[tor-relays] Reminder: don't run transparent proxies at exits

Drake Wilson drake at dasyatidae.net
Sat Jan 10 02:12:20 UTC 2015


eric gisse wrote:
> Why? People say 'DO NOT MESS WITH TRAFFIC' but in the same breath they
> say 'BUT USE A CACHING DNS RESOLVER'.

Because the interface level at which exit traffic proper occurs is TCP,
and the interface contract for the client is that the TCP stream will be
direct to the intended destination.  The interface level at which
Tor-traversing DNS requests occur is DNS, and the interface contract for
the client is that the DNS request will be resolved in some way that
reflects the consensus public DNS on the Internet.  Using a DNS cache is
consistent with being expected to terminate DNS.  Using an HTTP cache is
not consistent with being expected to terminate TCP.  Reblocking at the
TCP level presumably happens, for instance, and is not considered "messing
with traffic" because it's not specified that Tor passes arbitrary IP
packets, only TCP (and I'm not sure it even requires _full_ TCP other than
the bidirectional octet streams; I forget whether the urgent marker is
passed through, for instance).

So it's not inconsistent to hear those for exit operators WRT Tor's design.
If you think the design is flawed, that's a separate matter.

   ---> Drake Wilson
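The contract Drake describes (the TCP stream arrives at the destination unaltered) is something an exit operator can verify for their own relay. The checker below is an added example, not code from this thread or from Tor; it assumes the operator has fetched the same canary resource once directly and once through their own exit (for instance with a SOCKS-proxied HTTP client) and feeds both responses in. The two responses here are constructed samples showing what an upstream caching proxy typically leaves behind.

```python
import hashlib

# Constructed sample responses (not real captures): the canary fetched
# directly from the origin, and the same fetch as seen through an exit
# whose upstream network silently inserted a caching HTTP proxy.
DIRECT = {
    "status": 200,
    "headers": {"Content-Type": "text/plain", "Content-Length": "18",
                "ETag": '"abc123"'},
    "body": b"canary-payload-001",
}
VIA_EXIT = {
    "status": 200,
    "headers": {"Content-Type": "text/plain", "Content-Length": "18",
                "Via": "1.1 cache.example", "X-Cache": "HIT", "Age": "3600"},
    "body": b"canary-payload-001",
}

# Header names that an intermediary adds; a direct fetch should not carry them
# unless the origin itself sent them (hence the "not in direct" check below).
PROXY_HEADERS = ("via", "x-cache", "age", "x-proxy-id", "x-squid-error")


def fingerprint(body: bytes) -> str:
    """Stable digest of the response body so rewrites are caught exactly."""
    return hashlib.sha256(body).hexdigest()


def compare_fetches(direct: dict, via_exit: dict) -> list:
    """Return human-readable findings; an empty list means the exit passed
    the stream through untouched (status, headers and body all identical)."""
    findings = []
    if direct["status"] != via_exit["status"]:
        findings.append(f"status differs: {direct['status']} vs {via_exit['status']}")
    if fingerprint(direct["body"]) != fingerprint(via_exit["body"]):
        findings.append("body hash differs: content was rewritten in transit")
    d = {k.lower(): v for k, v in direct["headers"].items()}
    e = {k.lower(): v for k, v in via_exit["headers"].items()}
    for name in PROXY_HEADERS:
        if name in e and name not in d:
            findings.append(f"proxy header added: {name}: {e[name]}")
    for name, value in d.items():
        if name not in e:
            findings.append(f"header dropped: {name}")
        elif e[name] != value:
            findings.append(f"header changed: {name}: {value!r} -> {e[name]!r}")
    return findings


if __name__ == "__main__":
    for line in compare_fetches(DIRECT, VIA_EXIT) or ["no tampering detected"]:
        print(line)
```

Any non-empty result means something between the exit and the origin is terminating TCP and speaking HTTP on the client's behalf, which is exactly the behaviour the reminder asks operators not to run (or to get their upstream to remove).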
