[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
From: Ondrej Mikle <ondrej.mikle@xxxxxxxxx>
Date: Thu, 26 Jan 2012 22:42:53 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 26 Jan 2012 16:43:10 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :x-enigmail-version:content-type:content-transfer-encoding; bh=XAYQrXDV+FBqvJoJ7SSg5Zr3Q7ec/PbfbAlZKVg3edA=; b=HY2nCNlD8lSQkfRwTft0O0uucTU9kFfFmt4md+bdVllTT4rrjV1YOT8L/1YVH+zKVB pbysVtdVWcNdTc0VW/Et+DQMilvABwGg2MnToSSN0C/VyT8raSqFl4EPS7vnHDjBUg2O 4MYENxnHggK6ReyjS5Um8cAuuqKGKFUQ7Yrjg=
List-archive: <http://lists.torproject.org/pipermail/tor-dev>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for discussion by the developers of Tor." <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1

Hi,

I decided to give it a shot in implementing full DNS/DNSSEC resolution support
for Tor, here's the branch:

https://github.com/hiviah/tor

ATM the biggest limitation is that reply DNS packet must fit in a single cell
(i.e. max size is RELAY_PAYLOAD_SIZE).

How it's implemented:

There's new command SOCKS_COMMAND_RESOLVE_FULL for SOCKS interface and new cells
RELAY_COMMAND_RESOLVE(D)_FULL. The RESOLVE_FULL cell contains query string and
RR-type, RESOLVED_FULL just the DNS packet in wire format.

Resolving is implemented via libunbound on the relay's side, ldns parses packet
on client's side.

The tor-resolve now uses the new SOCKS command and accepts -t parameter with
RR-type (numeric, default 1 - RR-type 'A'), e.g.:

./src/tools/tor-resolve -t 28 lupa.cz localhost:10050

Packet size: 319
Flags: qr: 1, aa: 0, tc: 0, rd: 1, cd: 0, ra: 1, ad: 1
-- Rcode: NOERROR
-- Opcode: QUERY
-- Question section
lupa.cz.	IN	AAAA
-- Answer section
lupa.cz.	600	IN	AAAA	2001:67c:68::7b
lupa.cz.	600	IN	RRSIG	AAAA 5 2 600 20121022235305 20111023235305 8130 lupa.cz.
wFdVqKCEh4Nmac3v5K9y6HT+aIBAtF4Q9QIqHjlAl/ljp4m5TKkgKCF083zFTMh0LqfwdODfQdSNTKAwO55hyw==
-- Authority section
lupa.cz.	600	IN	NS	ns.iinfo.cz.
lupa.cz.	600	IN	NS	ns6.adminit.cz.
lupa.cz.	600	IN	RRSIG	NS 5 2 600 20121022235305 20111023235305 8130 lupa.cz.
SpqkpBlK1dzrfACHh3yfUp01Vr/w9qzVYQms4RDXNQZW1Hwr5WYMHIuGrFEgOOrjyg1vB01HENXJf4i2ISx51g==
-- Additional section


Other implementation notes:
- some checks like whether private address is resolved are missing (also a
whitelist of allowed RR-types might be implemented)
- in the SOCKS5 request, RR-type is hacked onto port number
- in SOCKS5 reply, high byte of length is hacked onto SOCKS5 reserved byte
- libunbound supports async resolving, for now synchronous is used
- there are more details, grep FIXDNS in code
- Makefile.am's have -lldns and -lunbound hardwired
- new code may not be pretty at some places (getting to know Tor code)


Also, this seems to be a bug in
relay.c:connection_edge_process_relay_cell_not_open(), the
RELAY_COMMAND_RESOLVED case:

    answer_len = cell->payload[RELAY_HEADER_SIZE+1];
    if (rh->length < 2 || answer_len+2>rh->length) {...}

Payload is accessed before checking bounds.


Ondrej
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Roger Dingledine
- Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Roger Dingledine
- Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
  - From: Watson Ladd

Prev by Author: Re: [tor-dev] Tor and DNS
Next by Author: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Previous by thread: Re: [tor-dev] Windows Alternative of torsocks/tsocks ?
Next by thread: Re: [tor-dev] DNS/DNSSEC resolving in Tor (PoC implementation)
Index(es):
- Author
- Thread