface will probably receive hundreds
of queries a minute, so some smart algorithms are in order. Bonus
points if it does active testing through each exit node to find out
what IP address it's really exiting from.]
For greater depth on the subject, see this page:
So anyways, I have implemented a Tor DNSBL server interface. The
address of the DNSBL is "tor.dnsbl.nighteffect.us".
Here are some details on how to use it:
The DNSBL server responds to two different types of 'A' record
1) The first type is to simply provide an answer as to whether a
given IP is an active Tor server or not. So, assuming the DNSBL
domain name is 'tor.dnsbl.nighteffect.us', and you want to check if
IP '18.104.22.168' is a Tor server, you would send the following 'A'
Note that the octets of the IP address have been reversed, like a
PTR record, only this is an 'A' request.
If '22.214.171.124' is an active Tor server, the DNSBL server will respond
with a '127.0.0.2' 'A' record. If '126.96.36.199' is NOT an active Tor
server, the DNSBL server will respond with a 'Non-Existent Domain
2) The second query type provides an answer for the question "Is
this IP an active Tor server, and, if so, would it's exit policy
allow an exit to this destination IP and port?" So, assuming the
DNSBL domain name is
'tor.dnsbl.nighteffect.us', and you want to check if IP '188.8.131.52'
is an active Tor server capable of exiting to '184.108.40.206', on
port 60000, you would send the following 'A' record query:
If '220.127.116.11' is an active Tor server, AND if that Tor server can
'18.104.22.168', port 60000, the DNSBL server will respond with a
'127.0.0.2' 'A' record. If '22.214.171.124' is NOT an active Tor server,
or if '126.96.36.199' IS an active Tor server, but is using an exit
policy that would prevent exit to '188.8.131.52', port 60000, the
DNSBL server will respond with a 'Non-Existent Domain (NXDOMAIN)'
The DNSBL server will always respond with an NXDOMAIN error if a
client tries to lookup anything outside of the DNSBL domain name.
So, if a client sends an 'A' request for 'www.google.com', the
DNSBL server will return an NXDOMAIN error.
The DNSBL server will set the 'Authoritative' flag to true for
responses that are within it's root domain name, and will set it to
false for responses that are outside of it.
If you're still cloudy on why this is useful, please refer to this
This has been implemented as part of my TorNetworkStatus site, so
the source code for both the site and the DNSBL server are
Currently, the database is updated with fresh info every 5 minutes.
I've also put up a web interface to do these kinds of lookups:
Hopefully somebody finds this useful.