[tor-relays] What IPs does Torbrowser need?

Tim Wilson-Brown - teor teor2345 at gmail.com
Sat Mar 19 23:20:33 UTC 2016


> On 16 Mar 2016, at 01:28, Martin Kepplinger <martink at posteo.de> wrote:
> 
> Hi
> 
> Imagine a router that wants to only whitelist the IP addresses that
> Torbrowser needs to work. What IPs would it need (for start up and
> browsing)?
> 
> * Guards

During normal operation after bootstrapping.

> * Authorities

For bootstrapping.

As of 0.2.8.1-alpha, each release has a different list of fallback directory mirrors.
If they're not whitelisted, initial bootstrap will be delayed for around 10 seconds, then tor will try an authority.

> * HSDir flagged relays (?)

Shouldn't be required; all connections go through a 3-hop circuit that starts at a guard.

> and would such a whitelisting of IPs even work?

Yes, this kind of whitelisting of addresses used by tor worked quite well when I was testing the fallback directory mirror and IPv6 client bootstrap features. (I would block or allow certain addresses, then make sure tor behaved sensibly.)

> At least I think DNS can
> be ignored as it is routed over Tor too.

Server DNS names are sent to the Tor Client as part of the SOCKS 5 protocol.
The Tor Client sends the server name to the Exit.
Then DNS resolution is performed by the Exit.

So technically, there are no DNS packets until the Exit queries its DNS servers for the server name provided by the client.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
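
Added example (not part of the original message, and not Tor's own code): a sketch of building the allowlist discussed above from a full ("ns" flavor) consensus document, keeping authorities and Guard-flagged relays and skipping relays that only carry HSDir or Exit. The consensus excerpt is constructed with documentation-range addresses, and `build_allowlist` is a hypothetical helper name; fallback directory mirrors are not marked in the consensus, so they would have to be added from the list shipped with the tor release in use.

```python
import ipaddress

# Constructed excerpt in the "ns" consensus layout; relays and addresses are made up.
SAMPLE_CONSENSUS = """\
network-status-version 3
dir-source authA 0000000000000000000000000000000000000001 192.0.2.10 192.0.2.10 80 443
contact constructed
r relayOne AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-03-19 12:00:00 198.51.100.7 9001 9030
a [2001:db8::7]:9001
s Fast Guard Running Stable V2Dir Valid
r relayTwo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-03-19 12:00:00 203.0.113.5 443 0
s Exit Fast Running Valid
r relayThree EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-03-19 12:00:00 198.51.100.99 9001 0
s Fast HSDir Running Stable Valid
"""

def build_allowlist(consensus_text):
    """Return sorted (ip, port) pairs for authorities and Guard-flagged relays."""
    allow = set()
    pending = []  # addresses of the current relay, held until its "s" line is read
    for line in consensus_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "dir-source" and len(fields) >= 7:
            # dir-source nickname identity hostname IP DirPort ORPort
            # Assumption: allow both ports, since which one a client uses varies by version.
            ip = str(ipaddress.ip_address(fields[4]))
            allow.update((ip, int(p)) for p in fields[5:7] if p != "0")
        elif fields[0] == "r" and len(fields) >= 9:
            # r nickname identity digest date time IP ORPort DirPort
            pending = [(str(ipaddress.ip_address(fields[6])), int(fields[7]))]
        elif fields[0] == "a" and pending:
            # Additional OR address, e.g. "[2001:db8::7]:9001"
            host, _, port = fields[1].rpartition(":")
            pending.append((str(ipaddress.ip_address(host.strip("[]"))), int(port)))
        elif fields[0] == "s":
            # Only relays with the Guard flag are first hops; HSDir/Exit alone are skipped.
            if "Guard" in fields[1:]:
                allow.update(pending)
            pending = []
    return sorted(allow)

if __name__ == "__main__":
    for ip, port in build_allowlist(SAMPLE_CONSENSUS):
        print(ip, port)
```

The consensus changes hourly and the Guard set changes with it, so an allowlist built this way has to be regenerated regularly.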
