prevent tor accepting dns requests on dnsport initiated by itself
robert at roberthogan.net
Sat Jun 23 12:08:33 UTC 2007
On Friday 22 June 2007 16:52:48 Nick Mathewson wrote:
> On Thu, Jun 21, 2007 at 10:53:08PM +0100, Robert Hogan wrote:
> > This would also prevent the user resolving a dns request if it
> > coincided exactly with the very same request by tor. I don't know
> > how likely this would be in practice - I certainly haven't been
> > quick enough on the draw.
> I think this is actually a dangerous idea. We separate the client DNS
> cache from the server DNS cache for a reason: if you're using a Tor
> instance as both a client and a server, it's a good idea to keep the
> client's behavior more or less uncorrelated by the server's.

Sorry, I don't get it!

I don't think any mixing of the caches takes place here. The patch prevents a
Tor server from resolving DNS requests when a broken system configuration
routes them all back to its own DNSPort. In this situation the tor server
will always be unable to resolve anything and the server admin will be warned.

If the same Tor instance is being used as a client then the only occasion in
which an application's requests (e.g. from firefox) will fail is if it
happens to request the exact same dns resolve at precisely the same moment
the server's same dns request is in progress. Otherwise its requests, even
for the same hostname, will be successfully routed over the tor network.
I don't believe a failure of the client request in the above situation will
result in a cache hit (server or client), the request will just fail and the
app will try again or give up.
> Here's an attack: I have a server that doesn't see much usage at
> evil-nick.com. You have a non-exit Tor host. I suspect that you're
> connecting to my server. I control the DNS for evil-nick.com, so I
> whenever your Tor server asks for the address of evil-nick.com I give
> you IP1. (If it never asks, I can resolve evil-nick.com.yourhost.exit
> a lot.) When any other server asks, I give them IP2. If I see
> anybody connect to IP1, I know that it's probably your client peeking
> inside the server DNS.

My understanding of the patch is:

In the case where all DNS requests are looping back into Tor's DNSPort the
server will never get IP1 or IP2 since all its DNS requests will fail. The
client meanwhile will either get IP2 (request routed over tor network) or
will also fail and get nothing.
In the case where the system is properly configured and the server's requests
are not proxied but the client's arrive at the DNSPort, the server will
always get IP1 and the client will always get IP2. If client and server
request evil-nick.com at the exact same moment, the server will get IP1 and
the client will receive DNS_ERR_REFUSED.
> There are probably easier attacks here too.

--
Browse Anonymously Anywhere - http://anonymityanywhere.com
TorK - KDE Anonymity Manager - http://tork.sf.net
KlamAV - KDE Anti-Virus - http://www.klamav.net
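As an added illustration (not Tor's code and not part of the thread), the script below models the two things the message discusses: a static check for the "broken system configuration" in which the libc resolver's nameserver is Tor's own DNSPort, and a small in-flight guard that reproduces the refusal behaviour Robert describes (a DNSPort query for a name the server is itself resolving at that moment gets DNS_ERR_REFUSED, anything else is routed over Tor). The resolv.conf and torrc contents, the `local_addrs` parameter and the `DnsPortGuard` class are all constructed assumptions for this example.

```python
"""Model of a Tor DNSPort self-loop check and the in-flight refusal rule.

Added example, not Tor's implementation. Assumptions: resolv.conf queries
always go to UDP/TCP port 53; a bare "DNSPort <port>" listens on 127.0.0.1;
"0.0.0.0"/"::" wildcard listeners answer on loopback and on any address the
caller passes in local_addrs.
"""
import ipaddress
import re

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
DNSPORT_RE = re.compile(r"^\s*DNSPort\s+(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_nameservers(resolv_conf):
    """Addresses the system resolver will send queries to (implicitly port 53)."""
    servers = []
    for m in NAMESERVER_RE.finditer(resolv_conf):
        try:
            servers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # hostnames or junk are ignored by libc too
    return servers


def parse_dnsports(torrc):
    """(address, port) pairs Tor's DNSPort listens on, from 'DNSPort [addr:]port' lines."""
    listeners = []
    for m in DNSPORT_RE.finditer(torrc):
        spec = m.group(1)
        if spec.isdigit():
            addr, port = "127.0.0.1", int(spec)
        elif ":" in spec and spec.rsplit(":", 1)[1].isdigit():
            addr, port = spec.rsplit(":", 1)
            addr, port = addr.strip("[]"), int(port)
        else:
            continue  # forms like "auto" cannot be resolved statically here
        try:
            listeners.append((ipaddress.ip_address(addr), port))
        except ValueError:
            continue
    return listeners


def dns_loops_to_self(resolv_conf, torrc, local_addrs=()):
    """Nameservers whose queries would land on Tor's own DNSPort (the looping config)."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = set()
    for ns in parse_nameservers(resolv_conf):
        for addr, port in parse_dnsports(torrc):
            if port != 53:
                continue  # libc only talks to port 53, so no loop is possible
            if addr == ns or (addr.is_unspecified and (ns.is_loopback or ns in local)):
                hits.add(str(ns))
    return sorted(hits)


class DnsPortGuard:
    """In-flight guard: refuse a DNSPort query that matches a lookup the server is doing."""
    REFUSED = "DNS_ERR_REFUSED"
    OVER_TOR = "RESOLVE_OVER_TOR"

    def __init__(self):
        self.in_flight = set()

    def begin_server_lookup(self, name):
        self.in_flight.add(name.lower().rstrip("."))

    def end_server_lookup(self, name):
        self.in_flight.discard(name.lower().rstrip("."))

    def handle_dnsport_query(self, name):
        # Exact-name, same-moment collision is the only case that fails.
        if name.lower().rstrip(".") in self.in_flight:
            return self.REFUSED
        return self.OVER_TOR


if __name__ == "__main__":
    # Constructed sample configuration: resolver pointed at Tor listening on 127.0.0.1:53.
    print(dns_loops_to_self("nameserver 127.0.0.1\n", "DNSPort 127.0.0.1:53\n"))
    g = DnsPortGuard()
    g.begin_server_lookup("evil-nick.com")
    print(g.handle_dnsport_query("evil-nick.com"), g.handle_dnsport_query("example.org"))
```

A non-empty result from `dns_loops_to_self` is the situation where the server can never resolve anything and should be warned; the guard shows why an application's own query only fails when it names the very host the server is resolving at that instant.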