Add remote addr/port to conn of dns request

Robert Hogan robert at
Sun Jun 17 16:40:05 UTC 2007

On Sunday 17 June 2007 17:01:44 Nick Mathewson wrote:
> On Sun, Jun 17, 2007 at 03:38:15PM +0100, Robert Hogan wrote:
> I've applied this patch too.  Thanks!
> Two points to note:
>   1) These requests are made by a Tor server to check for DNS
>      hijacking.  (Some jerk DNS providers like to helpfully remap all
>      NEXIST replies into advertising sites.  Tor detects this, works
>      around it, and calls these providers mean names.)

Sure, but I think a log message stating the 'domains' being queried would help 
settle a few nerves. Bizarre-looking DNS queries are just the sort of thing 
Tor users might expect from a snooper.

>   2) It isn't a good idea to have a Tor client be the DNS server for a
>      Tor server.  I wonder what we can do to prevent this from
>      happening.
> peace,

Do you mean that it is a bad idea to force a tor server's un-proxied dns 
requests through tor with all-encompassing netfilter rules such as

iptables -t nat -I OUTPUT 1 -o ! lo -p udp -m udp --dport 53 -j DNAT --to-destination -m comment --comment "Redirect UDP DNS Requests to Tor" ?

This does seem a bit stupid on the face of it, though I'm not clear whether 
it's actually dangerous or just wasteful.


Browse Anonymously Anywhere
TorK - KDE Anonymity Manager
KlamAV - KDE Anti-Virus
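The check Nick describes above (a Tor server querying names that should not exist and noticing when the resolver "helpfully" answers anyway) and the log line Robert asks for can be illustrated with a small stand-alone model. This is an added example, not Tor's own code: the resolver stubs, the probe-name generator, the address 203.0.113.5 and the `check_nxdomain_hijack` / `filter_answer` helpers are all constructed here for illustration, and the real Tor implementation is not reproduced.

```python
import logging
import random
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver stub maps a hostname to a list of addresses, or None for NXDOMAIN.
# (Constructed abstraction: a real check would send queries to the configured
# nameserver; here the resolver is an in-process callable so the example runs offline.)
Resolver = Callable[[str], Optional[List[str]]]

log = logging.getLogger("dns-hijack-check")


def random_label(rng: random.Random, length: int = 10) -> str:
    """Return a random lowercase label that is vanishingly unlikely to be registered."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def make_probe_names(rng: random.Random, tlds=("com", "org", "net"), per_tld: int = 2) -> List[str]:
    """Build the 'bizarre-looking' probe names: random labels under a few common TLDs."""
    return [f"{random_label(rng)}.{tld}" for tld in tlds for _ in range(per_tld)]


def check_nxdomain_hijack(resolve: Resolver, probes: List[str]) -> Dict:
    """Probe names that should return NXDOMAIN; any answer at all indicates remapping.

    Emits one log line per probe so an operator reading the log can see that the
    odd queries are self-inflicted, which is the reassurance the reply above asks for.
    """
    answered: Dict[str, List[str]] = {}
    for name in probes:
        log.info("DNS hijack check: querying nonexistent name %s", name)
        result = resolve(name)
        if result:
            answered[name] = sorted(result)
    # Collect every address handed back for a nonexistent name; these are the
    # addresses the provider substitutes for NXDOMAIN.
    bogus: Set[str] = {addr for addrs in answered.values() for addr in addrs}
    return {"hijacked": bool(answered), "answered": answered, "bogus_addrs": sorted(bogus)}


def filter_answer(addrs: List[str], bogus_addrs: Set[str]) -> List[str]:
    """Work around a hijacking resolver: drop the known substitute addresses from an answer.

    An answer consisting only of substitute addresses is treated as NXDOMAIN (empty list).
    """
    return [a for a in addrs if a not in bogus_addrs]


# --- constructed resolvers for the demonstration ---
_TABLE = {"example.com": ["192.0.2.1"]}


def honest_resolver(name: str) -> Optional[List[str]]:
    """Behaves correctly: unknown names get NXDOMAIN (None)."""
    return _TABLE.get(name)


def hijacking_resolver(name: str) -> Optional[List[str]]:
    """Models a remapping provider: every unknown name resolves to an ad server (constructed address)."""
    return _TABLE.get(name, ["203.0.113.5"])


def run_demo(seed: int = 1) -> Dict[str, Dict]:
    """Run the check against both resolvers with the same probe set."""
    rng = random.Random(seed)
    probes = make_probe_names(rng)
    return {
        "honest": check_nxdomain_hijack(honest_resolver, probes),
        "hijack": check_nxdomain_hijack(hijacking_resolver, probes),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(name)s: %(message)s")
    for label, report in run_demo().items():
        print(label, "hijacked" if report["hijacked"] else "clean", report["bogus_addrs"])
```

The probe names are generated fresh per run, so a provider cannot special-case them, and the logged line names each probe explicitly so that anyone watching the server's outbound DNS can match the odd queries to the log rather than to a snooper.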
