Squid Proxy Causes Unavoidable DNS Leaks

ADB firefox-gen at walala.org
Tue Sep 13 22:49:16 UTC 2005


Sounds complicated. If it can be done effectively, I'd put it on the 
wiki just for the heck of it, but would NOT recommend doing any of this 
stuff as standard configuration policy (it's just not worth the time, 
effort, and risks if you screw up).
~ADB

Jack Cummings wrote:

>On Mon, Sep 12, 2005 at 11:53:04AM -0400, u-281 at vif.com wrote:
>
>>Squid can be compiled with the option --disable-internal-dns, and configured to
>>use an external dns server (dnsserver).  I think replacing the line
>>gethostbyname in dnsserver.c by something like spawnv("/usr/bin/tor-resolve",
>>buf, localhost:9050, NULL); could do it to use tor network for dns requests. 
>>Then one could grab the result from tor-resolve and send it back to dnsserver. 
>>I'm not that fluent in C to accomplish this, but it seems to be a viable
>>solution.
>
>I made a sh wrapper around tor-resolve that outputs something that looks like
>the output of dnsserver:
>
>--
>[jack at needle:jack]$ cat /opt/pkg/squid/libexec/tor-dnsserver
>#!/bin/sh
># Squid writes one hostname per line on stdin; answer each with one
># dnsserver-style reply line.  "\$addr" is the literal reply keyword that
># Squid's ipcache parses, not a shell variable, hence the escaped dollar.
>while read addr
>do
>        r=$(tor-resolve "$addr")
>        echo "\$addr 0 $r"
>done
>--
>
>And in the squid.conf file:
>
>--
>...
>cache_dns_program /opt/pkg/squid/libexec/tor-dnsserver
>#cache_dns_program /opt/pkg/squid/libexec/dnsserver
>dns_children 5
>...
>--
>
>as a first pass, it works, although it does not properly handle failed DNS
>requests.
>
>Cheers, 
>
>--Jack 
>
>--
>Jack (John) Cummings                           http://mudshark.org/
>PGP fingerprint: 0774 D073 E386 B70B 6B16  2D2B 1DD8 F8B0 CCF0 FAEE
>Now playing on Prime:    Bombtrack -- Rage Against the Machine
>Now playing on Remedial: Recovering the Satellites -- Counting Crows
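The wrapper Jack describes, extended so that a failed lookup produces a proper failure reply instead of a half-formed "$addr 0" line and so that names taken from client requests cannot reach tor-resolve as options. This is an added example, not code from the original thread; it assumes the Squid 2.5 external dnsserver reply format ("$addr <ttl> <ip> ..." on success, "$fail <ttl>" followed by one line of error text on failure), the tor-resolve invocation from the thread, and that the script is installed under the tor-dnsserver name from Jack's squid.conf; check the format against dnsserver.c for the Squid version in use.

```shell
#!/bin/sh
# Added example, not from the original thread: a tor-resolve wrapper for
# Squid's cache_dns_program that reports failed lookups.  Assumed reply
# format (verify in dnsserver.c for your Squid version):
#   success "$addr <ttl> <ip> [<ip> ...]"   failure "$fail <ttl>" + message line
TOR_RESOLVE=${TOR_RESOLVE:-tor-resolve}  # resolver command; overridable for tests
TOR_SOCKS=${TOR_SOCKS:-127.0.0.1:9050}   # Tor SOCKS host:port handed to tor-resolve

# Names come from client requests, so treat them as untrusted input: allow
# only hostname characters and never let a leading "-" reach tor-resolve,
# where it would be parsed as an option.
valid_hostname() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Resolve one name through Tor and print one reply in the dnsserver format.
# Returns 0 on success, 1 on any failure (after printing a "$fail" reply).
resolve_line() {
    name=$1
    if ! valid_hostname "$name"; then
        printf '$fail 0\ninvalid hostname\n'
        return 1
    fi
    # tor-resolve prints the address on stdout and exits non-zero on error
    ip=$("$TOR_RESOLVE" "$name" "$TOR_SOCKS" 2>/dev/null) || ip=''
    case "$ip" in
        ''|*[!0-9.]*)  # empty or not a dotted quad: do not hand junk to Squid
            printf '$fail 0\nresolution through Tor failed\n'
            return 1 ;;
    esac
    # ttl 0 as in Jack's wrapper: tor-resolve does not return a TTL
    printf '$addr 0 %s\n' "$ip"
}

# Serve Squid: one name per line on stdin, one reply per name, until EOF.
serve() {
    while IFS= read -r name; do
        resolve_line "$name" || :   # a failed lookup must not stop the helper
    done
}

# Enter the serving loop only when installed under the helper name used in
# squid.conf, so the functions above can also be sourced and tested alone.
case "${0##*/}" in
    tor-dnsserver) serve ;;
esac
```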
