
Drop DNS request for ".onion" special-use domain name #196

Closed
MarkTiedemann opened this Issue May 21, 2018 · 3 comments


MarkTiedemann commented May 21, 2018

See: https://tools.ietf.org/html/rfc7686

Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN.

A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. This issue is mitigated if the client's software is updated to not leak such queries or updated to support [tor-rendezvous], or if the client's DNS software is updated to drop any request to the .onion special-use domain name.
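The RFC text quoted above leaves the actual suffix test to the resolver library. The following is an added example, not c-ares code and not from the issue author: a small C helper in the style a resolver library could use to decide whether a query name falls under the .onion special-use domain (and so must be answered locally as NXDOMAIN rather than sent to an upstream resolver). It handles the edge cases a practitioner would check: case-insensitive matching per DNS rules, an optional trailing root dot ("foo.onion."), the bare name "onion", and non-matches such as "notonion" or "onion.example.com". The function name `is_onion_name` and the sample names are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the c-ares API): returns 1 if `name` is the
 * .onion special-use domain itself or any name beneath it, else 0.
 *
 * Rules applied:
 *   - comparison is case-insensitive (DNS names are);
 *   - a single trailing root dot is ignored ("example.onion." matches);
 *   - "onion" must be a whole label: "notonion" and "onion.com" do not match;
 *   - NULL and empty names never match.
 */
int is_onion_name(const char *name)
{
    static const char suffix[] = "onion";
    const size_t sfx_len = sizeof(suffix) - 1; /* 5 */
    size_t len, i;
    const char *tail;

    if (name == NULL)
        return 0;

    len = strlen(name);

    /* Drop one trailing root dot, as in "foo.onion." */
    if (len > 0 && name[len - 1] == '.')
        len--;

    if (len < sfx_len)
        return 0;

    /* Compare the last five characters with "onion", ignoring case. */
    tail = name + len - sfx_len;
    for (i = 0; i < sfx_len; i++) {
        if (tolower((unsigned char)tail[i]) != suffix[i])
            return 0;
    }

    /* Either the bare name "onion" or "onion" preceded by a label separator. */
    return (len == sfx_len) || (name[len - sfx_len - 1] == '.');
}

/* Stand-alone demonstration over constructed sample names. */
int main(void)
{
    const char *samples[] = {
        "example.onion", "EXAMPLE.ONION.", "onion", "a.b.ONION",
        "notonion", "onion.example.com", "example.com", "",
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);
    size_t i;

    for (i = 0; i < n; i++) {
        printf("%-20s -> %s\n", samples[i],
               is_onion_name(samples[i]) ? "answer NXDOMAIN locally"
                                         : "send to resolver");
    }
    return 0;
}
```

A resolver would call a check like this on the name as the application supplied it, before any search-domain suffixes are appended, so that a query for "foo.onion" is refused outright instead of leaking as "foo.onion.corp.example" to an upstream server.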

@bradh352


Member

bradh352 commented Jun 23, 2018

Seems like a reasonable request; if you happen to have a patch, we'll review it. Otherwise it may take a little time for a developer to make this change.

@MarkTiedemann


MarkTiedemann commented Jun 26, 2018

@bradh352 I have no patch yet, as well as no experience in writing C++, but I might give it a shot.

bnoordhuis added a commit to bnoordhuis/c-ares that referenced this issue Oct 22, 2018

Report ARES_ENOTFOUND for .onion domain names.
Quoting RFC 7686:

    Name Resolution APIs and Libraries (...) MUST either respond
    to requests for .onion names by resolving them according to
    [tor-rendezvous] or by responding with NXDOMAIN.

    A legacy client may inadvertently attempt to resolve a .onion
    name through the DNS. This causes a disclosure that the client
    is attempting to use Tor to reach a specific service. Malicious
    resolvers could be engineered to capture and record such leaks,
    which might have very adverse consequences for the well-being
    of the user.

Bug: c-ares#196

bradh352 added a commit that referenced this issue Oct 23, 2018

Report ARES_ENOTFOUND for .onion domain names as per RFC7686. (#228)
Quoting RFC 7686:

    Name Resolution APIs and Libraries (...) MUST either respond
    to requests for .onion names by resolving them according to
    [tor-rendezvous] or by responding with NXDOMAIN.

    A legacy client may inadvertently attempt to resolve a .onion
    name through the DNS. This causes a disclosure that the client
    is attempting to use Tor to reach a specific service. Malicious
    resolvers could be engineered to capture and record such leaks,
    which might have very adverse consequences for the well-being
    of the user.

Bug: #196
Fix By: Ben Noordhuis @bnoordhuis
@bradh352


Member

bradh352 commented Oct 23, 2018

fixed per #228

@bradh352 bradh352 closed this Oct 23, 2018
