[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Squid Proxy Causes Unavoidable DNS Leaks

* ADB (firefox-gen@xxxxxxxxxx) wrote:
> Sounds complicated. If it can be done effectively, I'd put it on the 
> wiki just for the heck of it, but would NOT recommend doing any of this 
> stuff as standard configuration policy (it's just not worth the time, 
> effort, and risks if you screw up).
> ~ADB
> 
> Jack Cummings wrote:
> 
> >On Mon, Sep 12, 2005 at 11:53:04AM -0400, u-281@xxxxxxx wrote:
> >
> > 
> >
> >>Squid can be compiled with the option --disable-internal-dns, and 
> >>configured to
> >>use an external dns server (dnsserver).  I think replacing the line
> >>gethostbyname in dnsserver.c by something like 
> >>spawnv("/usr/bin/tor-resolve",
> >>buf, localhost:9050, NULL); could do it to use tor network for dns 
> >>requests. Then one could grab the result from tor-resolve and send it 
> >>back to dnsserver. I'm not that fluent in C to accomplish this, but it 
> >>seems to be a viable
> >>solution.
> >>   
> >>
> >
> >I made a sh wrapper around tor-resolve that outputs something that looks 
> >like
> >the output of dnsserver:
> >
> >--
> >[jack@needle:jack]$ cat /opt/pkg/squid/libexec/tor-dnsserver
> >#!/bin/sh
> >while read addr
> >do
> >       r=$(tor-resolve $addr)
> >       echo "\$addr 0 $r"
> >done
> >--
> >
> >And in the squid.conf file:
> >
> >--
> >...
> >cache_dns_program /opt/pkg/squid/libexec/tor-dnsserver
> >#cache_dns_program /opt/pkg/squid/libexec/dnsserver
> >dns_children 5
> >...
> >--
> >
> >as a first pass, it works, although it does not properly handle failed DNS
> >requests.

Ok, nice work Jack!  Clever!  It works just fine for most of the requests. 

It won't handle reverse DNS requests too as tor-resolve doesn't support it.
I thought using dnsserver for it.  Untested:

#!/bin/sh
shopt -s extglob
while read host
do
        if [[ "$host" != +([0-9])\.+([0-9])\.+([0-9])\.+([0-9]) ]]
        then
	    # normal dns
            r=$(tor-resolve $host localhost:9055)
	    if [[ "$r" != +([0-9])\.+([0-9])\.+([0-9])\.+([0-9]) ]]
	    then
		# error reported by tor-resolve, let dnsserver handle it
	        echo "$host" | dnsserver
	    else
		# handled properly by tor-resolve
                echo "\$addr 0 $r"
	    fi
        else
	    # reverse dns, let dnsserver handle it
            echo "$host" | dnsserver
        fi
done

For error handling, tor-resolve will report them:

  if (len < RESPONSE_LEN) {
    log_fn(LOG_WARN,"Truncated socks response.");
    return -1;
  }
  if (((uint8_t)response[0])!=0) { /* version: 0 */
    log_fn(LOG_WARN,"Nonzero version in socks response: bad format.");
    return -1;
  }
  status = (uint8_t)response[1];
  if (get_uint16(response+2)!=0) { /* port: 0 */
    log_fn(LOG_WARN,"Nonzero port in socks response: bad format.");
    return -1;
  }
  if (status != 90) {
    log_fn(LOG_WARN,"Got status response '%d': socks request failed.", status);
    return -1;
  }

My suggestion would be in case tor-resolve reports an error, to resend the
request to dnsserver and let it handle it.