Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by teor@teor

Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers

From IRC #tor

nettezzz hello I would like to share with you one interesting findings that I did recently and that is big security flaw related to using the tor simply said, a lot of distributions use by default enabled nscd and nscd leaks the cached data to the system wide nameserver by refreshing its cache entries, eg: you have your browser configured to use SOCKS proxy including DNS requests going through .. these dns replies ends up in nscd and nscd periodically refreshes the entries by asking system-wide set nameservers so maybe the solution would be that TOR also check if nscd is running and on information level notices user that this might happen howto reproduce it: enable nscd (if not enabled) and from terminal with root' s shell do `tcpdump -i $your_lan_iface port 53' ... you'll see periodically that your "tor browsed" sites leaks via DNS requests to your "normal" DNS I hope that this information will be useful for somebody

whitanne_ nettezzz: is this for the latest version of tor?

nettezzz it's for all versions of tor whitanne_: probably a lot of linux users are not affected, but at least some major distros have enabled nscd by default - at least we in opensuse also in nscd manpage is not this "feature" documented

Joost nettezzz: it appears people have noticed this in the past: https://tor.stackexchange.com/questions/4350/tor-dns-cached

nettezzz indeed so I re-inveneted wheel :) Joost: I didn't find it even according to the tor ... I was seting up somewhere some SOCKS proxy and found it ... later on reproduced it with tor browser

Joost it's mentioned in some places, I see now.. https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin

nettezzz indeed sorry for alarming ppl then ... I thought I've discovered an americas

Joost but imo it's odd, since it seems like quite a leak nettezzz: don't be sorry! it appears that there is very little awareness of this

nettezzz but anyhow, it happens still these days whilst the solution is probably rather simple 1) put this explicitely as a mention somewhere to tor browser, 2) adding a check tfor nscd to tor browser verification checks

whitanne_ nettezzz: maybe you could file a bug report or something

nettezzz to be honest, I don't use tor and I don't even have a account to tor bugzilla ... so please fill bug for tor and I'm going to fill bug to our opensuse bugzilla that this is undocumented and probably insecure to have it by default enabled I simply reproduced this with latest tor browser because it was obvious that any other SOCKS proxy solution forwarding dns queries via proxy will be affected

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information