Closed
Issue created Mar 08, 2008 by Roger Dingledine (@arma), Reporter

exit-policy-reject-star relays should refuse dns?

lodger points out that non-exit relays could reject dns and reverse dns attempts. (Currently clients try not to ask them any questions, but the relays don't enforce it. Non-exit relays might be surprised at the dns requests they are forced to do.) "also permit reverse resolve for private addresses, which could lead to leaks of names, in normal circumstances, only available locally."

Here's his patch:

--- dns.c Tue Feb 26 19:56:28 2008 +++ dns.c Sat Mar 8 12:11:34 2008 @@ -550,7 +550,12 @@ char *hostname = NULL; is_resolve = exitconn->_base.purpose == EXIT_PURPOSE_RESOLVE;

  • r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname);
  • routerinfo_t *me = router_get_my_routerinfo();
  • if (is_resolve && me &&
  •  policy_is_reject_star(me->exit_policy)) /* non-exit */
  • r = -1;
  • else
  • r = dns_resolve_impl(exitconn, is_resolve, oncirc, &hostname); switch (r) { case 1: /* We got an answer without a lookup -- either the answer was @@ -659,9 +664,12 @@ * .in-addr.arpa address but this isn't a resolve request, kill the * connection. */
  • if ((r = parse_inaddr_arpa_address(exitconn->_base.address, NULL)) != 0) {
  • if (r == 1)
  • if ((r = parse_inaddr_arpa_address(exitconn->_base.address, &in)) != 0) {

  • if (r == 1) { is_reverse = 1;

  •     if (is_internal_IP(ntohl(in.s_addr), 0)) /* internal address */
  •       return -1;
  • }

    if (!is_reverse || !is_resolve) { if (!is_reverse)
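Review bot: the `r = -1;` short-circuit in the first hunk (around line 550) returns before `dns_resolve_impl` runs, so anything that function does on its own failure path before returning -1 (in particular any error reply to the client) is skipped here; the `case -1:` branch of the `switch (r)` that follows is outside the hunk, so confirm it still sends the client an error RESOLVED reply and frees the connection, otherwise the client waits for an answer that never comes. Two smaller points: the guard is `is_resolve && me && policy_is_reject_star(...)`, so a BEGIN cell carrying a hostname rather than a RESOLVE cell still reaches `dns_resolve_impl` on a reject-star relay, which covers only part of what the issue title asks for, and a NULL `me` silently falls through to resolving; and `routerinfo_t *me = router_get_my_routerinfo();` is a declaration placed after the `is_resolve = ...;` statement, which a build with C89 rules rejects, so move it up next to `char *hostname = NULL;`.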
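Review bot: `in` is used in the second hunk (around line 659) as `&in` and `in.s_addr`, but no declaration of it (presumably `struct in_addr in;`) appears in the hunk; unless another part of the patch adds it, this will not compile, so include the declaration in the hunk. The new `return -1;` for an internal reverse address also leaves the function before any reply is built, so the same question as for the first hunk applies: check that the caller turns that -1 into an error reply and a closed connection. Finally, `/* internal address */` only restates the call; a comment giving the reason (the reporter's concern that reverse lookups of private addresses leak locally-meaningful names) would help the next reader understand why the request is refused rather than merely answered with an error.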

[Automatically added by flyspray2trac: Operating System: All]
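The two checks the patch adds (a reject-star relay refuses RESOLVE requests; any relay refuses reverse lookups of internal addresses) can be shown in isolation. The C below is an added example written for this page, not Tor's own code: the names `parse_inaddr_arpa`, `is_internal_ipv4` and `should_refuse_resolve`, the argument order, and the list of private ranges are assumptions of the example standing in for Tor's `parse_inaddr_arpa_address`, `is_internal_IP` and the exit-policy test.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Case-insensitive "does s end with suffix". */
static int has_suffix_ci(const char *s, const char *suffix)
{
  size_t ls = strlen(s), lf = strlen(suffix), i;
  if (ls < lf)
    return 0;
  for (i = 0; i < lf; i++)
    if (tolower((unsigned char)s[ls - lf + i]) !=
        tolower((unsigned char)suffix[i]))
      return 0;
  return 1;
}

/* Parse "d.c.b.a.in-addr.arpa" into the host-order IPv4 address a.b.c.d.
 * Returns 1 on success, 0 if name is not an in-addr.arpa name at all,
 * -1 if it is one but malformed (the caller should refuse it).
 * Hypothetical stand-in for Tor's parse_inaddr_arpa_address(). */
int parse_inaddr_arpa(const char *name, uint32_t *addr_out)
{
  static const char suffix[] = ".in-addr.arpa";
  const char *p, *end_of_prefix;
  unsigned octets[4];
  int n = 0;

  if (!has_suffix_ci(name, suffix))
    return 0;
  /* end_of_prefix points at the '.' just before "in-addr.arpa". */
  end_of_prefix = name + strlen(name) - (sizeof(suffix) - 1);
  p = name;
  while (p < end_of_prefix) {
    char *end;
    unsigned long v;
    if (n == 4 || !isdigit((unsigned char)*p))
      return -1;                       /* too many labels or non-numeric */
    v = strtoul(p, &end, 10);
    if (v > 255 || *end != '.')
      return -1;                       /* octet out of range or junk */
    octets[n++] = (unsigned)v;
    p = end + 1;
    if (end == end_of_prefix)
      break;
  }
  if (n != 4 || p != end_of_prefix + 1)
    return -1;                         /* too few labels or empty label */
  /* Labels are reversed: "4.3.2.1.in-addr.arpa" is 1.2.3.4. */
  *addr_out = ((uint32_t)octets[3] << 24) | ((uint32_t)octets[2] << 16) |
              ((uint32_t)octets[1] << 8) | (uint32_t)octets[0];
  return 1;
}

/* Ranges whose reverse records only mean something on a local network
 * (assumed list; stand-in for Tor's is_internal_IP()). */
int is_internal_ipv4(uint32_t a)
{
  return (a >> 24) == 10 ||       /* 10.0.0.0/8      */
         (a >> 24) == 127 ||      /* 127.0.0.0/8     */
         (a >> 24) == 0 ||        /* 0.0.0.0/8       */
         (a >> 20) == 0xAC1 ||    /* 172.16.0.0/12   */
         (a >> 16) == 0xC0A8 ||   /* 192.168.0.0/16  */
         (a >> 16) == 0xA9FE;     /* 169.254.0.0/16  */
}

/* Returns 1 if the relay should refuse to perform the lookup, 0 otherwise.
 * A reject-star (non-exit) relay refuses every RESOLVE request; every relay
 * refuses reverse lookups of internal addresses and malformed reverse names. */
int should_refuse_resolve(int is_resolve, int reject_star_policy,
                          const char *address)
{
  uint32_t a;
  int r;
  if (is_resolve && reject_star_policy)
    return 1;
  r = parse_inaddr_arpa(address, &a);
  if (r == -1)
    return 1;
  if (r == 1 && is_internal_ipv4(a))
    return 1;
  return 0;
}

int main(void)
{
  /* Constructed sample names, not taken from any real relay. */
  const char *names[] = { "8.8.8.8.in-addr.arpa", "1.1.168.192.in-addr.arpa",
                          "www.example.com" };
  size_t i;
  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
    printf("%-26s non-exit RESOLVE: %s   exit RESOLVE: %s\n", names[i],
           should_refuse_resolve(1, 1, names[i]) ? "refuse" : "answer",
           should_refuse_resolve(1, 0, names[i]) ? "refuse" : "answer");
  return 0;
}
```

The decision is made from the name alone, before any lookup is issued, which is the property the patch is after: a relay that should not be resolving never contacts its resolver, and a reverse lookup for a private address is rejected even on a full exit.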
