proxychains DNS leaks stopped

Scott Bennett bennett at cs.niu.edu
Tue Jan 6 08:16:59 UTC 2009


     On Tue, 6 Jan 2009 02:03:35 -0600 (CST) I wrote:
>     On Mon, 5 Jan 2009 23:34:56 -0800 "Kyle Williams"
><kyle.kwilliams at gmail.com> top-posted:
>>Interesting...
>>I just did a test.  As root I watched udp traffic using "tcpdump -i eth0
>>-net -s 65535 udp and host 192.168.XX.XX"
>>and didn't see any DNS request when I used "proxychains firefox
>>http://check.torproject.org"
>
>     That's right.  You won't see it as UDP because the proxyresolv script
>uses the +tcp option on the dig(1) command.
>>
>>I did see this in the terminal that I launched proxychains from.
>>"
>>build at Janus-Dev-VM:~$ proxychains firefox http://check.torproject.org
>>ProxyChains-3.1 (http://proxychains.sf.net)
>>|DNS-request| check.torproject.org
>>|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
>>|DNS-response| check.torproject.org is 209.237.247.84
>>|S-chain|-<>-127.0.0.1:9050-<><>-209.237.247.84:80-<><>-OK
>>"
>>
>>Also worth mentioning, at the end of the default proxychains.conf file is:
>>"
>># defaults set to "tor"
>>socks5     127.0.0.1 9050
>>"
>
>     The one that got installed on my system said,
>
># defaults set to "tor"
>socks4         127.0.0.1 9050
>
>which I changed to the way you have it.
>>
>>Perhaps the author did have Tor in mind?
>>When I ran firefox without proxychains, I then saw DNS requests with tcpdump,
>>as expected.
>>
>>Hrm....I think it's working.  If I'm wrong, could someone point out the flaw
>>in my testing method?
>
>     See above.  Take a good look at the proxyresolv script that is used by
>proxychains to resolve names to addresses.
>
     Hmmm.  After thinking about that +tcp option on the dig command, I'm
forced to admit I missed the implication of my having to run tor-resolve
under env(1) to get rid of the shared library.  It could be that the queries
from the dig were actually getting routed through tor (or any other chain of
proxies).  However, the queries were all being sent to 4.2.2.2, which has a
PTR RR to vnsc-bak.sys.gtei.net.  So maybe the queries weren't really being
leaked, but they were all going to the same name server.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
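The exchange above turns on two points: a UDP-only tcpdump filter cannot see lookups that proxyresolv sends with dig +tcp, and the proxychains log itself records, for each |DNS-request|, the |S-chain| hop list that carried it and the resolver it ended at. The following script is an added example, not code from the thread or from the proxychains project; it parses log lines in the ProxyChains-3.1 format quoted above and reports which lookups actually traversed the chain and which resolver answered them. The first sample lookup is the one from Kyle's transcript; the second (example.invalid / 192.0.2.10) is a constructed case of a response with no chain record, which the audit flags as a lookup that bypassed the proxies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line formats as printed by ProxyChains-3.1 (taken from the transcript above).
DNS_REQUEST = re.compile(r"^\|DNS-request\|\s+(\S+)$")
DNS_RESPONSE = re.compile(r"^\|DNS-response\|\s+(\S+) is (\S+)$")
CHAIN = re.compile(r"^\|S-chain\|(.*)$")
HOP = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@dataclass
class DnsResolution:
    name: str
    answer: Optional[str] = None
    resolver: Optional[str] = None          # final hop (port 53) of the lookup's S-chain
    hops: List[str] = field(default_factory=list)  # proxy hops before the resolver
    chain_ok: bool = False

    @property
    def proxied(self) -> bool:
        """True only if a successful S-chain to a port-53 target was logged."""
        return self.chain_ok and self.resolver is not None


def parse_chain(body: str):
    """Split one |S-chain| body into its host:port hops and its OK/failed status."""
    hops = [f"{ip}:{port}" for ip, port in HOP.findall(body)]
    return hops, body.rstrip().endswith("OK")


def audit_proxychains_log(lines):
    """Pair each |DNS-request| with the S-chain that carried it and its |DNS-response|."""
    results = []
    pending = None
    for raw in lines:
        line = raw.strip()
        m = DNS_REQUEST.match(line)
        if m:
            pending = DnsResolution(name=m.group(1))
            results.append(pending)
            continue
        m = CHAIN.match(line)
        if m and pending is not None:
            hops, ok = parse_chain(m.group(1))
            # Only a chain ending at a port-53 target is the name lookup itself.
            if hops and hops[-1].endswith(":53"):
                pending.hops = hops[:-1]
                pending.resolver = hops[-1].rsplit(":", 1)[0]
                pending.chain_ok = ok
            continue
        m = DNS_RESPONSE.match(line)
        if m and pending is not None and m.group(1) == pending.name:
            pending.answer = m.group(2)
            pending = None  # response closes the lookup, whether or not a chain was seen
    return results


def resolvers_used(results):
    """Distinct resolvers the chain delivered lookups to (one fixed server = fingerprint)."""
    return sorted({r.resolver for r in results if r.resolver})


def unproxied_lookups(results):
    """Names that were answered without a logged, successful chain to port 53."""
    return [r.name for r in results if not r.proxied]


# Constructed sample: first lookup copied from the transcript, second a made-up
# leak case with a reserved name and a documentation address.
SAMPLE_LOG = """\
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| check.torproject.org
|S-chain|-<>-127.0.0.1:9050-<><>-4.2.2.2:53-<><>-OK
|DNS-response| check.torproject.org is 209.237.247.84
|S-chain|-<>-127.0.0.1:9050-<><>-209.237.247.84:80-<><>-OK
|DNS-request| example.invalid
|DNS-response| example.invalid is 192.0.2.10
""".splitlines()


if __name__ == "__main__":
    audit = audit_proxychains_log(SAMPLE_LOG)
    for r in audit:
        status = "via " + " -> ".join(r.hops + [r.resolver]) if r.proxied else "NOT PROXIED"
        print(f"{r.name:24} {r.answer or '-':16} {status}")
    print("resolvers used:", resolvers_used(audit))
    print("unproxied lookups:", unproxied_lookups(audit))
```

Run it against a saved proxychains session (`proxychains firefox ... 2>&1 | tee session.log`, then feed the file to `audit_proxychains_log`). An empty `unproxied_lookups` list confirms Kyle's reading that the lookups did go through the chain; `resolvers_used` makes Scott's second observation visible, namely that every query lands on the same resolver (4.2.2.2 in the transcript), which is not a leak but is a fixed, observable choice of name server. To check the wire rather than the log, capture with a filter that includes TCP as well (`port 53`, not `udp port 53`), since proxyresolv's `dig +tcp` never produces UDP.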