Drop DNS request for ".onion" special-use domain name #196

MarkTiedemann · 2018-05-21T22:33:41Z

See: https://tools.ietf.org/html/rfc7686

Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN.

A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. This issue is mitigated if the client's software is updated to not leak such queries or updated to support [tor-rendezvous], or if the client's DNS software is updated to drop any request to the .onion special-use domain name.

bradh352 · 2018-06-23T23:02:42Z

Seems like a reasonable request, if you happen to have a patch, we'll review it. Otherwise it may take a little time for a developer to make this change.

MarkTiedemann · 2018-06-26T17:56:06Z

@bradh352 I have no patch yet, as well as no experience in writing C++, but I might give it a shot.

Quoting RFC 7686: Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN. A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. Bug: c-ares#196

@bnoordhuis

Quoting RFC 7686: Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN. A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. Bug: #196 Fix By: Ben Noordhuis @bnoordhuis

bradh352 · 2018-10-23T13:48:17Z

fixed per #228

@bnoordhuis

…#228) Quoting RFC 7686: Name Resolution APIs and Libraries (...) MUST either respond to requests for .onion names by resolving them according to [tor-rendezvous] or by responding with NXDOMAIN. A legacy client may inadvertently attempt to resolve a .onion name through the DNS. This causes a disclosure that the client is attempting to use Tor to reach a specific service. Malicious resolvers could be engineered to capture and record such leaks, which might have very adverse consequences for the well-being of the user. Bug: c-ares#196 Fix By: Ben Noordhuis @bnoordhuis

bnoordhuis mentioned this issue Oct 22, 2018

Report ARES_ENOTFOUND for .onion domain names. #228

Merged

bradh352 closed this Oct 23, 2018

c-ares / c-ares

Drop DNS request for ".onion" special-use domain name #196

Drop DNS request for ".onion" special-use domain name #196

MarkTiedemann commented May 21, 2018

bradh352 commented Jun 23, 2018

MarkTiedemann commented Jun 26, 2018

bradh352 commented Oct 23, 2018

c-ares / c-ares

Drop DNS request for ".onion" special-use domain name #196

Drop DNS request for ".onion" special-use domain name #196

Comments

MarkTiedemann commented May 21, 2018

bradh352 commented Jun 23, 2018

MarkTiedemann commented Jun 26, 2018

bradh352 commented Oct 23, 2018