
Drop DNS request for ".onion" special-use domain name #196

Closed
MarkTiedemann opened this issue May 21, 2018 · 3 comments

Comments

@MarkTiedemann

See: https://tools.ietf.org/html/rfc7686

Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN.

A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. This issue is mitigated if the client's software is updated to not leak such queries or updated to support [tor-rendezvous], or if the client's DNS software is updated to drop any request to the .onion special-use domain name.
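As an added example (not c-ares code, and not the patch later merged as #228), the check below shows the RFC 7686 behaviour the issue asks a resolver library for: any name whose final label is "onion" is answered NXDOMAIN locally instead of being sent to a DNS server. The `resolve_status` values and function names are constructed for this example.

```c
/* Added example: refuse to forward .onion names to DNS (RFC 7686). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes for this example; not c-ares's ARES_* codes. */
enum resolve_status { FORWARD_TO_DNS = 0, ANSWER_NXDOMAIN = 1 };

/* Return 1 when the last label of `name` is "onion" (case-insensitive).
 * Accepts an optional trailing root dot ("example.onion.") and the bare
 * TLD itself, and rejects names such as "my-onion.example" or
 * "onion.example.com", where "onion" is not the final label. */
int is_onion_name(const char *name)
{
    static const char tld[] = "onion";
    const size_t tld_len = sizeof(tld) - 1;
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len > 0 && name[len - 1] == '.')  /* fully qualified form */
        len--;
    if (len < tld_len)
        return 0;
    /* Label boundary: "onion" must be the whole name or follow a dot. */
    if (len > tld_len && name[len - tld_len - 1] != '.')
        return 0;
    for (i = 0; i < tld_len; i++)
        if (tolower((unsigned char)name[len - tld_len + i]) != tld[i])
            return 0;
    return 1;
}

/* Resolver front door: .onion is answered NXDOMAIN before any packet
 * leaves the host, so the query never reaches a recursive resolver. */
enum resolve_status route_query(const char *name)
{
    return is_onion_name(name) ? ANSWER_NXDOMAIN : FORWARD_TO_DNS;
}

int main(void)
{
    const char *samples[] = { "example.onion", "EXAMPLE.Onion.", "onion",
                              "onion.example.com", "my-onion.example" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               route_query(samples[i]) == ANSWER_NXDOMAIN ? "NXDOMAIN (dropped locally)"
                                                          : "forward to DNS");
    return 0;
}
```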

@bradh352
Member

Seems like a reasonable request; if you happen to have a patch, we'll review it. Otherwise it may take a little time for a developer to make this change.

@MarkTiedemann
Author

@bradh352 I have no patch yet, as well as no experience in writing C++, but I might give it a shot.

bradh352 pushed a commit that referenced this issue Oct 23, 2018
Quoting RFC 7686:

    Name Resolution APIs and Libraries (...) MUST either respond
    to requests for .onion names by resolving them according to
    [tor-rendezvous] or by responding with NXDOMAIN.

    A legacy client may inadvertently attempt to resolve a .onion
    name through the DNS. This causes a disclosure that the client
    is attempting to use Tor to reach a specific service. Malicious
    resolvers could be engineered to capture and record such leaks,
    which might have very adverse consequences for the well-being
    of the user.

Bug: #196
Fix By: Ben Noordhuis @bnoordhuis
@bradh352
Member

fixed per #228

DronRathore pushed a commit to DronRathore/c-ares that referenced this issue Mar 11, 2020
…#228)
