Should dnscrypt use socks4a to connect to Tor proxy?

[syphyr]

Tor now shows a warning each time dnscrypt-proxy resolves a DNS address:

Tor[31932]: Your application (using socks5 to port 443) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider using Socks4A (e.g. via privoxy or socat) instead. For more information, please see https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks. [1 similar message(s) suppressed in last 300 seconds]

We are currently using this in dnscrypt-proxy's toml:
proxy = 'socks5://dnscrypt:dnscrypt@127.0.0.1:9050'

Should it be changed to use socks4a instead?

[daveshenal]

Not necessarily... Tor emits this warning whenever it receives an IP address rather than a hostname over the SOCKS connection. SOCKS5 already supports remote hostname resolution, so switching to SOCKS4a isn't automatically the fix.

Whether it's a real leak depends on how dnscrypt-proxy got the resolver address in the first place. DNS stamps can embed the resolver's IP directly (the addr field). If that's the case for your configured servers, dnscrypt proxy hands Tor an IP it already had, not one it resolved locally, and the warning is benign. If a server is instead configured via hostname (or a stamp with an empty addr, which requires resolving the hostname separately), then yes, that resolution is happening before the SOCKS connection, and the warning is flagging something real.
So check whether the resolvers in your server_names use stamps with an IP in addr, or rely on a hostname lookup. That tells you which case you are in

[syphyr]

I'm using this for server_names (basically the default):
server_names = ['scaleway-fr', 'google', 'yandex', 'cloudflare', 'onion-cloudflare']

This is the recent change that makes this warning displayed each time dnscrypt-proxy resolved an address (which now floods the syslog):
https://gitlab.com/torproject/tor/-/commit/82fd1618e3dac883cf22b632abb046efa91c0fa9

[syphyr]

It looks like they are all using stamps when looking at public-resolvers.md

[daveshenal]

That explains it. Those server_names are the default public resolvers from dnscrypt-proxy, and they use DNS stamps that include the resolver address (addr) directly.

So in this case dnscrypt-proxy is not doing a dns lookup to find those resolver IPs and then sending the result to Tor. It already has the IP from the stamp and is asking Tor to connect to that IP. The Tor warning is therefore the "application gave me an IP instead of a hostname" warning, not evidence of a DNS leak.

Changing socks5://... to socks4a://... would not change this behavior, because the issue is not the SOCKS version.. it is that there is no hostname being sent for Tor to resolve.

The syslog flooding also likely related to the Tor logging change you linked, rather than a change in dnscrypt-proxy behavior. The underlying connection pattern is the same, Tor is just reporting it more frequently now.

[syphyr]

Since this is not a legitimate leak, I just changed Tor to only show this log message in debug mode.

diff --git a/src/core/proto/proto_socks.c b/src/core/proto/proto_socks.c
index 08c1793456..0e230adbcd 100644
--- a/src/core/proto/proto_socks.c
+++ b/src/core/proto/proto_socks.c
@@ -65,7 +65,7 @@ log_unsafe_socks_warning(int socks_protocol, const char *address,
   /* note the subtle "||" here: either warn every time, or else
    * warn in a rate-limited way otherwise. */
   if (warn_every_time || (m = rate_limit_log(&socks_ratelim, approx_time()))) {
-    log_warn(LD_APP,
+    log_debug(LD_APP,
              "Your application (using socks%d to port %d) is giving "
              "Tor only an IP address. Applications that do DNS resolves "
              "themselves may leak information. Consider using Socks4A "

[krotname]

For the dnscrypt-proxy config specifically, I would not change that line to socks4a.

The sample config documents Tor via SOCKS5:

proxy = 'socks5://dnscrypt:dnscrypt@127.0.0.1:9050'

and the current code parses proxy with golang.org/x/net/proxy.FromURL, whose built-in schemes are socks5 and socks5h, not socks4a. So proxy = 'socks4a://...' is likely to fail unless dnscrypt-proxy adds a custom dialer for it.

The Tor warning is about the endpoint dnscrypt-proxy asks Tor to connect to. In the normal TCP path dnscrypt-proxy dials the resolver address it already has, so Tor sees an IP endpoint. That is not the same thing as leaking the DNS query names; those are still inside the encrypted DNSCrypt/DoH connection.

If the goal is to avoid direct resolver visibility, I would use dnscrypt-proxy's anonymized DNS relay routing instead of trying to switch the SOCKS version. Also keep force_tcp = true when routing through Tor, as the sample config notes.