
Drop DNS request for ".onion" special-use domain name #196

Closed
MarkTiedemann opened this issue May 21, 2018 · 3 comments

Comments

MarkTiedemann commented May 21, 2018

See: https://tools.ietf.org/html/rfc7686

Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN.

A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. This issue is mitigated if the client's software is updated to not leak such queries or updated to support [tor-rendezvous], or if the client's DNS software is updated to drop any request to the .onion special-use domain name.
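One way a resolver library can satisfy the RFC requirement quoted above, as an added example that is not c-ares code: a C check that classifies a name as belonging to the ".onion" special-use domain (case-insensitively, with or without a trailing dot) and short-circuits the lookup with an NXDOMAIN-style status before any query leaves the host. The status constants, `is_onion_name` and `pre_query_check` are assumptions made for this example, not c-ares APIs; the sample names are constructed.

```c
/* Added example (not c-ares code): classify a hostname as belonging to the
 * RFC 7686 ".onion" special-use domain so a resolver can answer NXDOMAIN
 * locally instead of leaking the query to the configured nameservers. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical status codes for this example, modelled on the shape of
 * c-ares status codes but not taken from its headers. */
enum { EX_OK = 0, EX_NXDOMAIN = 1 };

/* Return 1 if `name` is exactly "onion" or its last label is "onion",
 * ignoring case and a single trailing dot (the fully-qualified form).
 * Names such as "myonion" or "onion.example.com" are not onion names. */
int is_onion_name(const char *name)
{
    const char *suffix = "onion";
    const size_t slen = 5;
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    /* Accept "example.onion." by dropping one trailing dot. */
    if (len > 0 && name[len - 1] == '.')
        len--;
    if (len < slen)
        return 0;
    /* Compare the final label case-insensitively against "onion". */
    for (i = 0; i < slen; i++) {
        if (tolower((unsigned char)name[len - slen + i]) != suffix[i])
            return 0;
    }
    /* Either the whole name is "onion", or "onion" must be a full label,
     * i.e. preceded by a label separator. */
    if (len == slen)
        return 1;
    return name[len - slen - 1] == '.';
}

/* Hypothetical pre-query hook: decide whether a lookup may be sent to the
 * nameservers. Returns EX_NXDOMAIN for .onion names without touching the
 * network, which is the behaviour RFC 7686 requires of a library that does
 * not implement tor-rendezvous itself. */
int pre_query_check(const char *name)
{
    if (is_onion_name(name))
        return EX_NXDOMAIN;
    return EX_OK;
}

int main(void)
{
    /* Constructed sample names covering the common edge cases. */
    const char *samples[] = {
        "example.onion", "EXAMPLE.ONION.", "onion", "myonion",
        "onion.example.com", "example.onion.example.net", "example.com"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-28s -> %s\n", samples[i],
               pre_query_check(samples[i]) == EX_NXDOMAIN
                   ? "NXDOMAIN (not sent)" : "forward to DNS");
    }
    return 0;
}
```

The check runs on the final label only, so a name that merely contains "onion" in a middle label is still forwarded; only names whose rightmost label is "onion" are answered locally, matching the RFC's definition of the special-use domain.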

bradh352 (Member) commented Jun 23, 2018

Seems like a reasonable request, if you happen to have a patch, we'll review it. Otherwise it may take a little time for a developer to make this change.

MarkTiedemann (Author) commented Jun 26, 2018

@bradh352 I have no patch yet, as well as no experience in writing C++, but I might give it a shot.

bnoordhuis added a commit to bnoordhuis/c-ares that referenced this issue Oct 22, 2018
Quoting RFC 7686:

    Name Resolution APIs and Libraries (...) MUST either respond
    to requests for .onion names by resolving them according to
    [tor-rendezvous] or by responding with NXDOMAIN.

    A legacy client may inadvertently attempt to resolve a .onion
    name through the DNS. This causes a disclosure that the client
    is attempting to use Tor to reach a specific service. Malicious
    resolvers could be engineered to capture and record such leaks,
    which might have very adverse consequences for the well-being
    of the user.

Bug: c-ares#196
bradh352 added a commit that referenced this issue Oct 23, 2018
Quoting RFC 7686:

    Name Resolution APIs and Libraries (...) MUST either respond
    to requests for .onion names by resolving them according to
    [tor-rendezvous] or by responding with NXDOMAIN.

    A legacy client may inadvertently attempt to resolve a .onion
    name through the DNS. This causes a disclosure that the client
    is attempting to use Tor to reach a specific service. Malicious
    resolvers could be engineered to capture and record such leaks,
    which might have very adverse consequences for the well-being
    of the user.

Bug: #196
Fix By: Ben Noordhuis @bnoordhuis
bradh352 (Member) commented Oct 23, 2018

fixed per #228

bradh352 closed this Oct 23, 2018
DronRathore added a commit to DronRathore/c-ares that referenced this issue Mar 11, 2020
…#228)