On 16 Mar 2016, at 01:28, Martin Kepplinger martink@posteo.de wrote:
> Hi
> Imagine a router that wants to only whitelist the IP addresses that Tor Browser needs to work. What IPs would it need (for startup and browsing)?
> - Guards
During normal operation after bootstrapping.
> - Authorities
For bootstrapping.
As of 0.2.8.1-alpha, each release has a different list of fallback directory mirrors. If they're not whitelisted, initial bootstrap will be delayed for around 10 seconds, then tor will try an authority.
> - HSDir flagged relays (?)
Shouldn't be required, all connections go through a 3-hop circuit that starts at a guard.
> And would such a whitelisting of IPs even work?
Yes, this kind of whitelisting of addresses used by tor worked quite well when I was testing the fallback directory mirror and IPv6 client bootstrap features. (I would block or allow certain addresses, then make sure tor behaved sensibly.)
> At least I think DNS can be ignored as it is routed over Tor too.
Server DNS names are sent to the Tor Client as part of the SOCKS 5 protocol. The Tor Client sends the server name to the Exit. Then DNS resolution is performed by the Exit.
So technically, there are no DNS packets until the Exit queries its DNS servers for the server name provided by the client.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
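As an added example (not code from the thread or from the tor project), here is how a router operator could derive the "Guards" part of such an allowlist: parse the relay lines of a consensus document, keep relays that carry both the Guard and Running flags, include their IPv6 OR addresses from "a" lines, and render iptables/ip6tables OUTPUT rules. SAMPLE_CONSENSUS is a constructed excerpt whose nicknames, digests and addresses (documentation ranges) are placeholders, not real relays. The authority and fallback directory mirror addresses live in the tor source rather than in the consensus, so they would have to be added separately and, as the message notes, refreshed with each release; the guard set also changes from consensus to consensus, so the rules need regenerating regularly.

```python
"""Derive a guard-relay allowlist from Tor consensus relay lines.

Added example, not code from the thread. SAMPLE_CONSENSUS is a constructed
excerpt: nicknames, digests and addresses (RFC 5737 / RFC 3849 ranges) are
fictitious placeholders, not real relays.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

SAMPLE_CONSENSUS = """\
r alpha   AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-03-16 01:00:00 192.0.2.10 9001 9030
a [2001:db8::10]:9001
s Fast Guard Running Stable V2Dir Valid
r bravo   CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-03-16 01:00:00 198.51.100.20 443 0
s Exit Fast Running Valid
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-03-16 01:00:00 203.0.113.30 9001 0
s Fast Guard Running Stable Valid
r delta   GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2016-03-16 01:00:00 192.0.2.40 9001 0
s Fast Guard Stable Valid
"""


@dataclass
class Relay:
    nickname: str
    or_addresses: List[str]            # "ip:port" or "[ipv6]:port"
    flags: Set[str] = field(default_factory=set)


def parse_consensus(text: str) -> List[Relay]:
    """Collect 'r' (IPv4 OR address), 'a' (extra OR address) and 's' (flags) lines.

    r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
    a [<IPv6>]:<port>
    s <Flag> <Flag> ...
    'a' and 's' lines describe the most recent 'r' line.
    """
    relays: List[Relay] = []
    current: Optional[Relay] = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            current = Relay(parts[1], [f"{parts[6]}:{parts[7]}"])
            relays.append(current)
        elif current is None:
            continue                    # ignore lines before the first relay
        elif parts[0] == "a" and len(parts) == 2:
            current.or_addresses.append(parts[1])
        elif parts[0] == "s":
            current.flags.update(parts[1:])
    return relays


def guard_allowlist(relays: List[Relay]) -> Set[str]:
    """Addresses a client may open guard connections to: Guard and Running relays."""
    return {addr
            for r in relays if {"Guard", "Running"} <= r.flags
            for addr in r.or_addresses}


def iptables_rules(allowlist: Set[str]) -> List[str]:
    """Render OUTPUT ACCEPT rules; bracketed IPv6 entries go to ip6tables."""
    rules = []
    for entry in sorted(allowlist):
        if entry.startswith("["):
            host, port = entry[1:].split("]:")
            tool = "ip6tables"
        else:
            host, port = entry.rsplit(":", 1)
            tool = "iptables"
        rules.append(f"{tool} -A OUTPUT -p tcp -d {host} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(guard_allowlist(parse_consensus(SAMPLE_CONSENSUS))):
        print(rule)
```

In the sample, bravo is dropped because it is not a Guard and delta because it is not Running; alpha contributes both its IPv4 and IPv6 OR addresses. A real deployment would feed the current cached consensus through the same functions and apply the rules with a default-deny OUTPUT policy.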
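The DNS point in the message, shown in SOCKS 5 terms as an added example (not code from the thread or from Tor Browser): a Tor-aware client puts the server name into the CONNECT request with address type 0x03, so the name reaches the Tor client and then the Exit without any local lookup. The encoder builds such a request from a hostname or IP literal, the decoder parses one, and carries_literal_address flags requests whose address type is a literal IPv4/IPv6 address, which is what an application that resolved the name itself would send. Only the RFC 1928 message formats are used; the hostnames and addresses are constructed samples. The check has one blind spot worth knowing: it cannot tell a name the application resolved locally from an IP literal the user typed.

```python
"""SOCKS 5 CONNECT requests: name-based (no local DNS) versus literal address.

Added example, not code from the thread. Message layout is RFC 1928 section 4:
  VER=0x05 | CMD | RSV=0x00 | ATYP | DST.ADDR | DST.PORT (2 bytes, network order)
"""
import socket
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_greeting() -> bytes:
    """Client greeting offering only the 'no authentication' method."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request.

    A literal IPv4/IPv6 address is encoded as ATYP 0x01/0x04; anything else is
    sent verbatim as a domain name (ATYP 0x03), leaving resolution to the proxy.
    """
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if not 1 <= len(name) <= 255:
                raise ValueError("domain name length must fit in one byte")
            body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> Tuple[int, int, str, int]:
    """Decode a request into (command, address type, destination, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS 5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end = 8
        dest = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        end = 20
        dest = socket.inet_ntop(socket.AF_INET6, data[4:end])
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        dest = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, atyp, dest, port


def carries_literal_address(request: bytes) -> bool:
    """True when the client supplied an IP literal instead of a name.

    For a browser configured to proxy DNS through SOCKS this should be False
    for every request made by entering a hostname; a True result means the
    application resolved the name itself before talking to the proxy.
    """
    _, atyp, _, _ = parse_connect_request(request)
    return atyp in (ATYP_IPV4, ATYP_IPV6)


if __name__ == "__main__":
    for target in ("example.com", "192.0.2.10", "2001:db8::1"):
        req = build_connect_request(target, 443)
        print(target, req.hex(), "literal" if carries_literal_address(req) else "name")
```

Feeding captured SOCKS requests from the client side of the Tor Browser to Tor connection through carries_literal_address is a quick way to confirm the behaviour the message describes, namely that names, not resolved addresses, cross the proxy boundary.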