Tor & DNS Requests

Roger Dingledine arma at
Thu May 4 22:41:34 UTC 2006

On Thu, May 04, 2006 at 02:14:05PM -0700, Joseph B Kowalski wrote:
> 1) It is clear that the Tor network only handles TCP traffic and
> not UDP, which is, of course, what standard DNS lookup requests use
> (UDP). So, when directing DNS lookup requests into the Tor network
> (whether by setting the network.proxy.socks_remote_dns flag in
> Firefox or using Privoxy or whatever), is the application or proxy
> (Firefox or Privoxy, in this example) handing the DNS lookup
> request to the Tor client using TCP already, or does the Tor client
> translate the UDP DNS lookup request into a TCP DNS lookup request
> before passing to the first OR (entry node)?

Socks4a and socks5-with-remote-lookup actually hands the fqdn (aka
hostname) to the socks proxy. Tor in turn hands it to the exit node.
The exit node does a DNS resolve however it sees fit. Then in the response
cell inside the Tor network (either "connected" or "end"), the exit node
includes the IP address that it found for that hostname. This way the Tor
client can cache it for next time, saving future exit nodes from needing
to resolve it, and also allowing the client to compare it to exit policies
(which are written in terms of IP addresses, not in terms of hostnames,
see faq for why).

> 2) Once the DNS lookup request reaches the exit node, does the exit
> node perform a standard UDP DNS lookup using it's configured
> nameservers, or does it do it using a TCP DNS lookup?

Standard DNS lookup, however the local system is configured to do it.

> 3) Is it necessary to allow traffic to port 53 in the exit policy
> of an OR in order for that OR to perform DNS lookups on the behalf
> of client requests?

No. All Tor nodes, including nodes with an exit policy of reject
*:*, are willing to do DNS resolves for people. Of course, clients
will try to pick nodes that would allow their connection to exit,
so they will tend to avoid using the reject *:* ones -- but when
using our extension to socks to do dns resolves directly (see the Tor client is
fine picking a reject-all node, since no traffic will actually be exiting.

> I know that common sense appears to suggest
> that this is so, but I couldn't find anything in the documentation
> stating if DNS lookups are just something all exit nodes handle
> automatically and by default, or if only exit nodes configured to
> allow outbound traffic to port 53 allow them.

Can you suggest some place in the documentation that you would expect
to find these answers? It feels like we already have too many docs,
but obviously there's lots more to say too.

Hope that helps,

More information about the tor-talk mailing list