Re: [tor-bugs] #8215 [Tor]: Simple Relay: random unknown UDP port in listen mode
#8215: Simple Relay: random unknown UDP port in listen mode
-----------------------------+------------------------------
Reporter: elgo | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Tor: unspecified
Component: Tor | Version:
Resolution: | Keywords: tor-relay dns
Actual Points: | Parent ID:
Points: |
-----------------------------+------------------------------
Comment (by nickm):
Replying to [comment:11 arma]:
[...]
> > - Why does a Tor relay need to do DNS lookups at all?
>
> If a Tor client wants to visit cnn.com, she can't very well do the dns
> resolve herself -- otherwise anybody watching her network would know where
> she will soon anonymously go. So she sends "cnn.com" to the exit relay,
> which resolves it and connects.
Cypherpunks might be asking "why does a [non-exit] relay need to do DNS
lookups". The answer is that they don't need to do DNS lookups for users
at all -- and they refuse any requests that users make. The only lookups
that were still happening were self-testing lookups, which we just fixed
with the patch to bug #965.
I wonder if the #965 fix (which will go into 0.2.5.3-alpha) is sufficient
to make us stop opening the UDP ports entirely. If not, another fix is in
order.
> > - If Tor actually needs to do its own DNS lookups, shouldn't it be
> > using a randomized source port for every query? (Otherwise it is
> > relatively trivial to send it spoofed answers, no?)
>
> I hope it does. Please check.
I don't think we do; we use a hypervigilant version of the 0x20 trick
instead. (We randomize case in outgoing requests, and treat a reply with
correct port and trans_id but mismatched case as indicating an error, and
cancel the request.)
I tried getting the randomized source port trick to work once, but the
usual way of doing it would run exit nodes out of sockets pretty fast on
hosts like OSX that are slow to release ports.
I'd be glad to take a patch for evdns in libevent, if we can limit the
number of sockets to something less than "an unbounded number".
> > - Is it bad that my Tor relay where I just noticed this port (leading
> > me to find this ticket) can only make TCP connections? It seems to be
> > relaying traffic nonetheless, but now I'm worried perhaps I'm failing
> > circuits to relays which only have DNS names in their descriptors? (Do
> > such relays exist?)
>
> If you're a non-exit relay, it's ok because typically clients will never
> ask you to do dns resolves for them. If you're an exit relay, yes it's
> bad.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8215#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
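As an added illustration of the "hypervigilant 0x20" check nickm describes above (not code from Tor, libevent or this ticket), the following model randomizes the case of the outgoing question name and classifies a reply by transaction ID and byte-exact question name: a reply with the right ID but a differently-cased name is treated as an error and the request is cancelled rather than silently ignored. Source-port matching is assumed to be done by the socket the query was sent on; the DNS reply used below is a constructed sample.

```python
# Added illustration, not Tor or libevent code: a model of the 0x20 check
# with the "cancel on case mismatch" behaviour described in the ticket.
import secrets
import struct

def randomize_0x20(name: str) -> str:
    """Randomly flip the 0x20 (case) bit of each letter; digits/dots unchanged."""
    bits = secrets.randbits(len(name))
    return "".join(c.upper() if (bits >> i) & 1 else c.lower()
                   for i, c in enumerate(name))

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035), preserving case."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(trans_id: int, qname: str) -> bytes:
    """Header (RD set, QDCOUNT=1) plus one A/IN question."""
    header = struct.pack("!HHHHHH", trans_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def make_reply(trans_id: int, echoed_qname: str) -> bytes:
    """Constructed sample reply: QR/RD/RA set, question echoed, no answers."""
    header = struct.pack("!HHHHHH", trans_id, 0x8180, 1, 0, 0, 0)
    return header + encode_name(echoed_qname) + struct.pack("!HH", 1, 1)

def decode_name(pkt: bytes, off: int) -> str:
    """Decode uncompressed labels starting at off, preserving case."""
    labels = []
    while pkt[off]:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def classify_reply(reply: bytes, expected_id: int, sent_qname: str) -> str:
    """Port matching is left to the socket the query went out on (assumed).
    'ignore': not a response to our trans_id. 'accept': trans_id and the
    echoed question name match byte-for-byte. 'cancel': trans_id matches
    but the case differs, so the request is treated as errored and dropped."""
    trans_id, flags, qdcount = struct.unpack("!HHH", reply[:6])
    if trans_id != expected_id or not flags & 0x8000:
        return "ignore"
    if qdcount != 1 or decode_name(reply, 12) != sent_qname:
        return "cancel"
    return "accept"

if __name__ == "__main__":
    qname = randomize_0x20("www.example.com")
    print(qname, classify_reply(make_reply(0x1234, qname), 0x1234, qname))
    print(classify_reply(make_reply(0x1234, qname.swapcase()), 0x1234, qname))
```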