[tor-talk] DNSSEC validation over Tor with unbound&socat (Linux alpha howto)
Ondrej Mikle
ondrej.mikle at gmail.com
Sat Jan 14 06:44:14 UTC 2012
Hi,
after a reviewer wrote on addons.mozilla.org that DNSSEC Validator add-on leaks
DNS (because it does direct queries), I've been looking how to hack around SOCKS
and Tor resolver deficiencies.
I've tried ttdnsd first, but it did not get along well with unbound (unbound was
complaining about bad packets). After trying couple other tunneling tools,
finally socat did the trick.
Here's the howto:
https://labs.nic.cz/page/993/dnssec-validation-over-tor--linux-/
Unfortunately, the original objective of fixing DNSSEC Validator add-on to not
leak DNS queries did not 100% succeed. Firefox has
"@mozilla.org/network/dns-service;1" API which will leak DNS even if
"network.proxy.socks_remote_dns" is set to true.
If I understand it correctly, it's because in SOCKS5 protocol one can specify
FQDN of host to connect to, but can't perform the "simple DNS query" itself.
Thus there is no way to fix the FF API (short of setting torified resolver in
/etc/resolv.conf or some LD_PRELOAD hacks to use torified resolver).
DNSSEC Validator add-on needs the mentioned dns-service FF API to check if IPs
seen by FF are the same as IPs in signed/validated response.
I've noticed FireFTP and FireSSH devs fixed some (similar?) DNS-leak issues.
I've checked their git repos in case I could use their fixes, but the fixes seem
not to have been pushed out publicly yet.
So if anyone has an idea how to work around the dns-service API, that would be
great.
Ondrej
More information about the tor-talk
mailing list