[tor-talk] unbound, ttdnsd and DNSPort config

Robert Ransom rransom.8774 at gmail.com
Thu Jun 9 08:02:00 UTC 2011


On Thu, 09 Jun 2011 02:00:23 +0200
intrigeri <intrigeri at boum.org> wrote:

> Hi,
> 
> Anders Sundman wrote (06 Jun 2011 14:24:12 GMT) :
> > Used individually, the addr directives work fine and resolve using
> > their respective mechanism. Used together, it looks like ttdnsd
> > never gets a chance after tor has failed (e.g. when resolving a SRV
> > or MX record).
> 
> > Any ideas?
> 
> I've just had a look, by attempting to implement the same in Tails
> (i.e. query first the Tor resolver, and fall back to ttdnsd in case the
> former is not able to answer the query) as we planned to do for quite
> some time. I've seen the same results as you have, using the DNS
> frontend caching proxy Tails already ships (pdnsd) instead of unbound.
> 
> A few dig commands taught me that the Tor resolver sends an empty
> reply (status: NOERROR, QUERY: 1, ANSWER: 0) rather than an error when
> it does not support the type of the query (e.g. MX). The obvious
> consequence of it is: the caching frontend DNS proxy (be it unbound,
> pdnsd or whatever) has thus no way to know it should fall back to
> ttdnsd in such a case, and it actually never does so, which confirms
> what you've observed in the first place.
> 
> => In the current state of the Tor DNS resolver, we're forced to use
> ttdnsd by default, and only use the Tor resolver for .onion/.exit...
> unless I missed something.
> 
> So I'm curious what the rationale for the "empty reply" behavior is.
> Any ideas?

This looks like a bug.  Please open a Trac ticket for it.


Robert Ransom
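
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not code from Tor, ttdnsd, unbound or pdnsd. It builds wire-format DNS replies and shows why a forwarder that only falls back on an error RCODE never reaches the second upstream, next to the name-based routing the quoted message settles on. Assumptions: `tor_resolver` and `ttdnsd` are simplified stand-ins (every type except A is treated as unsupported), the forwarder policy is a model, and all names and record data are constructed.

```python
import struct

NOERROR = 0                        # RCODE 0 (RFC 1035)
TYPE_A, TYPE_MX = 1, 15
# Constructed RDATA: 192.0.2.1 for A; preference 10 + pointer to the query name for MX.
RDATA = {TYPE_A: bytes([192, 0, 2, 1]), TYPE_MX: b"\x00\x0a\xc0\x0c"}

def build_reply(name, qtype, rcode, rdata=None):
    """Wire-format reply: header, one question, optionally one answer RR."""
    flags = 0x8180 | rcode                                  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rdata else 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if rdata:                                               # owner name = pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return msg

def status(msg):
    """Return (rcode, ancount) from the 12-byte header, the fields dig summarises."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return flags & 0x000F, ancount

def tor_resolver(name, qtype):
    """Model of the reported behaviour: empty NOERROR reply for an unsupported type."""
    return build_reply(name, qtype, NOERROR, RDATA[TYPE_A] if qtype == TYPE_A else None)

def ttdnsd(name, qtype):
    """Assumed stand-in: a full resolver that answers every type in RDATA."""
    return build_reply(name, qtype, NOERROR, RDATA[qtype])

def fallback_on_error(name, qtype):
    """Model forwarder: moves to the next upstream only on an error RCODE."""
    for label, upstream in (("tor", tor_resolver), ("ttdnsd", ttdnsd)):
        rcode, ancount = status(upstream(name, qtype))
        if rcode == NOERROR:        # an empty NOERROR reply is accepted as final
            return label, ancount
    return None, 0

def route_by_name(name, qtype):
    """Routing from the thread: ttdnsd by default, Tor resolver only for .onion/.exit."""
    special = name.endswith((".onion", ".exit"))
    label, upstream = ("tor", tor_resolver) if special else ("ttdnsd", ttdnsd)
    return label, status(upstream(name, qtype))[1]

if __name__ == "__main__":
    for policy in (fallback_on_error, route_by_name):
        for qtype in (TYPE_A, TYPE_MX):
            print(policy.__name__, qtype, policy("example.com", qtype))
```
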