Tor Browser DNS security: hosts file bypassed when "Proxy DNS when using SOCKS v5" is enabled
This is not a bug but rather an unexpected behavior, which might expose the user to security concerns of varying severity.
host table
Operating systems provide a primitive mechanism, called the "host table", which is a static lookup table for hostnames and the ancestor of DNS (today served by software such as BIND). Through a configuration file (/etc/hosts on Linux, %systemroot%\system32\drivers\etc\hosts on Windows), a system administrator can manually set (hostname ; IP_address) associations.
When a user performs a DNS lookup ("I give you a hostname, give me its IP address."), the following procedure occurs by default (on Linux this order is set by the hosts: line of /etc/nsswitch.conf and can be changed there):
- look for the hostname in the host table
- is it there?
- yes: return the IP address set by the administrator
- no: perform a "standard" DNS lookup
The host table can be used for security purposes. For instance, if example.org is a domain known for dangerous behavior (user tracking, for instance), a system administrator can block the malicious website with this /etc/hosts file:
127.0.0.1 example.org # both IPv4
::1 example.org # and IPv6 must be set!
The host table is widely used by programmers and power users to easily block websites without having to configure a heavier local DNS server or firewall. (One caveat: an entry pointing at 127.0.0.1 makes the browser connect to whatever is listening on the local machine; many block lists therefore use 0.0.0.0 instead, so the connection fails outright.)
For more information, please refer to Wikipedia - Hosts (file)
Tor Browser option "Proxy DNS"
Tor Browser provides the option:
"Advanced" → "Network" → "Settings" → "Proxy DNS when using SOCKS v5"
which is equivalent to the about:config option:
network.proxy.socks_remote_dns
By default, the value is true (as I think it should be).
Expected behavior
When typing a hostname (for instance example.org) in the location bar and then pressing the "Go" button (or the "Enter" key), Tor Browser will look up the IP address of example.org.
What is to be expected: the procedure explained above, with the added value of Tor Browser performing the DNS lookup through Tor:
- look for the hostname in the host table
- is it there?
- yes: return the IP address set by the administrator
- no: perform a "standard" DNS lookup through Tor
Actual behavior
What I got with "Tor Browser 7.0.4 (based on Mozilla Firefox 52.3.0) (64-bit)":
- perform a "standard" DNS lookup through Tor
The host table is completely bypassed … Users are exposed to malicious websites.
Actual behavior with "false"
If I set network.proxy.socks_remote_dns to false and restart Tor Browser, then I get the procedure as first explained:
- look for the hostname in the host table
- is it there?
- yes: return the IP address set by the administrator
- no: perform a "standard" DNS lookup (not through Tor, as asked and expected)
This proves that Tor Browser is able to look up the host table! However, it can only do so when it is not using Tor for DNS.
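To make the two paths concrete, here is an added example (not part of this ticket and not Tor Browser's or Firefox's code) that parses a host table in /etc/hosts format, applies the "files then dns" order from the host table section, and builds the SOCKS5 CONNECT request a browser sends to Tor's SOCKS port under each setting of network.proxy.socks_remote_dns, plus the request the expected behavior above would produce. The sample host table, the fake DNS answers and the helper names (parse_hosts, resolve_local, socks5_connect_request, expected_connect_request) are constructed for illustration; the request layout follows RFC 1928, which Tor's SOCKS port implements.

```python
"""Added example (not from the ticket or from Tor Browser): models the two
resolution paths discussed above.

  resolve_local()            "hosts: files dns" order from nsswitch.conf
  socks5_connect_request()   SOCKS5 CONNECT as sent with socks_remote_dns
                             true (hostname shipped to Tor) or false
                             (client resolves, ships an IP address)
  expected_connect_request() the ticket's expected behaviour: host table
                             first, remote DNS through Tor on a miss
"""
import ipaddress
import socket
import struct

# Constructed sample in /etc/hosts format (comments, blank lines,
# several names per line, both address families).
SAMPLE_HOSTS = """
# block a tracking domain: both IPv4 and IPv6, as the ticket notes
127.0.0.1   example.org          # IPv4
::1         example.org          # IPv6
0.0.0.0     ads.example.net tracker.example.net
10.0.0.5    intranet.corp intranet
"""


def parse_hosts(text):
    """Parse /etc/hosts text into {hostname: [address, ...]} in file order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line, as libc resolvers do
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(str(addr))
    return table


def resolve_local(hostname, table, dns_lookup=None):
    """'hosts: files dns': consult the host table, query DNS only on a miss.

    Returns (addresses, source). dns_lookup may be injected so the example
    runs offline; by default it is a real getaddrinfo() (outside Tor!).
    """
    addrs = table.get(hostname.lower())
    if addrs:
        return addrs, "files"
    if dns_lookup is None:
        dns_lookup = lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
    return dns_lookup(hostname), "dns"


def is_block_entry(addrs):
    """An administrator's block entry points every family at loopback/0.0.0.0."""
    return all(ipaddress.ip_address(a).is_loopback or ipaddress.ip_address(a).is_unspecified
               for a in addrs)


def _connect_header(atyp):
    # SOCKS5 request (RFC 1928 section 4): VER=5, CMD=1 (CONNECT), RSV=0, ATYP
    return struct.pack("!BBBB", 5, 1, 0, atyp)


def socks5_connect_request(hostname, port, remote_dns, table, dns_lookup=None):
    """Bytes a browser sends to Tor's SOCKS port for the given setting."""
    if remote_dns:
        # socks_remote_dns=true: ATYP 3 (domain name). The name is handed to
        # Tor unresolved, so the client-side resolver, and with it the host
        # table, is never consulted. This is the behaviour the ticket reports.
        name = hostname.encode("idna")
        return _connect_header(3) + bytes([len(name)]) + name + struct.pack("!H", port)
    # socks_remote_dns=false: the client resolves first (files, then DNS
    # outside Tor, which leaks) and sends ATYP 1 (IPv4) or 4 (IPv6).
    addrs, _source = resolve_local(hostname, table, dns_lookup)
    addr = ipaddress.ip_address(addrs[0])
    return _connect_header(1 if addr.version == 4 else 4) + addr.packed + struct.pack("!H", port)


def expected_connect_request(hostname, port, table):
    """What the ticket expects: honour the host table, otherwise remote DNS.

    A host-table hit yields an address-type request carrying the
    administrator's address (a block entry thus never reaches the real site);
    a miss yields a domain-type request so the lookup happens through Tor.
    """
    addrs = table.get(hostname.lower())
    if addrs:
        addr = ipaddress.ip_address(addrs[0])
        return _connect_header(1 if addr.version == 4 else 4) + addr.packed + struct.pack("!H", port)
    return socks5_connect_request(hostname, port, True, table)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    fake_dns = lambda h: ["93.184.216.34"]  # constructed answer, keeps the demo offline
    print("host table:", resolve_local("example.org", table, fake_dns))
    print("blocked?  ", is_block_entry(table["example.org"]))
    print("remote_dns=true :", socks5_connect_request("example.org", 443, True, table).hex())
    print("remote_dns=false:", socks5_connect_request("example.org", 443, False, table, fake_dns).hex())
    print("expected        :", expected_connect_request("example.org", 443, table).hex())
```

The bytes make the ticket's point visible: with remote DNS on, the request carries ATYP 0x03 and the raw name, so nothing on the client ever asks the local resolver, and the host table cannot take effect; with it off, the client resolves first (and, on a miss, leaks the query outside Tor). The behavior the ticket asks for is the third function: check the host table before deciding whether to send an address or a name, so that block entries still work while real lookups stay inside Tor.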
Conclusion
I agree that blocking a website by its hostname is not completely secure, as a website can own several hostnames. However, it is:
- a low-cost, high-benefit (partial) solution
- widely used by advanced users (just search for "hosts file" in your search engine)
- a protection against potentially severely malicious websites (containing malware or spyware)
- a configure-once-works-for-every-browser solution
Therefore, I choose a "Major" severity for this ticket.
Trac:
Username: lux+tor@troulite.fr