Thanks for the explanation of the DNS requests. Perhaps this could be put in a sort of "technical details" section on the wiki.<br><br>
<div><span class="gmail_quote">On 5/4/06, <b class="gmail_sendername">Joseph B Kowalski</b> <<a href="mailto:jbk@hush.ai">jbk@hush.ai</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Thu, 04 May 2006 15:41:34 -0700 Roger Dingledine <
<a href="mailto:arma@mit.edu">arma@mit.edu</a>><br>wrote:<br>>On Thu, May 04, 2006 at 02:14:05PM -0700, Joseph B Kowalski wrote:<br>>> 1) It is clear that the Tor network only handles TCP traffic and<br>>> not UDP, which is, of course, what standard DNS lookup requests
<br>>> use (UDP). So, when directing DNS lookup requests into the Tor<br>>> network (whether by setting the network.proxy.socks_remote_dns<br>>> flag in Firefox or using Privoxy or whatever), is the application
<br>>> or proxy (Firefox or Privoxy, in this example) handing the DNS<br>>> lookup request to the Tor client using TCP already, or does the<br>>> Tor client translate the UDP DNS lookup request into a TCP DNS
<br>>> lookup request before passing to the first OR (entry node)?<br>><br>>Socks4a and socks5-with-remote-lookup actually hand the fqdn (aka<br>>hostname) to the socks proxy. Tor in turn hands it to the exit
<br>>node. The exit node does a DNS resolve however it sees fit. Then<br>>in the response cell inside the Tor network (either "connected" or<br>>"end"), the exit node includes the IP address that it found for
<br>>that hostname. This way the Tor client can cache it for next time,<br>>saving future exit nodes from needing to resolve it, and also<br>>allowing the client to compare it to exit policies (which are<br>>written in terms of IP addresses, not in terms of hostnames,
<br>>see faq for why).<br>><br>>> 2) Once the DNS lookup request reaches the exit node, does the<br>>> exit node perform a standard UDP DNS lookup using its<br>>> configured nameservers, or does it do it using a TCP DNS
<br>>> lookup?<br>><br>>Standard DNS lookup, however the local system is configured to do<br>>it.<br>><br>>> 3) Is it necessary to allow traffic to port 53 in the exit<br>>> policy of an OR in order for that OR to perform DNS lookups
<br>>> on the behalf of client requests?<br>><br>>No. All Tor nodes, including nodes with an exit policy of reject<br>>*:*, are willing to do DNS resolves for people. Of course, clients<br>>will try to pick nodes that would allow their connection to exit,
<br>>so they will tend to avoid using the reject *:* ones -- but when<br>>using our extension to socks to do dns resolves directly (see<br>><a href="http://tor.eff.org/cvs/tor/doc/socks-extensions.txt">http://tor.eff.org/cvs/tor/doc/socks-extensions.txt
</a>) the Tor<br>>client is fine picking a reject-all node, since no traffic will<br>>actually be exiting.<br>><br>>> I know that common sense appears to suggest that this is so,<br>>> but I couldn't find anything in the documentation stating if
<br>>> DNS lookups are just something all exit nodes handle<br>>> automatically and by default, or if only exit nodes configured<br>>> to allow outbound traffic to port 53 allow them.<br>><br>>Can you suggest some place in the documentation that you would
<br>>expect to find these answers? It feels like we already have too<br>>many docs, but obviously there's lots more to say too.<br>><br>>Hope that helps,<br>>--Roger<br><br><br>Hi Roger,<br><br><br>Your reply is very clear and very helpful. Thank you for taking
<br>the time to compose it.<br><br>You are right that there is a lot of documentation. For what it's<br>worth, I feel that it is generally very helpful and quite<br>comprehensive. This may be the first series of questions on Tor
<br>that I haven't been able to find answers to myself, either in the<br>documentation or in previous mailing-list posts. I know I could<br>have looked through the source to find the answers to my<br>questions, but figured asking would be a bit easier.
<br><br>If I were to suggest a place in the documentation to cover this<br>area, I think that a good place might possibly be in the<br>"Tor Technical FAQ Wiki"<br>(<a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ">
http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ</a>),<br>possibly in section 4 (Running a Tor client), adding a new FAQ<br>right after question number 17. It might be titled "How does<br>Tor handle DNS lookup requests?".
<br><br>Of course, what is intuitive for me may not be for others, and<br>you could easily make things quite complex by trying to decide<br>what pieces of the pertinent information apply to clients, what<br>pieces apply to server operators, making appropriate entries in
<br>the respective sections, etc. Such is part of the challenge in<br>clearly documenting something very technical, I suppose.<br><br>Once again, thank you for your answers, and a big thank you to<br>you and everyone else who has put so much work into making Tor
<br>work.<br><br><br>Best regards,<br><br><br><br>Joe Kowalski<br>PGP Key ID: 0xA96A2EE0<br><br></blockquote></div><br>
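<br>The point Roger makes above, that SOCKS4a and the Tor RESOLVE extension hand the hostname to the proxy instead of an already-resolved IP, is easiest to see on the wire. The following is an added illustration, not code from this thread or from Tor itself; it assumes the SOCKS4a layout (DSTIP 0.0.0.x plus a trailing hostname) and the RESOLVE command 0xF0 with its 8-byte reply as described in socks-extensions.txt, and the reply bytes are constructed sample data.<br>

```python
import struct
from ipaddress import IPv4Address

SOCKS4_CONNECT = 0x01
SOCKS4_RESOLVE = 0xF0   # Tor extension from socks-extensions.txt (assumed value)
SOCKS4_GRANTED = 90     # standard SOCKS4 "request granted" status


def build_socks4a(command, hostname, port=0, userid=b""):
    """Build a SOCKS4a request that carries the hostname, not an IP.
    DSTIP 0.0.0.1 is the SOCKS4a marker: it tells the proxy to read the
    NUL-terminated hostname after the userid and resolve it remotely."""
    return (struct.pack("!BBH", 4, command, port)
            + bytes([0, 0, 0, 1])
            + userid + b"\x00"
            + hostname.encode("idna") + b"\x00")


def parse_socks4_reply(data):
    """Parse the 8-byte SOCKS4 reply (VN=0, CD, DSTPORT, DSTIP).
    For a RESOLVE request Tor places the resolved IPv4 in DSTIP."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return cd, port, str(IPv4Address(data[4:8]))


def classify_socks4_request(data):
    """Defender-side check for a captured SOCKS4 request: did the client
    resolve the name locally (plain SOCKS4 with a real DSTIP, i.e. a DNS
    leak outside Tor) or hand the hostname to the proxy (SOCKS4a)?"""
    ip = data[4:8]
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        rest = data[8:]
        _userid, _, tail = rest.partition(b"\x00")
        hostname = tail.split(b"\x00", 1)[0].decode("idna")
        return ("remote", hostname)
    return ("local", str(IPv4Address(ip)))


# Constructed sample reply to a RESOLVE: granted, port 0, 192.0.2.10 (TEST-NET-1)
SAMPLE_RESOLVE_REPLY = b"\x00\x5a\x00\x00" + bytes([192, 0, 2, 10])

if __name__ == "__main__":
    print(build_socks4a(SOCKS4_RESOLVE, "example.com").hex())
    print(parse_socks4_reply(SAMPLE_RESOLVE_REPLY))
```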