[tor-bugs] #25874 [Obfuscation/Snowflake]: DNS-based rendezvous for Snowflake

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 20 21:44:37 UTC 2018


#25874: DNS-based rendezvous for Snowflake
-----------------------------------+------------------------
 Reporter:  dcf                    |          Owner:  (none)
     Type:  project                |         Status:  new
 Priority:  Medium                 |      Milestone:
Component:  Obfuscation/Snowflake  |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:                         |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------

Comment (by dcf):

 For testing purposes, I set up snowflake-broker.bamsoftware.com to be the
 authoritative nameserver for the subdomain test.bamsoftware.com. (I think;
 I'm not too good at this DNS stuff.) There is no responder running there
 yet, but you can use tcpdump on the broker to watch requests arrive:
 {{{
 tcpdump -n -X port 53
 }}}

 Then, from somewhere else, try a normal DNS query. In the tcpdump you
 should see requests arrive from your ISP's recursive nameserver.
 {{{
 dig message${RANDOM}.test.bamsoftware.com
 }}}

 Here is sample Python 2 code for doing requests over the 1.1.1.1 DNS-over-HTTPS server.
 {{{
 #!/usr/bin/env python
 # Python 2: str(DNS(...)) yields the raw wire-format bytes of the query.

 from scapy.all import DNS, DNSQR
 import base64
 import requests

 NAME = "whatever.test.bamsoftware.com"

 # https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat/#using-post
 # POST: the wire-format query is the request body.
 print("POST application/dns-udpwireformat")
 udpwireformat = str(DNS(rd=True, qd=DNSQR(qtype="A", qname=NAME)))
 r = requests.post("https://1.1.1.1/dns-query",
     headers = {
         "Accept": "application/dns-udpwireformat",
         "Content-Type": "application/dns-udpwireformat",
     },
     data = udpwireformat,
 )
 DNS(r.content).show()

 # https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat/#using-get
 # GET: the same query, base64url-encoded in the dns= parameter. RFC 8484
 # requires the "=" padding to be stripped.
 print("GET application/dns-udpwireformat")
 udpwireformat = str(DNS(rd=True, qd=DNSQR(qtype="A", qname=NAME)))
 r = requests.get("https://1.1.1.1/dns-query",
     params = {
         "dns": base64.urlsafe_b64encode(udpwireformat).rstrip("="),
         "ct": "application/dns-udpwireformat",
     },
 )
 DNS(r.content).show()

 # https://developers.cloudflare.com/1.1.1.1/dns-over-https/json-format/
 # JSON: name and type as plain query parameters; the reply is JSON, not wire format.
 print("GET application/dns-json")
 r = requests.get("https://1.1.1.1/dns-query",
     params = {
         "name": NAME,
         "type": "A",
         "ct": "application/dns-json",
     },
 )
 print(r.text)
 }}}

 If you run this, you will see requests arrive at the broker and responses
 come back with `rcode=server-failure`, which is expected because there's
 nothing running at snowflake-broker.bamsoftware.com:53 yet.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25874#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
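The wire-format query that the scapy script above hands to 1.1.1.1, built by hand so the framing is visible, together with a parser for the reply and a check of the `rcode=server-failure` case the comment describes. This is an added example, not code from the ticket or from Snowflake, and it is Python 3 rather than the Python 2 of the script. It sends nothing: the SERVFAIL and NOERROR replies are constructed inline, and the base32 label scheme in `rendezvous_name` is a hypothetical illustration of how a client could carry bytes in a query name, not Snowflake's actual design.

```python
import base64
import struct

# From the ticket: the DoH endpoint and the delegated test zone.
DOH_URL = "https://1.1.1.1/dns-query"
ZONE = "test.bamsoftware.com"

RCODES = {0: "ok", 1: "format-error", 2: "server-failure", 3: "name-error", 5: "refused"}

def encode_name(name):
    """Wire-format a name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    if len(out) + 1 > 255:
        raise ValueError("name longer than 255 bytes")
    return out + b"\x00"

def build_query(qname, qtype=1, txid=0):
    """Header with only RD set, one question, class IN. RFC 8484 suggests txid 0
    over DoH so identical queries are byte-identical and cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def doh_get_param(wire):
    """Value of the dns= parameter for a DoH GET: base64url with '=' padding removed."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def decode_doh_get_param(param):
    """Inverse of doh_get_param: restore the padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def rendezvous_name(payload, zone=ZONE):
    """Hypothetical client-side encoding (not Snowflake's real scheme): carry the
    payload in the left-most label as unpadded base32, which survives the
    case folding and character restrictions of recursive resolvers."""
    label = base64.b32encode(payload).rstrip(b"=").decode("ascii").lower()
    return "%s.%s" % (label, zone)

def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: the rest of the name lives elsewhere
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_response(msg):
    """Return (txid, rcode name, qname, [A addresses or raw rdata]) of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4  # qtype, qclass
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        answers.append(".".join(str(b) for b in rdata) if (rtype, rdlen) == (1, 4) else rdata)
    return txid, RCODES.get(flags & 0xF, str(flags & 0xF)), qname, answers

def servfail_for(query):
    """Constructed sample reply: what the recursive resolver returns while the zone's
    authoritative server (the broker) answers nothing. QR|RD|RA set, rcode 2."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8182, 1, 0, 0, 0) + query[12:]

def noerror_a_for(query, ip):
    """Constructed sample reply once a responder exists: one A record whose owner
    name is a compression pointer (0xC00C) back to the question at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + query[12:] + rr

if __name__ == "__main__":
    q = build_query(rendezvous_name(b"hello"))
    print("GET %s?dns=%s" % (DOH_URL, doh_get_param(q)))
    print(parse_response(servfail_for(q)))
    print(parse_response(noerror_a_for(q, "192.0.2.1")))
```

Running it prints the exact GET URL the scapy script's second request would fetch, then the parsed SERVFAIL that the broker currently provokes and the NOERROR answer a responder could return. The label length check in `encode_name` matters for the rendezvous idea: a single label holds at most 63 characters, so a client message has to be split across labels or several queries once it grows past that.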