DNS

Nick Mathewson nickm at alum.mit.edu
Tue Oct 1 22:57:05 UTC 2002


On Tue, 2002-10-01 at 17:18, Roger Dingledine wrote:
> On Tue, Oct 01, 2002 at 02:24:16PM +0100, Andrei Serjantov wrote:
 [...]
> One possible approach is to distribute a socksified bind (or equivalent),
> so people run a local nameserver that knows how to query over tor.

If it's desirable for DNS queries to get resolved at the last OR, here's
one way to do it and still work with applications that try to resolve
DNS locally.  [I didn't make this up, but I can't remember where I've
seen it before.]

Users run a local nameserver that doesn't actually do DNS queries. 
Instead, it hands out randomly generated IP addresses in some unused
address space, and remembers which hostname it associated with which
IP.  Later, when the socks4 proxy sees one of these addresses, it
re-maps it to the original hostname.

For example, suppose Alice types "http://www.apple.com/" into her
(socks4) web browser.  The web browser asks the local DNS server to
resolve "www.apple.com".  The local server answers, "10.0.2.99" (not
Apple's real address).  Next, the web browser asks Tor (as a socks4
server) to open a connection to 10.0.2.99:80  Instead, Tor remembers
that "10.0.2.99" is really www.apple.com, and creates an anonymous
connection.

This approach has two flaws, as far as I can see:
 1) Applications that do not use the tor proxy must not use the faked-up
    DNS server.  Not all operating systems make it easy for different 
    applications to user different DNS servers.

 2) There are security implications if we ever recycle IP addresses.
    Suppose that addresses are handed out in the range 1.0.0.0-   
    1.0.255.255.  If Alice gets apple.com=10.0.2.99, Bob had better not 
    be able to replace the 10.0.2.99-->apple.com mapping by flooding the
    DNS server with requests. (I don't know much DNS, but I think we 
    can solve this by setting TTL very low.  Nonetheless, broken 
    applications that cache DNS records and ignore TTL will still be 
    vulnerable.)

HTH,
-- 
Nick



More information about the tor-dev mailing list