torify and dns via nsswitch - PATCH

Wesley W. Terpstra wesley at terpstra.ca
Wed Feb 17 14:50:07 UTC 2010


I'm not certain who maintains the torify tsocks wrapper, so apologies
if this is misdirected.

The use of torify with programs like wget is quite nice. However, it
leaks dns requests. One approach I hacked together is to create an
nsswitch.conf compatible module that performs DNS lookups using Tor
whenever an environment variable TOR_NSS is set. This way the torify
wrapper just sets the TOR_NSS and tsocks environment variables and
things work (TM).

I understand that tsocks can redirect dns requests to tcp and then
redirect these out to Tor. This approach suffers from a few problems
AFAICS:
1. You need a list of DNS servers that support open recursive requests
OR you need to perform the entire lookup starting from root servers
over Tor (ie: very slow)
2. Tor doesn't see the DNS lookup and so gives warnings about dns leakage
3. Tor doesn't see the DNS lookup so the caching + new identity stuff
doesn't work
4. It's inappropriate to do this for any application other than Tor,
and so isn't included in the default debian build of tsocks.

Using my nsswitch module it is as though every time gethostbyname is
run, tor-resolve gets called. This means:
1. DNS exits from a Tor node which can use its local DNS -> faster
2. Tor has full control over the DNS cache / etc

There is a downside: installing the module into nsswitch.conf means
that every program that uses gethostbyname will need to load
libtor_nss.so.2 (though they won't use it). However, they already need
to load 4+ such libraries on a typical debian system and
libtor_nss.so.2 is especially small.

How it works: nsswitch.conf describes what steps to take when
resolving a host name. By putting a Tor specific module before dns, we
can capture any calls to gethostbyname that would otherwise leak. The
module provides gethostbyname by using the SOCKS5 RESOLVE capability
of the Tor daemon.
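As an added illustration (not the attached nss-tor code, which is not reproduced here), the Tor-side half of that lookup: the SOCKS5 RESOLVE exchange the module performs in place of a DNS query, written in Python and assuming Tor's SOCKS listener at its default 127.0.0.1:9050.

```python
import socket
import struct

SOCKS_VERSION = 5
TOR_CMD_RESOLVE = 0xF0  # Tor's SOCKS5 extension: resolve a name without connecting
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_resolve_request(hostname: str) -> bytes:
    """Build the SOCKS5 RESOLVE request sent after method negotiation."""
    name = hostname.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for the SOCKS5 domain field")
    # VER, CMD, RSV, ATYP, LEN, name, DST.PORT (port is ignored for RESOLVE)
    head = struct.pack("!BBBBB", SOCKS_VERSION, TOR_CMD_RESOLVE, 0, ATYP_DOMAIN, len(name))
    return head + name + b"\x00\x00"


def parse_resolve_reply(data: bytes) -> str:
    """Parse Tor's reply; the resolved address travels in the BND.ADDR field."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if data[1] != 0x00:
        raise OSError("Tor RESOLVE failed, reply code 0x%02x" % data[1])
    atyp = data[3]
    if atyp == ATYP_IPV4 and len(data) >= 8:
        return socket.inet_ntop(socket.AF_INET, data[4:8])
    if atyp == ATYP_IPV6 and len(data) >= 20:
        return socket.inet_ntop(socket.AF_INET6, data[4:20])
    raise ValueError("unexpected or truncated address type 0x%02x" % atyp)


def tor_resolve(hostname: str, proxy=("127.0.0.1", 9050)) -> str:
    """One lookup as the nsswitch module does it: negotiate, RESOLVE, read the answer.

    The name never reaches a local resolver; Tor resolves it at the exit."""
    with socket.create_connection(proxy, timeout=30) as s:
        s.sendall(b"\x05\x01\x00")  # offer 'no authentication' only
        if s.recv(2) != b"\x05\x00":
            raise OSError("SOCKS5 method negotiation failed")
        s.sendall(build_resolve_request(hostname))
        return parse_resolve_reply(s.recv(22))  # 10 bytes for IPv4, 22 for IPv6
```

A reply code other than 0x00 (for example when the exit cannot resolve the name) surfaces as an error rather than a silent fallback to the system resolver, which is what keeps the lookup from leaking.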

Issues: I didn't implement reverse DNS, but this would be easy to add.

I hereby place this code in the public domain. If it's useful to the
Tor project, do with it whatever you like. I'm open to suggestions
about ways to improve it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nss-tor-0.1.tar.gz
Type: application/x-gzip
Size: 2021 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20100217/ab43da33/attachment.bin>