Tor issues
https://gitlab.torproject.org/tpo/core/tor/-/issues
Feed updated: 2023-02-07T10:19:20Z

Issue #21989: Should we tell Exits to reject all traffic if DNS fails?
https://gitlab.torproject.org/tpo/core/tor/-/issues/21989
Updated: 2023-02-07T10:19:20Z
Author: teor

Tor Exits with broken DNS still allow Exit traffic.
But this slows down initial connections for clients, because the Exit will refuse all DNS requests. (Clients no longer cache DNS.)
Perhaps we should make Exits refuse traffic until their DNS is working?
(Unless a non-default option is set?)
This would also fix legacy/trac#21900, where a broken DNS config really does stop all Exit traffic.

Issue #40203: Detect misbehaving OpenDNS resolvers
https://gitlab.torproject.org/tpo/core/tor/-/issues/40203
Updated: 2023-02-07T10:19:12Z
Author: Alexander Færøy (ahf@torproject.org)

The network health team is doing a lot of different scanning recently, and they have found a few exit nodes using the OpenDNS resolver to look up DNS requests for Tor clients.
OpenDNS is known for doing various naughty things to DNS responses, such as sending people to their advertisement pages and what not.
Tor already has a subsystem for detecting some of this (NX domain hijacking) and for seeing whether some known DNS lookups don't resolve properly (google, yahoo, and a few others).
@arma mentioned the following way of detecting this on IRC:
```
241120 22:45:14 + armadev: ADDRMAP b187399e2708155968a8375b83042767f69f21f0: share.riseup.net = 198.252.153.229
241120 22:45:14 + armadev: ADDRMAP dadcad37de5e22e7e1f323927260155eab3689c2: share.riseup.net = 146.112.61.108
241120 22:45:14 + armadev: ADDRMAP 2f64ea527c4aa6f99e261318dd1ff127828e2525: share.riseup.net = 198.252.153.229
241120 22:45:30 + armadev: $ host 146.112.61.108
241120 22:45:30 + armadev: 108.61.112.146.in-addr.arpa domain name pointer hit-phish.opendns.com.
```

Issue #12389: Should we warn when exit nodes are using opendns or google dns?
https://gitlab.torproject.org/tpo/core/tor/-/issues/12389
Updated: 2022-10-24T20:49:32Z
Author: Nick Mathewson

Somewhat related to discussion on legacy/trac#8093 -- people are still setting up exit nodes to use OpenDNS or Google DNS. Is that really a safe idea? That makes it distressingly easy for these DNS services (or anybody watching them) to get timing information on user DNS requests.
Furthermore, the default OpenDNS configuration blocks some stuff. If we don't warn about OpenDNS in general, maybe we should warn when configuring an OpenDNS server in a way that hasn't disabled blocking.

Issue #40248: DNSPort is broken on Alpine-Linux since 3.13
https://gitlab.torproject.org/tpo/core/tor/-/issues/40248
Updated: 2022-09-01T21:42:50Z
Author: fredzupy

Tor DNSPort is not sufficiently subtle.
---------------------------------------
1 - If a domain name has an 'A' record and no 'AAAA', DNSPort returns NXDomain for the 'AAAA' request and the IP for 'A'
2 - If a domain name has no 'A' record and an 'AAAA', DNSPort returns NXDomain for the 'A' request and the IPv6 for 'AAAA'
There is a semantic problem with this binary logic. The domain exists in both 1 and 2, but there is no record for one request. So instead of returning NXDomain, it should return NODATA/NOERROR.
According to RFC8020, if there is an NXDomain, there is no need to search further.
https://tools.ietf.org/html/rfc8020
That's what musl-libc does now.
In musl-libc, NXDomain acts as a short circuit:
musl-libc: https://git.musl-libc.org/cgit/musl/commit/src/network/lookup_name.c?id=5cf1ac2443ad0dba263559a3fe043d929e0e5c4c
« if nxdomain is seen it's assumed to apply to both queries since
that's how dns semantics work. »
This change in musl-libc makes DNSPort totally unusable on Alpine-Linux and every device linking with musl-libc and targeting DNSPort.
NXDomain should be reserved for non-existent domains.
---
dig using public resolver showing status: NOERROR
```
$ dig @8.8.8.8 amazon.com in AAAA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39934
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;amazon.com. IN AAAA
```
same dig using DNSPort resolver showing status: NXDOMAIN
```
$ dig @192.168.0.1 -p 1053 amazon.com in AAAA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20255
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;amazon.com. IN AAAA
```

Issue #23113: Manage DNS state better when "All nameservers have failed"
https://gitlab.torproject.org/tpo/core/tor/-/issues/23113
Updated: 2022-09-01T21:31:33Z
Author: teor

We should downgrade this warning when it only happens for a short period of time (or a small number of requests), or when it happens in response to a malformed request.
This warning is causing operators to make sub-optimal DNS server choices: for example, avoiding using a local cache in favour of remote resolvers.
Sometimes changing the local resolver makes a difference:
https://trac.torproject.org/projects/tor/ticket/1936#comment:12
Sometimes it happens in response to malformed requests:
https://trac.torproject.org/projects/tor/ticket/11600#comment:6
Sometimes it's harmless:
https://trac.torproject.org/projects/tor/ticket/11600#comment:7
Because it's followed by:
```
[notice] eventdns: Nameserver <ISP-resolver2>:53 is back up
```

Issue #33375: Stop advertising an IPv6 exit policy when DNS is broken for IPv6
https://gitlab.torproject.org/tpo/core/tor/-/issues/33375
Updated: 2022-02-28T19:41:05Z
Author: teor

When `dns_seems_to_be_broken_for_ipv6()`, exits should stop advertising an IPv6 exit policy.
Here's a rough design:
* when `dns_seems_to_be_broken_for_ipv6()` is first set to 1, mark the relay descriptor dirty
* when rebuilding the descriptor, check `dns_seems_to_be_broken_for_ipv6()` before including an IPv6 exit policy
* reset `dns_seems_to_be_broken_for_ipv6()` periodically, maybe every 1-3 days?

Issue #19853: ServerDNSAllowNonRFC953Hostnames affects clients, and AllowNonRFC953Hostnames affects servers
https://gitlab.torproject.org/tpo/core/tor/-/issues/19853
Updated: 2022-02-07T19:38:32Z
Author: teor

It looks like the code and man page entry for ServerDNSAllowNonRFC953Hostnames was copied straight from AllowNonRFC953Hostnames, which is the equivalent client option.
I think this is ok as-is, because even though both options affect both client and server, tor instances typically only run as clients or servers, not both.
However, the manual page entries could be updated to clarify that the options are synonyms, and affect both clients and exits.