GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Opened Jan 18, 2021 by fredzupy@fredzupy

DNSPort is broken on Alpine-Linux since 3.13

Tor DNSPort is not sufficiently subtle.

1 - If a domain name has an 'A' record and no 'AAAA', DNSPort returns NXDomain for the 'AAAA' request and the IP for 'A'

2 - If a domain name has no 'A' record and an 'AAAA', DNSPort returns NXDomain for the 'A' request and the IPv6 for 'AAAA'

There is a semantic problem with this binary logic. The domain exists in both 1 and 2, but there is no record for one request. So instead of returning NXDomain, it should return NODATA/NOERROR.

According to RFC8020, if there is an NXDomain, there is no need to search further. https://tools.ietf.org/html/rfc8020

That's what musl-libc does now.

In musl-libc, NXDomain acts as a short circuit: https://git.musl-libc.org/cgit/musl/commit/src/network/lookup_name.c?id=5cf1ac2443ad0dba263559a3fe043d929e0e5c4c

« if nxdomain is seen it's assumed to apply to both queries since that's how dns semantics work. »

This change in musl-libc makes DNSPort totally unusable on Alpine-Linux and on every device linking with musl-libc and targeting DNSPort.

NXDomain should be reserved for non-existent domains.


dig using public resolver showing status: NOERROR

$ dig @8.8.8.8 amazon.com in AAAA
;; Got answer:                      
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39934
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;amazon.com.                    IN      AAAA

same dig using DNSPort resolver showing status: NXDOMAIN

$ dig @192.168.0.1 -p 1053 amazon.com in AAAA       
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20255
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;amazon.com.                    IN      AAAA
Edited Jan 18, 2021 by fredzupy
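
The difference between the two dig results above, and its effect on a resolver that applies the quoted "nxdomain applies to both queries" rule, shown as an added Python example that is not part of the original report and is not code from Tor or musl. The helper names (`build_response`, `classify`, `dual_lookup`) are hypothetical, the packets are constructed 12-byte headers, and `dual_lookup` is a simplified model of that rule rather than musl's implementation.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def build_response(txid, rcode, answers):
    """Constructed 12-byte DNS header (RFC 1035 section 4.1.1), flags qr rd ra."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)

def classify(packet):
    """Return 'ANSWER', 'NODATA' or 'NXDOMAIN' from the header alone."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != RCODE_NOERROR:
        raise ValueError(f"unhandled rcode {rcode}")
    # NOERROR with an empty answer section is NODATA: the name exists,
    # but it has no record of the requested type.
    return "ANSWER" if ancount else "NODATA"

def dual_lookup(a_packet, aaaa_packet):
    """Simplified model of a stub resolver that sends A and AAAA together
    and treats NXDOMAIN on either reply as applying to the whole name."""
    results = {"A": classify(a_packet), "AAAA": classify(aaaa_packet)}
    if "NXDOMAIN" in results.values():
        return "name does not exist"
    families = [qtype for qtype, r in results.items() if r == "ANSWER"]
    return "resolved via " + "+".join(families) if families else "no addresses"

# Constructed replies for a name that has an A record but no AAAA record.
A_REPLY = build_response(0x1001, RCODE_NOERROR, answers=1)
AAAA_NODATA = build_response(0x1002, RCODE_NOERROR, answers=0)      # as the public resolver answers
AAAA_NXDOMAIN = build_response(0x1003, RCODE_NXDOMAIN, answers=0)   # as DNSPort answers in this report

if __name__ == "__main__":
    print("NODATA for AAAA  :", dual_lookup(A_REPLY, AAAA_NODATA))
    print("NXDOMAIN for AAAA:", dual_lookup(A_REPLY, AAAA_NXDOMAIN))
```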
Reference: tpo/core/tor#40248