Tor & DNS Requests

Ringo Kamens 2600denver at
Fri May 5 00:29:25 UTC 2006

Thanks for the explanation of the DNS requests. Perhaps this could be put
in a sort of "technical details" section on the wiki.

On 5/4/06, Joseph B Kowalski <jbk at> wrote:
> Hash: SHA1
> On Thu, 04 May 2006 15:41:34 -0700 Roger Dingledine <arma at>
> wrote:
> >On Thu, May 04, 2006 at 02:14:05PM -0700, Joseph B Kowalski wrote:
> >> 1) It is clear that the Tor network only handles TCP traffic and
> >> not UDP, which is, of course, what standard DNS lookup requests
> >> use (UDP). So, when directing DNS lookup requests into the Tor
> >> network (whether by setting the network.proxy.socks_remote_dns
> >> flag in Firefox or using Privoxy or whatever), is the application
> >> or proxy (Firefox or Privoxy, in this example) handing the DNS
> >> lookup request to the Tor client using TCP already, or does the
> >> Tor client translate the UDP DNS lookup request into a TCP DNS
> >> lookup request before passing to the first OR (entry node)?
> >
> >Socks4a and socks5-with-remote-lookup actually hands the fqdn (aka
> >hostname) to the socks proxy. Tor in turn hands it to the exit
> >node. The exit node does a DNS resolve however it sees fit. Then
> >in the response cell inside the Tor network (either "connected" or
> >"end"), the exit node includes the IP address that it found for
> >that hostname. This way the Tor client can cache it for next time,
> >saving future exit nodes from needing to resolve it, and also
> >allowing the client to compare it to exit policies (which are
> >written in terms of IP addresses, not in terms of hostnames,
> >see faq for why).
> >
> >> 2) Once the DNS lookup request reaches the exit node, does the
> >> exit node perform a standard UDP DNS lookup using it's
> >> configured nameservers, or does it do it using a TCP DNS
> >> lookup?
> >
> >Standard DNS lookup, however the local system is configured to do
> >it.
> >
> >> 3) Is it necessary to allow traffic to port 53 in the exit
> >> policy of an OR in order for that OR to perform DNS lookups
> >> on the behalf of client requests?
> >
> >No. All Tor nodes, including nodes with an exit policy of reject
> >*:*, are willing to do DNS resolves for people. Of course, clients
> >will try to pick nodes that would allow their connection to exit,
> >so they will tend to avoid using the reject *:* ones -- but when
> >using our extension to socks to do dns resolves directly (see
> > the Tor
> >client is fine picking a reject-all node, since no traffic will
> >actually be exiting.
> >
> >> I know that common sense appears to suggest that this is so,
> >> but I couldn't find anything in the documentation stating if
> >> DNS lookups are just something all exit nodes handle
> >> automatically and by default, or if only exit nodes configured
> >> to allow outbound traffic to port 53 allow them.
> >
> >Can you suggest some place in the documentation that you would
> >expect to find these answers? It feels like we already have too
> >many docs, but obviously there's lots more to say too.
> >
> >Hope that helps,
> >--Roger
> Hi Roger,
> Your reply is very clear and very helpful. Thank you for taking
> the time to compose it.
> You are right that there is a lot of documentation. For what it's
> worth, I feel that it is generally very helpful and quite
> comprehensive. This may be the first series of questions on Tor
> that I havn't been able to find answers to myself, either in the
> documentation or in previous mailing-list posts. I know I could
> have looked through the source to find the answers to my
> questions, but figured asking would be a bit easier.
> If I were to suggest a place in the documentation to cover this
> area, I think that a good place might possibly be in the
> "Tor Technical FAQ Wiki"
> (,
> possibly in section 4 (Running a Tor client), adding a new FAQ
> right after question number 17. It might be titled "How does
> Tor handle DNS lookup requests?".
> Of course, what is intuitive for me may not be for others, and
> you could easily make things quite complex by trying to decide
> what pieces of the pertinent information apply to clients, what
> pieces apply to server operators, making appropriate entries in
> the respective sections, etc. Such is part of the challenge in
> clearly documenting something very technical, I suppose.
> Once again, thank you for your answers, and a big thank you to
> you and everyone else who has put so much work into making Tor
> work.
> Best regards,
> Joe Kowalski
> PGP Key ID: 0xA96A2EE0
> Note: This signature can be verified at
> Version: Hush 2.5
> wkYEARECAAYFAkRamUwACgkQQ4RaO6lqLuA86wCgsLND+dX1YxjWHIvNCtqkp70iYFgA
> oLUwIP1nwFsXR4ZdGeYSJfdhCR1b
> =CUDn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tor-talk mailing list