
Is this a Tor exit node connecting to me?



Hi all,


When Roger sent out that email about the Google summer of code 
thing, I took a look at the Volunteer page 
(http://tor.eff.org/volunteer.html.en) and one item caught my 
interest: Item #3 under "Coding and Design". 

To quote from the page:

[We need an official central site to answer "Is this IP address a 
Tor exit server?" questions. This should provide several 
interfaces, including a web interface and a DNSBL-style interface. 
It can provide the most up-to-date answers by keeping a local 
mirror of the Tor directory information. The tricky point is that 
being an exit server is not a boolean: so the question is actually 
"Is this IP address a Tor exit server that can exit to my IP 
address:port?" The DNSBL interface will probably receive hundreds 
of queries a minute, so some smart algorithms are in order. Bonus 
points if it does active testing through each exit node to find out 
what IP address it's really exiting from.]

For greater depth on the subject, see this page: 
http://tor.eff.org/svn/trunk/doc/contrib/torbl-design.txt

So anyways, I have implemented a Tor DNSBL server interface. The 
address of the DNSBL is "tor.dnsbl.nighteffect.us".

Here are some details on how to use it:

==============================================

The DNSBL server responds to two different types of 'A' record 
queries:

1) The first type is to simply provide an answer as to whether a 
given IP is an active Tor server or not. So, assuming the DNSBL 
domain name is 'tor.dnsbl.nighteffect.us', and you want to check if 
IP '1.2.3.4' is a Tor server, you would send the following 'A' 
record query:

4.3.2.1.tor.dnsbl.nighteffect.us

Note that the octets of the IP address have been reversed, like a 
PTR record, only this is an 'A' request.

If '1.2.3.4' is an active Tor server, the DNSBL server will respond 
with a '127.0.0.2' 'A' record. If '1.2.3.4' is NOT an active Tor 
server, the DNSBL server will respond with a 'Non-Existent Domain 
(NXDOMAIN)' error.

2) The second query type provides an answer for the question "Is 
this IP an active Tor server, and, if so, would its exit policy 
allow an exit to this destination IP and port?" So, assuming the 
DNSBL domain name is 'tor.dnsbl.nighteffect.us', and you want to 
check if IP '1.2.3.4' is an active Tor server capable of exiting to 
'55.66.77.88', on port 60000, you would send the following 'A' 
record query:

4.3.2.1.60000.88.77.66.55.tor.dnsbl.nighteffect.us

If '1.2.3.4' is an active Tor server, AND if that Tor server can 
exit to '55.66.77.88', port 60000, the DNSBL server will respond 
with a '127.0.0.2' 'A' record. If '1.2.3.4' is NOT an active Tor 
server, or if '1.2.3.4' IS an active Tor server, but is using an 
exit policy that would prevent exit to '55.66.77.88', port 60000, 
the DNSBL server will respond with a 'Non-Existent Domain 
(NXDOMAIN)' error.


The DNSBL server will always respond with an NXDOMAIN error if a 
client tries to look up anything outside of the DNSBL domain name. 
So, if a client sends an 'A' request for 'www.google.com', the 
DNSBL server will return an NXDOMAIN error.

The DNSBL server will set the 'Authoritative' flag to true for 
responses that are within its root domain name, and will set it to 
false for responses that are outside of it.

==============================================

If you're still cloudy on why this is useful, please refer to this 
link:
http://tor.eff.org/svn/trunk/doc/contrib/torbl-design.txt

This has been implemented as part of my TorNetworkStatus site, so 
the source code for both the site and the DNSBL server are 
available at:

https://nighteffect.us

Currently, the database is updated with fresh info every 5 minutes.

I've also put up a web interface to do these kinds of lookups:
https://nighteffect.us/tns/tor_exit_query.php


Hopefully somebody finds this useful.


Best regards,


Joe Kowalski
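
A client-side sketch of the two query types described in the message above, added here as an example; it is not part of the original post or of the TorNetworkStatus source. The function names are assumptions, and the lookup uses whatever resolver the system is configured with.

```python
import ipaddress
import socket

ZONE = "tor.dnsbl.nighteffect.us"   # zone named in the post
LISTED = "127.0.0.2"                # answer the post gives for a match


def reversed_octets(ip):
    """Validate an IPv4 address and return its octets in reverse order."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split(".")))


def build_query(relay_ip, dest_ip=None, dest_port=None, zone=ZONE):
    """Build the 'A' query name for query type 1 or type 2 from the post."""
    if (dest_ip is None) != (dest_port is None):
        raise ValueError("dest_ip and dest_port must be given together")
    labels = [reversed_octets(relay_ip)]
    if dest_ip is not None:
        port = int(dest_port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % dest_port)
        # Type 2 order: reversed relay IP, port, reversed destination IP.
        labels += [str(port), reversed_octets(dest_ip)]
    return ".".join(labels + [zone])


def is_listed(name, resolve=socket.gethostbyname):
    """True on 127.0.0.2, False on NXDOMAIN; other lookup errors propagate.

    Re-raising keeps a resolver timeout from being read as "not a Tor exit".
    """
    try:
        return resolve(name) == LISTED
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:     # name does not exist
            return False
        raise


if __name__ == "__main__":
    # Addresses are the sample values used in the post.
    print(build_query("1.2.3.4"))
    print(build_query("1.2.3.4", "55.66.77.88", 60000))
```

Passing a different `resolve` callable lets the decision logic be exercised without sending any DNS traffic.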