
Re: ff & 2.0 (remote) dns leaks when using tor

(Just got back in town, am starting to plow through my mail)

On Fri, Nov 17, 2006 at 03:38:12PM -0800, lester psigal wrote:
> > Well, just so you don't feel that everyone is ignoring you, I'll voice
> > most of our reactions: *shock*, *eyes popping*. Woops, time to turn
> > privoxy back on (use HTTP proxy port 8118 and don't list anything in
> > the SOCKS line).

Actually, as far as I know, you should list at least http, https,
and socks. The reason is that some plugins look at one proxy setting,
and some look at others. And alas, some plugins don't look at any,
which might be what you're experiencing.

> what i've forgotten to mention is that my installation of firefox uses
> torbutton 1.0.4 which is a firefox add-on preconfiguring the proxy
> settings for the vidalia bundle, that is http/s: localhost:8118
> and socksv5 localhost:9050.
> that's alright so far.

It "shouldn't" be Torbutton's fault. That's not to say it isn't, but if I
were looking for a problem, Torbutton would be pretty far down on my list.
It just changes Firefox's configuration, after all.

> i was wondering if i got a special problem with my installation or if
> that is a problem of a more general type, but according to the feedback
> and other (non-existent) postings it must be a special one, or perhaps a
> lot of people are thinking they surf anonymously but still leak their
> dns requests...

Might well be. We need to test-and-document all configuration
combinations, with all the weird extra software that people use. I
would bet there are a wide variety of seemingly ok combinations that
are actually bad. Plus, there are many seemingly bad combinations that
people don't realize might be bad. :)

> anyway, i've tried to solve the problem more systematically:
> i've cleared the cache, tried some web addresses and checked the
> ethereal logs and it turns out that with the
> settings mentioned above on each url a local udp dns request occurs,
> while the tor log reads:
> -
> Nov 16 14:07:08:052 [Notice] fetch_from_buf_socks(): Your application
> (using socks4a on port 80) gave Tor a hostname, which means Tor will do
> the DNS resolve for you. This is good.
> -
> one log entry for each request privoxy makes.

Looks good. These are coming from privoxy, which uses socks4a.

> this must be wrong because i'm using mozilla thunderbird with the
> torbutton add-on too (same settings). over here no local dns lookup occurs
> and the tor log entry reads:
> -
> Nov 16 14:26:24:434 [Notice] fetch_from_buf_socks(): Your application
> (using socks5 on port 995) gave Tor a hostname, which means Tor will do
> the DNS resolve for you. This is good.
> -
> which means thunderbird connects directly to the tor client and speaks
> socks v5 (and not socks 4a !). the dns query is resolved via the
> circuit as intended...

Yep. Your thunderbird is talking pop3s, which is not http, so it can't use
the http proxy setting. This is an example of one of the applications I
mentioned above. So if you leave your socks proxy line blank, Thunderbird
will go out directly, even if your http/https proxies are set.

> so i was expecting that firefox does the same: first resolve the dns
> name via the socks 5 tor client and then retrieve the http/s content via
> privoxy/tor...

No, I believe your Thunderbird never does any http/https content,
at least not in the examples you've pasted.

> also, i've recognized that the local dns queries are occurring when there
> is a direct user interaction with the browser like entering an url,
> selecting a bookmark, clicking a link etc. while requests from websites
> (when loading a page) seem to be resolved remotely (they do not show up
> in the ethereal logs but are requested in privoxy and log'ged by tor).
> unfortunately, i don't know if ff resolves dns by an own internal
> resolver thread or by delegating to the system which makes the whole
> thing worse.

My first guess is that you have some other firefox plugin installed that
does a dns lookup for everything you type. What other plugins/extensions
do you have?
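
What the fetch_from_buf_socks() notices quoted above are reporting, as an added example that is not part of the original message and is not Tor's code: a Python classifier for the SOCKS4, SOCKS4a and SOCKS5 request forms that tells whether the client handed the proxy a hostname or an already-resolved IP address. The function name, the sample byte strings and the example.com / 192.0.2.10 destinations are constructed for illustration.

```python
import ipaddress
import struct

def classify_socks_request(buf: bytes):
    """Classify one SOCKS CONNECT request (SOCKS5: after method negotiation).

    Returns (protocol, destination, port, resolver). resolver is "proxy" when
    the client sent a hostname, "client" when it sent an already-resolved IP.
    """
    try:
        if buf[0] == 4:
            (port,) = struct.unpack("!H", buf[2:4])
            ip = buf[4:8]
            user_end = buf.index(0, 8)            # USERID is NUL-terminated
            # SOCKS4a marker: DSTIP of 0.0.0.x with x != 0, hostname follows
            if len(ip) == 4 and ip[:3] == b"\0\0\0" and ip[3] != 0:
                host_end = buf.index(0, user_end + 1)
                host = buf[user_end + 1:host_end].decode("ascii")
                return ("socks4a", host, port, "proxy")
            return ("socks4", str(ipaddress.IPv4Address(ip)), port, "client")
        if buf[0] == 5:
            atyp = buf[3]
            if atyp == 3:                         # length-prefixed domain name
                n = buf[4]
                host, tail = buf[5:5 + n], buf[5 + n:7 + n]
                if len(host) != n:
                    raise ValueError("short hostname")
                (port,) = struct.unpack("!H", tail)
                return ("socks5", host.decode("ascii"), port, "proxy")
            size = {1: 4, 4: 16}[atyp]            # IPv4 or IPv6 literal
            addr, tail = buf[4:4 + size], buf[4 + size:6 + size]
            (port,) = struct.unpack("!H", tail)
            return ("socks5", str(ipaddress.ip_address(addr)), port, "client")
    except (IndexError, KeyError, struct.error, ValueError) as exc:
        raise ValueError("malformed or truncated SOCKS request") from exc
    raise ValueError("not a SOCKS4/SOCKS5 request")

# Constructed sample requests; hostnames and addresses are placeholders.
_MAIL = b"pop.example.com"
SAMPLES = {
    "socks4a, port 80": b"\x04\x01\x00\x50\0\0\0\x01\0example.com\0",
    "socks5 hostname, port 995":
        b"\x05\x01\x00\x03" + bytes([len(_MAIL)]) + _MAIL + struct.pack("!H", 995),
    "socks5 IP literal, port 80":
        b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 80),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_socks_request(raw))
```

A "client" result means the name was resolved before the request reached the proxy, so that is the case to correlate with local UDP DNS traffic in a packet capture.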