GitLab

When tor clients resolve a domain name, exit relays are supposed to return the DNS TTL as part of their response.

At the moment, it looks like exit relays always return TTL 0 for both A and AAAA records. Only PTR records seem to come with a TTL > 0. The relevant variables on the exit side are ttl_ipv4 and ttl_ipv6 in src/or/dns_structs.h. The variables should be initialised in the function cached_resolve_add_answer. The variable ttl_hostname for PTR records is assigned ttl:

resolve->ttl_hostname = ttl;

The variables ttl_ipv4 and ttl_ipv6, however, are not. Therefore, exit relays always send back TTL 60 to clients (60 instead of 0 because the function dns_clip_ttl turns it into MIN_DNS_TTL, i.e., 60).

Commit 2889bd264 added the code to tor. It added ttl_hostname, ttl_ipv4 and ttl_ipv6, but never initialised the latter two. I wonder if this is an oversight? Commit c660a0f6 talks about potential attacks, but I don't think that explains this issue.