[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?
From: Rob van der Hoeven <robvanderhoeven@xxxxxxxx>
Date: Wed, 25 Oct 2017 22:42:06 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 25 Oct 2017 16:42:24 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi Folks,

I'm testing a small single-program transproxy program that I wrote (not
released yet). This program forwards DNS requests to the DNSPort of the
Tor daemon. During my tests I noticed something that worries me. 

With my program I can basically redirect network traffic from any
program to the DNSPort/TransPort of the Tor daemon. For fun I tried: 

dig hoevenstein.nl 

To my surprise I got an answer from one of the nameservers in my own
resolv.conf. It looks like the exit node blindly uses the nameserver
from the original request. Can anyone confirm this?

I checked with wireshark, and no DNS queries are leaving my system,
also the query time indicates the request was done using the Tor
network.

Leaking a users nameserver looks dangerous to me.
Can someone shine a light on this?

Rob.
https://hoevenstein.nl

=====================================
Here are the result of my experiment:
=====================================

rob@jessie:~$ aorta -t dig hoevenstein.nl

RUNNING dig hoevenstein.nl

; <<>> DiG 9.10.3-P4-Debian <<>> hoevenstein.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61683
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hoevenstein.nl.			IN	A

;; ANSWER SECTION:
hoevenstein.nl.		3600	IN	A	94.211.74
.2

;; Query time: 178 msec
;; SERVER: 89.101.251.228#53(89.101.251.228)
;; WHEN: Wed Oct 25 21:39:03 CEST 2017
;; MSG SIZE  rcvd: 48

AORTA CLOSED ...

rob@jessie:~$ cat /etc/resolv.conf
# Generated by NetworkManager
search dynamic.ziggo.nl
nameserver 89.101.251.228
nameserver 89.101.251.229

Without using Tor:
==================

rob@jessie:~$ dig hoevenstein.nl

; <<>> DiG 9.10.3-P4-Debian <<>> hoevenstein.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17152
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hoevenstein.nl.			IN	A

;; ANSWER SECTION:
hoevenstein.nl.		3600	IN	A	94.211.74
.2

;; Query time: 16 msec
;; SERVER: 89.101.251.228#53(89.101.251.228)
;; WHEN: Wed Oct 25 21:46:28 CEST 2017
;; MSG SIZE  rcvd: 59

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?
  - From: Allen

Prev by Author: [tor-talk] Need a stable .onion address hosted by the Tor project.
Next by Author: Re: [tor-talk] Need a stable .onion address hosted by the Tor project.
Previous by thread: Re: [tor-talk] a security and stability update
Next by thread: Re: [tor-talk] Does the Tor DNS transparent proxy code use clients nameservers?
Index(es):
- Author
- Thread