[tor-bugs] #30796 [Core Tor]: ClientDNSRejectInternalAddresses interferes with ClientRejectInternalAddresses=1

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 7 01:22:56 UTC 2019


#30796: ClientDNSRejectInternalAddresses interferes with
ClientRejectInternalAddresses=1
-------------------------------------------------+-------------------------
 Reporter:  smherwig                             |          Owner:  (none)
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Component:  Core
                                                 |  Tor
  Version:  Tor: 0.4.0.5                         |       Severity:  Normal
 Keywords:  ClientDNSRejectInternalAddresses,    |  Actual Points:
  ClientRejectInternalAddresses                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
 I'm using tor-0.4.05.

 In the onion proxy's torrc, I set

 {{{
 ClientRejectInternalAddresses 0
 MapAddress 127.0.0.1 127.0.0.1.FINGERPRINT.exit
 MapAddress localhost localhost.FINGERPRINT.exit
 UseMicrodescriptors 0
 }}}

 and on my exit node:

 {{{
 ExitRelay 1
 ExitRelayRejectPrivate 0
 ExitPolicy accept private:8080-8090
 ExitPolicy reject *:*
 }}}

 If I then issue a request through the OP to get a page served by a
 webserver running locally on the exit node

 {{{
 curl --socks4 127.0.0.1:9050 http://127.0.0.1:8080/index.html
 }}}

 the OP's socks server says the connection is not permitted.  Specifically,
 `core/or/relay.c:1347` denies the connection and logs
 "connection_edge_process_relay_cell_not_open(0: ...but it claims the IP
 address was 127.0.0.1".

 Also note that per the `tor.1` manpage, and more specifically, enforced in
 `app/config/config.c:4420`, `ClientDNSRejectInternalAddresses` cannot be
 set to `0` when using the production Tor network.

 In other words, the enforcement of `ClientDNSRejectInternalAddresses` is
 being applied when no DNS request is actually made, and, moreover,
 interferes with the `ClientRejectInternalAddresses` and `MapAddress`
 configuration.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30796>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
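
Added example, not part of the ticket or of Tor's code: a small torrc audit that flags the settings quoted in the report that relax Tor's internal-address protections, so an operator can spot them before deploying. The function names, the finding texts and the rule that strips a `.<relay>.exit` suffix are assumptions made for this illustration.

```python
import ipaddress
import re

# Options whose value 0 relaxes an internal-address protection (names per tor(1)).
RISKY = {
    "clientrejectinternaladdresses": "client may connect to internal addresses through Tor",
    "clientdnsrejectinternaladdresses": "DNS answers naming internal addresses are believed",
    "exitrelayrejectprivate": "implicit reject of private ranges is dropped from the exit policy",
}

def is_internal(host):
    """True for 'localhost' or a loopback/private/link-local IP (mask ignored)."""
    try:
        ip = ipaddress.ip_address(host.split("/")[0])
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_torrc(text):
    """Return [(line_number, finding)] for a torrc supplied as text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key in RISKY and args[:1] == ["0"]:
            findings.append((n, f"{parts[0]} 0: {RISKY[key]}"))
        elif key == "exitpolicy" and len(args) >= 2 and args[0].lower() == "accept":
            target = args[1].rsplit(":", 1)[0]  # address part, before the port
            if target.lower() == "private" or is_internal(target):
                findings.append((n, f"ExitPolicy accepts internal destination {args[1]}"))
        elif key == "mapaddress" and len(args) == 2:
            # Assumed rule: strip a trailing '.<relay>.exit' to get the pinned host.
            host = re.sub(r"\.[^.]+\.exit$", "", args[1], flags=re.I)
            if is_internal(host):
                findings.append((n, f"MapAddress sends {args[0]} to internal host {host}"))
    return findings

# Constructed sample: the client and exit settings quoted in the report, in one text.
SAMPLE = """ClientRejectInternalAddresses 0
MapAddress 127.0.0.1 127.0.0.1.FINGERPRINT.exit
MapAddress localhost localhost.FINGERPRINT.exit
UseMicrodescriptors 0
ExitRelay 1
ExitRelayRejectPrivate 0
ExitPolicy accept private:8080-8090
ExitPolicy reject *:*"""
print(*audit_torrc(SAMPLE), sep="\n")
```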

