On Fri, Jun 27, 2014 at 12:48:27PM +0100, Steven Murdoch wrote:
>> I know that when the TBB connects to a 'normal' .com or .org or
>> whatever address then the DNS resolution is done by the exit node.
>> There is no need anymore (not for several years now) for the client
>> to set up DNS manually (as used to be the case with Polipo
>> or Privoxy).
>>
>> However, how does DNS work for .onion? I assume that each exit node
>> understands how to route traffic for all .onion addresses? How does
>> it know how to direct the client request?
>
> For .onion addresses, DNS is not used. Your Tor client receives a
> SOCKS connect request for a .onion address and recognises it as a
> hidden service request. Your Tor client then performs the
> hidden-service rendezvous procedure, including looking up the current
> introduction point in the hidden service distributed hash table (as
> your traffic never leaves the Tor network, there's no exit
> node involved).

There is an exception to this rule. If you use DNSPort + TransPort +
VirtualAddrNetwork + AutomapHostsOnResolve, Tor provides a DNS resolver.
And if you perform an A/AAAA record lookup for a .onion domain against
that DNS resolver, then it will pick a unique IP address from a pool you
specified (10.0.0.0/8 or similar) and return that. It will then remember
the Onion->IP mapping.

It is then your job to intercept connections to those IPs on your router
and forward them to the host/port specified in TransPort. Tor will see
those connections and figure out the hidden service you're trying to
connect to by reversing the Onion->IP mapping that it provided earlier
during the DNS lookup.

This is why any device on my LAN can talk to hidden services, without
having to install Tor on each of them, albeit less securely than if they
all had Tor installed locally, of course.
--
Mike Cardwell  https://grepular.com  https://emailprivacytester.com
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
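As an added example (not from the post above and not the Tor project's own code), here is what the setup Mike describes looks like in concrete form on a Linux router: a torrc fragment for the Tor instance on the router, plus the iptables NAT rules that intercept LAN DNS queries and TCP connections to the virtual address pool and hand them to DNSPort and TransPort. The LAN address, interface name, ports and pool range are assumptions; VirtualAddrNetworkIPv4 is the name current Tor releases use for the VirtualAddrNetwork option mentioned in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Tor project.
# Assumed values: the router's LAN address is 192.168.1.1 on interface eth1,
# Tor's DNSPort is 5353, its TransPort is 9040, and the virtual address pool
# is 10.192.0.0/10 (a range outside anything routed on the LAN).
LAN_ADDR="${LAN_ADDR:-192.168.1.1}"
LAN_IF="${LAN_IF:-eth1}"
DNS_PORT="${DNS_PORT:-5353}"
TRANS_PORT="${TRANS_PORT:-9040}"
VIRT_NET="${VIRT_NET:-10.192.0.0/10}"

# torrc lines for the Tor instance running on the router. DNSPort answers
# A/AAAA lookups; with AutomapHostsOnResolve a .onion name gets a unique
# address out of VirtualAddrNetworkIPv4 and Tor remembers the onion->IP
# mapping. TransPort is where intercepted TCP connections must land so Tor
# can reverse that mapping and start the rendezvous for the right service.
torrc_fragment() {
  cat <<EOF
DNSPort ${LAN_ADDR}:${DNS_PORT}
TransPort ${LAN_ADDR}:${TRANS_PORT}
VirtualAddrNetworkIPv4 ${VIRT_NET}
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion,.exit
EOF
}

# NAT rules for the router. REDIRECT rewrites the destination to the address
# of the interface the packet arrived on, which is why DNSPort and TransPort
# above are bound to LAN_ADDR. Only UDP DNS is redirected, because Tor's
# DNSPort speaks UDP only; TCP/53 from the LAN is rejected rather than
# allowed to leave in the clear.
nat_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp -d ${VIRT_NET} --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -A FORWARD -i ${LAN_IF} -p tcp --dport 53 -j REJECT
EOF
}

# Print the configuration for review (default), or apply the NAT rules as root.
case "${1:-print}" in
  print) torrc_fragment; echo; nat_rules ;;
  apply) nat_rules | sh -e ;;
  *) echo "usage: $0 [print|apply]" >&2 ;;
esac
```

Two caveats worth keeping in mind with this arrangement. It covers exactly what the post says and nothing more: DNS over UDP and TCP connections to addresses in the pool. Any other traffic from the LAN still leaves directly unless you add rules for it, and a client that uses its own resolver (a hard-coded public DNS server, DNS-over-HTTPS in the browser) never sees the automapped address, so its .onion requests simply fail rather than being proxied.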
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk