[tor-dev] How to integrate an external name resolver into Tor

Jeremy Rand jeremyrand at airmail.cc
Tue Aug 2 21:10:28 UTC 2016

Nick Mathewson:
> Hi, all!
>
> I've seen a couple of emails from people looking into new ways to do
> naming for onion services.  That's great!  Before anybody gets too
> far, I'd like to send this quick note to let you know that integrating
> stuff like this into Tor is actually easier than you think.
>
> Here's how you do it, using a Tor controller.  (See control-spec.txt
> for protocol documentation. Also see one of the several friendly
> libraries, like stem, that exist to interface with Tor over this
> protocol.)
>
> First, you set the Tor option "__LeaveStreamsUnattached".  This tells
> Tor that it shouldn't try to handle new client requests immediately,
> but it should instead let the controller take responsibility.
>
> In the controller, you make sure that you are watching STREAM events
> so that you find out about new streams.
>
> Whenever there's a new stream, you check its address.  If the address
> is one that you don't want to rewrite, you just call ATTACHSTREAM on
> it, with a circuit ID of 0. (The 0 means "Tor, you figure out how to
> attach this one.")
>
> Otherwise, you do whatever magic dance you do in order to find out the
> real address for the stream.
>
> If the lookup operation is successful, you say "REDIRECTSTREAM (stream
> ID) (new address)".  And then you ATTACHSTREAM as above.
>
> If the lookup operation fails, you call "CLOSESTREAM (stream ID) 2".
> (The 2 means "resolve failed".)
>
> And that's it for the Tor integration!  All you need to do now is
> figure out how the name lookup works.
>
> cheers,

Hi Nick,

Let's say that the name lookup operation will generate network traffic,
and therefore should be subject to stream isolation.  (This is the case
for a subset of Namecoin-based lookup methods.)

How can a Tor controller obtain the needed information to perform stream
isolation on the lookup, prior to issuing ATTACHSTREAM?  (Subject to the
constraint that if two streams would ordinarily use different Tor
circuits, then their respective name lookups should use different Tor
circuits.)  From briefly looking at control-spec.txt, it looks like this
info is only available by examining a circuit rather than a stream,
which is problematic if the name lookup needs to be done before
attaching a stream to a circuit.

It's likely that I'm just misreading the spec, but any chance you (or
anyone else) could provide some pointers here?
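
The controller procedure in the quoted message, as an added example that is not part of the original thread and is not code from Tor or any project named here. It turns STREAM event lines into the control-port commands to send back; the `.bit` suffix test, the lookup table, the sample event lines and all function names are assumptions, and the lookup is a local table, so it generates no network traffic and does not touch the stream-isolation question raised above.

```python
import re

# Sent once after authenticating: option and event named in the quoted message.
SETUP_COMMANDS = ["SETCONF __LeaveStreamsUnattached=1", "SETEVENTS STREAM"]

# Constructed lookup table standing in for a real name system (assumption).
NAME_TABLE = {"example.bit": "exampleplaceholderaddr.onion"}

# Resolver output is untrusted: allow only hostname characters so a result
# can never smuggle spaces or CRLF into a control-port command.
SAFE_ADDR = re.compile(r"[A-Za-z0-9.-]+")


def parse_stream_event(line):
    """Return (stream_id, status, host) from a '650 STREAM ...' line, else None."""
    fields = line.strip().split(" ")
    if len(fields) < 6 or fields[0] != "650" or fields[1] != "STREAM":
        return None
    stream_id, status, target = fields[2], fields[3], fields[5]
    host, sep, _port = target.rpartition(":")
    if not sep or not stream_id.isalnum():
        return None
    return stream_id, status, host.lower()


def resolve(host):
    """Hypothetical resolver: the new address, or None when the lookup fails."""
    return NAME_TABLE.get(host)


def commands_for_event(line, resolver=resolve):
    """Map one STREAM event to the list of commands the controller should send."""
    parsed = parse_stream_event(line)
    if parsed is None or parsed[1] != "NEW":
        return []  # later statuses of an already handled stream need no action
    stream_id, _status, host = parsed
    if not host.endswith(".bit"):
        return [f"ATTACHSTREAM {stream_id} 0"]  # 0: Tor picks the circuit
    new_addr = resolver(host)
    if new_addr is None or not SAFE_ADDR.fullmatch(new_addr):
        return [f"CLOSESTREAM {stream_id} 2"]  # 2: resolve failed
    return [f"REDIRECTSTREAM {stream_id} {new_addr}", f"ATTACHSTREAM {stream_id} 0"]


# Constructed STREAM events for illustration, not captured from a real Tor.
SAMPLE_EVENTS = [
    "650 STREAM 41 NEW 0 torproject.org:443 SOURCE_ADDR=127.0.0.1:50001 PURPOSE=USER",
    "650 STREAM 42 NEW 0 example.bit:80 SOURCE_ADDR=127.0.0.1:50002 PURPOSE=USER",
    "650 STREAM 43 NEW 0 missing.bit:80 SOURCE_ADDR=127.0.0.1:50003 PURPOSE=USER",
    "650 STREAM 42 SUCCEEDED 7 exampleplaceholderaddr.onion:80",
]
```
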

