[tor-bugs] #8215 [Tor]: Simple Relay: random unknown UDP port in listen mode

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 1 14:51:47 UTC 2014


#8215: Simple Relay: random unknown UDP port in listen mode
-----------------------------+------------------------------
     Reporter:  elgo         |      Owner:
         Type:  enhancement  |     Status:  reopened
     Priority:  normal       |  Milestone:  Tor: unspecified
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-relay dns
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+------------------------------

Comment (by arma):

 Replying to [comment:10 cypherpunks]:
 >  - Why does Tor do its own DNS lookups, instead of using the system's
 >  resolver?

 The system's resolver, typically accessed through gethostbyname(),
 typically blocks while getting its answer. To use it without itself
 blocking, Tor would have to spawn separate threads, each of which blocks
 while getting its answer, and then queue up requests for the farm of
 dnsworkers so it doesn't launch hundreds or even thousands of threads in
 parallel. (Also, on systems where gethostbyname is not reentrant, it needs
 to spawn separate *processes*, not just threads.)

 Tor actually used to do exactly this. It was no fun, so when Adam Langley
 wrote up some great asynchronous dns client code, we used it.

 >  - Why does a Tor relay need to do DNS lookups at all?

 If a Tor client wants to visit cnn.com, she can't very well do the dns
 resolve herself -- otherwise anybody watching her network would know where
 she will soon anonymously go. So she sends "cnn.com" to the exit relay,
 which resolves it and connects.

 >  - If Tor actually needs to do its own DNS lookups, shouldn't it be
 >  using a randomized source port for every query? (Otherwise it is
 >  relatively trivial to send it spoofed answers, no?)

 I hope it does. Please check.

 >  - Is it bad that my Tor relay where I just noticed this port (leading
 >  me to find this ticket) can only make TCP connections? It seems to be
 >  relaying traffic nonetheless, but now I'm worried perhaps I'm failing
 >  circuits to relays which only have DNS names in their descriptors? (Do
 >  such relays exist?)

 If you're a non-exit relay, it's ok because typically clients will never
 ask you to do dns resolves for them. If you're an exit relay, yes it's
 bad.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8215#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
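arma leaves the source-port question open ("I hope it does. Please check."). One way for a relay operator to check is to capture the relay's outbound UDP/53 queries and look at whether the source port and the DNS transaction ID actually vary from query to query: a fixed source port leaves only the 16-bit transaction ID for a spoofed answer to match. The following Python script is an added example, not code from this ticket or from Tor; it parses tcpdump-style query lines and reports whether the source port is fixed and whether transaction IDs run sequentially. The line format, the function names and the two embedded samples (constructed, not real captures) are assumptions made for the example.

```python
import re
from collections import Counter
from math import log2

# Constructed tcpdump-style lines for outbound DNS queries (not a real capture).
# Format assumed here: "IP <src>.<sport> > <resolver>.53: <txid>[+] <QTYPE>? <name>. (<len>)"
SAMPLE_RANDOMIZED = """\
IP 10.0.0.5.53271 > 10.0.0.1.53: 4711+ A? cnn.com. (25)
IP 10.0.0.5.17044 > 10.0.0.1.53: 9021+ A? example.org. (29)
IP 10.0.0.5.61902 > 10.0.0.1.53: 30555+ AAAA? example.org. (29)
IP 10.0.0.5.40377 > 10.0.0.1.53: 612+ A? torproject.org. (32)
IP 10.0.0.5.25510 > 10.0.0.1.53: 58190+ A? www.cnn.com. (29)
"""

# Same queries, but from a resolver that reuses one source port and counts txids up.
SAMPLE_FIXED = """\
IP 10.0.0.5.53271 > 10.0.0.1.53: 1+ A? cnn.com. (25)
IP 10.0.0.5.53271 > 10.0.0.1.53: 2+ A? example.org. (29)
IP 10.0.0.5.53271 > 10.0.0.1.53: 3+ AAAA? example.org. (29)
IP 10.0.0.5.53271 > 10.0.0.1.53: 4+ A? torproject.org. (32)
IP 10.0.0.5.53271 > 10.0.0.1.53: 5+ A? www.cnn.com. (29)
"""

# Matches only queries sent *to* port 53, i.e. the relay's outbound lookups.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? "
)


def parse_queries(text):
    """Return a list of (source_port, txid) pairs, one per outbound query line."""
    pairs = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group("sport")), int(m.group("txid"))))
    return pairs


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * log2(c / n) for c in counts.values())


def assess(pairs):
    """Classify the capture: 'fixed', 'partially-reused' or 'randomized' source ports.

    Also flags transaction IDs that increase by exactly one between queries,
    since a predictable txid removes the other 16 bits an attacker would have
    to guess.
    """
    if len(pairs) < 2:
        return {"verdict": "insufficient-data", "queries": len(pairs)}
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    distinct = len(set(ports))
    if distinct == 1:
        verdict = "fixed"
    elif distinct < len(ports):
        verdict = "partially-reused"
    else:
        verdict = "randomized"
    sequential = all(b - a == 1 for a, b in zip(txids, txids[1:]))
    return {
        "verdict": verdict,
        "queries": len(pairs),
        "distinct_ports": distinct,
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_sequential": sequential,
    }


if __name__ == "__main__":
    # Run against the two constructed samples; a real check would feed in
    # the output of tcpdump on the relay's outbound interface instead.
    for name, sample in (("randomized", SAMPLE_RANDOMIZED), ("fixed", SAMPLE_FIXED)):
        print(name, assess(parse_queries(sample)))
```

A handful of queries is enough to spot a completely fixed port; judging whether a varying port is drawn from the full range (rather than, say, a small pool) needs a much larger capture, so treat the entropy figure as a rough indicator rather than a proof of randomness.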