Thanks this is very useful information.
```python
# Tor defines a new command value, \xf0 (RESOLVE), that is used for domain
# resolution.
self._send_all("\x05\xf0\x00\x03%s%s%s" % (chr(domain_len), domain, "\x00\x00"))
```
Exitmap uses the SOCKS5 RESOLVE DNS command. See page 4 of https://www.ietf.org/rfc/rfc1928.txt; the SOCKS request is formed as follows:

```
+----+-----+-------+------+----------+----------+
|VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
+----+-----+-------+------+----------+----------+
| 1  |  1  | X'00' |  1   | Variable |    2     |
+----+-----+-------+------+----------+----------+
```

So in the above Python code the values are:

- ver = \x05
- cmd = \xf0 ("RESOLVE") - custom Tor extension, not in the RFC
- rsv = \x00
- atyp = \x03 (domain)
- dst.addr = domain variable
- dst.port = \x00\x00
From https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt#n49:

> - Name lookup
>
> As an extension to SOCKS4A and SOCKS5, Tor implements a new command value, "RESOLVE" [F0]. When Tor receives a "RESOLVE" SOCKS command, it initiates a remote lookup of the hostname provided as the target address in the SOCKS request. The reply is either an error (if the address couldn't be resolved) or a success response. In the case of success, the address is stored in the portion of the SOCKS response reserved for remote IP address.
>
> (We support RESOLVE in SOCKS4 too, even though it is unnecessary.)
>
> For SOCKS5 only, we support reverse resolution with a new command value, "RESOLVE_PTR" [F1]. In response to a "RESOLVE_PTR" SOCKS5 command with an IPv4 address as its target, Tor attempts to find the canonical hostname for that IPv4 record, and returns it in the "server bound address" portion of the reply. (This command was not supported before Tor 0.1.2.2-alpha.)
The spec leaves multiple open questions:
- What does "initiates a remote lookup of the hostname" mean? The spec could be improved by saying that an "A" and/or "AAAA" DNS lookup is performed.
- There is no information about the response in torspec.git/tree/socks-extensions.txt at all?
Resolve can return an IPv4 or IPv6 response, but Exitmap ignores the address type, and turns the first 4 bytes of the response into an IPv4 address.
I modified exitmap to print the entire response in case the ATYP field is set to 04 (meaning the response contains an IPv6 address), but the response is not any longer than that and contains only the first 4 bytes of the IPv6 address.
Running tor 0.3.5.8.
Has this bug been fixed in later versions of tor or current master?
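The following is an added example, not exitmap's or Tor's own code: it encodes the RESOLVE request described above in Python 3 and parses the SOCKS5 reply by honouring the ATYP field (0x01 IPv4, 0x03 domain, 0x04 IPv6) instead of unconditionally reading 4 address bytes. It also shows what the "first 4 bytes as IPv4" shortcut produces when the reply actually carries an IPv6 address, and flags a reply that is too short for its declared ATYP, which is the situation reported in this thread. The reply bytes are constructed for illustration; the 192.0.2.1 and 2001:db8::1 addresses are documentation ranges, not real lookup results.

```python
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_RESOLVE = 0xF0       # Tor extension, not in RFC 1928
CMD_RESOLVE_PTR = 0xF1   # Tor extension, SOCKS5 only
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_resolve_request(domain: str) -> bytes:
    """Encode VER|CMD|RSV|ATYP|DST.ADDR|DST.PORT for Tor's RESOLVE command."""
    name = domain.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("domain length must fit in one byte")
    # ATYP 0x03: one length byte followed by the name; port is unused for RESOLVE.
    return bytes([SOCKS_VERSION, CMD_RESOLVE, 0x00, ATYP_DOMAIN, len(name)]) + name + b"\x00\x00"


def parse_socks5_reply(data: bytes) -> dict:
    """Parse VER|REP|RSV|ATYP|BND.ADDR|BND.PORT, sizing BND.ADDR from ATYP."""
    if len(data) < 4:
        raise ValueError("reply shorter than the fixed 4-byte header")
    ver, rep, _rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION:
        raise ValueError(f"unexpected SOCKS version {ver:#x}")
    body = data[4:]
    if atyp == ATYP_IPV4:
        offset, addr_len = 0, 4
    elif atyp == ATYP_IPV6:
        offset, addr_len = 0, 16
    elif atyp == ATYP_DOMAIN:
        if not body:
            raise ValueError("missing domain length byte")
        offset, addr_len = 1, body[0]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    needed = offset + addr_len + 2  # address plus 2-byte port
    if len(body) < needed:
        raise ValueError(
            f"truncated reply: ATYP {atyp:#x} needs {needed} bytes after the header, got {len(body)}")
    raw_addr = body[offset:offset + addr_len]
    port = struct.unpack("!H", body[offset + addr_len:offset + addr_len + 2])[0]
    addr = raw_addr.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw_addr))
    return {"rep": rep, "atyp": atyp, "addr": addr, "port": port}


def reply_is_complete(data: bytes) -> bool:
    """True if the reply carries the full address its ATYP promises."""
    try:
        parse_socks5_reply(data)
        return True
    except ValueError:
        return False


def naive_first4_as_ipv4(data: bytes) -> str:
    """The ATYP-blind shortcut: always treat bytes 4..8 as an IPv4 address."""
    return socket.inet_ntoa(data[4:8])


# Constructed sample replies (REP=0x00 success, port 0).
SAMPLE_IPV4_REPLY = b"\x05\x00\x00\x01" + b"\xc0\x00\x02\x01" + b"\x00\x00"           # 192.0.2.1
SAMPLE_IPV6_REPLY = b"\x05\x00\x00\x04" + b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01" + b"\x00\x00"  # 2001:db8::1
# ATYP says IPv6 but only the first 4 address bytes are present, as described in the thread.
TRUNCATED_IPV6_REPLY = b"\x05\x00\x00\x04" + b"\x20\x01\x0d\xb8" + b"\x00\x00"

if __name__ == "__main__":
    print(build_resolve_request("example.com").hex())
    print(parse_socks5_reply(SAMPLE_IPV4_REPLY))
    print(parse_socks5_reply(SAMPLE_IPV6_REPLY))
    print("naive read of IPv6 reply:", naive_first4_as_ipv4(SAMPLE_IPV6_REPLY))
    print("truncated reply complete?", reply_is_complete(TRUNCATED_IPV6_REPLY))
```

Reading the address length from ATYP is what lets a client tell a genuine IPv6 answer apart from a short reply: the ATYP-blind shortcut silently turns the first four bytes of 2001:db8::1 into 32.1.13.184, whereas the ATYP-aware parser either returns the full IPv6 address or rejects the reply as truncated.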