Hi
> Imagine a router that wants to only whitelist the IP addresses that
> Tor Browser needs to work. What IPs would it need (for start-up and
> browsing)?
> * Guards
During normal operation after bootstrapping.
For bootstrapping.
As of 0.2.8.1-alpha, each release has a different list of fallback directory mirrors.
If they're not whitelisted, initial bootstrap will be delayed for around 10 seconds, then tor will try an authority.
> * HSDir flagged relays (?)
Shouldn't be required; all connections go through a 3-hop circuit that starts at a guard.
> and would such a whitelisting of IPs even work?
Yes, this kind of whitelisting of addresses used by tor worked quite well when I was testing the fallback directory mirror and IPv6 client bootstrap features. (I would block or allow certain addresses, then make sure tor behaved sensibly.)
> At least I think DNS can
> be ignored as it is routed over Tor too.
Server DNS names are sent to the Tor Client as part of the SOCKS 5 protocol.
The Tor Client sends the server name to the Exit.
Then DNS resolution is performed by the Exit.
So technically, there are no DNS packets until the Exit queries its DNS servers for the server name provided by the client.
Tim
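The SOCKS5 exchange described in the message above, as an added example that is not part of the original thread and not code from tor itself: a small Python encoder/decoder for the request an application hands to the Tor client. It shows why no DNS packets leave the client machine: a hostname travels inside the SOCKS5 request as address type 0x03 (domain name), and the exit does the lookup. The `resolved_by_exit` field and the helper names are my own; the command value 0xF0 is Tor's documented RESOLVE extension, used here only to show that it carries a name the same way.

```python
import struct
from ipaddress import ip_address

# SOCKS5 constants (RFC 1928) plus Tor's RESOLVE extension command.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
CMD_RESOLVE = 0xF0        # Tor extension: resolve a name through an exit, no stream
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def build_socks5_request(host: str, port: int, cmd: int = CMD_CONNECT) -> bytes:
    """Encode the SOCKS5 request an application sends to the Tor client.

    A hostname is sent verbatim as ATYP 0x03 (length-prefixed domain name),
    so the application never has to look it up locally. An IP literal is
    sent as ATYP 0x01 (IPv4) or 0x04 (IPv6).
    """
    try:
        addr = ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if not 1 <= len(raw) <= 255:
            raise ValueError("domain name must be 1..255 bytes on the wire")
        dst = bytes([ATYP_DOMAIN, len(raw)]) + raw
    else:
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dst = bytes([atyp]) + addr.packed
    return bytes([SOCKS_VERSION, cmd, 0x00]) + dst + struct.pack("!H", port)


def parse_socks5_request(data: bytes) -> dict:
    """Decode a SOCKS5 request the way the Tor client sees it and report
    where name resolution will happen (hypothetical helper for illustration)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, rsv, atyp = data[1], data[2], data[3]
    if rsv != 0x00:
        raise ValueError("reserved byte must be zero")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host = data[5:5 + n].decode("idna")
        end = 5 + n
    elif atyp == ATYP_IPV4:
        host = str(ip_address(data[4:8]))
        end = 8
    elif atyp == ATYP_IPV6:
        host = str(ip_address(data[4:20]))
        end = 20
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {
        "cmd": cmd,
        "host": host,
        "port": port,
        # Only a domain name is resolved by the exit. An IP literal means the
        # application already had an address, possibly from a local DNS lookup
        # that bypassed Tor entirely.
        "resolved_by_exit": atyp == ATYP_DOMAIN,
    }


if __name__ == "__main__":
    req = build_socks5_request("example.com", 443)   # constructed sample input
    print(req.hex())
    print(parse_socks5_request(req))
```

The practical check for a router allowlist follows from the second function: as long as the browser sends names (ATYP 0x03), the only outbound packets are Tor connections to the allowed relay addresses. If an application resolves a name itself and hands the Tor client an IP literal, that lookup already left the machine outside Tor; the Tor client logs a warning about applications that give it only an IP address for exactly this reason.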