prevent tor accepting dns requests on dnsport initiated by itself

Nick Mathewson nickm at
Fri Jun 22 15:52:48 UTC 2007

On Thu, Jun 21, 2007 at 10:53:08PM +0100, Robert Hogan wrote:
> This would also prevent the user resolving a dns request if it
> coincided exactly with the very same request by tor. I don't know
> how likely this would be in practice - I certainly haven't been
> quick enough on the draw.

I think this is actually a dangerous idea.  We separate the client DNS
cache from the server DNS cache for a reason: if you're using a Tor
instance as both a client and a server, it's a good idea to keep the
client's behavior more or less uncorrelated by the server's.

Here's an attack: I have a server that doesn't see much usage at  You have a non-exit Tor host.  I suspect that you're
connecting to my server.  I control the DNS for, so I
whenever your Tor server asks for the address of I give
you IP1.  (If it never asks, I can resolve
a lot.)  When any other server asks, I give them IP2.  If I see
anybody connect to IP1, I know that it's probably your client peeking
inside the server DNS.

There are probably easier attacks here too.

Nick Mathewson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 652 bytes
Desc: not available
URL: <>

More information about the tor-dev mailing list