Tor & DNS Requests

Joseph B Kowalski jbk at
Fri May 5 00:16:12 UTC 2006

Hash: SHA1

On Thu, 04 May 2006 15:41:34 -0700 Roger Dingledine <arma at>
>On Thu, May 04, 2006 at 02:14:05PM -0700, Joseph B Kowalski wrote:
>> 1) It is clear that the Tor network only handles TCP traffic and
>> not UDP, which is, of course, what standard DNS lookup requests
>> use (UDP). So, when directing DNS lookup requests into the Tor
>> network (whether by setting the network.proxy.socks_remote_dns
>> flag in Firefox or using Privoxy or whatever), is the application
>> or proxy (Firefox or Privoxy, in this example) handing the DNS
>> lookup request to the Tor client using TCP already, or does the
>> Tor client translate the UDP DNS lookup request into a TCP DNS
>> lookup request before passing to the first OR (entry node)?
>Socks4a and socks5-with-remote-lookup actually hands the fqdn (aka
>hostname) to the socks proxy. Tor in turn hands it to the exit
>node. The exit node does a DNS resolve however it sees fit. Then
>in the response cell inside the Tor network (either "connected" or
>"end"), the exit node includes the IP address that it found for
>that hostname. This way the Tor client can cache it for next time,
>saving future exit nodes from needing to resolve it, and also
>allowing the client to compare it to exit policies (which are
>written in terms of IP addresses, not in terms of hostnames,
>see faq for why).
>> 2) Once the DNS lookup request reaches the exit node, does the
>> exit node perform a standard UDP DNS lookup using it's
>> configured nameservers, or does it do it using a TCP DNS
>> lookup?
>Standard DNS lookup, however the local system is configured to do
>> 3) Is it necessary to allow traffic to port 53 in the exit
>> policy of an OR in order for that OR to perform DNS lookups
>> on the behalf of client requests?
>No. All Tor nodes, including nodes with an exit policy of reject
>*:*, are willing to do DNS resolves for people. Of course, clients
>will try to pick nodes that would allow their connection to exit,
>so they will tend to avoid using the reject *:* ones -- but when
>using our extension to socks to do dns resolves directly (see
> the Tor
>client is fine picking a reject-all node, since no traffic will
>actually be exiting.
>> I know that common sense appears to suggest that this is so,
>> but I couldn't find anything in the documentation stating if
>> DNS lookups are just something all exit nodes handle
>> automatically and by default, or if only exit nodes configured
>> to allow outbound traffic to port 53 allow them.
>Can you suggest some place in the documentation that you would
>expect to find these answers? It feels like we already have too
>many docs, but obviously there's lots more to say too.
>Hope that helps,

Hi Roger,

Your reply is very clear and very helpful. Thank you for taking
the time to compose it.

You are right that there is a lot of documentation. For what it's
worth, I feel that it is generally very helpful and quite
comprehensive. This may be the first series of questions on Tor
that I havn't been able to find answers to myself, either in the
documentation or in previous mailing-list posts. I know I could
have looked through the source to find the answers to my
questions, but figured asking would be a bit easier.

If I were to suggest a place in the documentation to cover this
area, I think that a good place might possibly be in the
"Tor Technical FAQ Wiki"
possibly in section 4 (Running a Tor client), adding a new FAQ
right after question number 17. It might be titled "How does
Tor handle DNS lookup requests?".

Of course, what is intuitive for me may not be for others, and
you could easily make things quite complex by trying to decide
what pieces of the pertinent information apply to clients, what
pieces apply to server operators, making appropriate entries in
the respective sections, etc. Such is part of the challenge in
clearly documenting something very technical, I suppose.

Once again, thank you for your answers, and a big thank you to
you and everyone else who has put so much work into making Tor

Best regards,

Joe Kowalski
PGP Key ID: 0xA96A2EE0

Note: This signature can be verified at
Version: Hush 2.5


More information about the tor-talk mailing list