Curl leaks .onion hostnames in DNS #543
Comments
|
It looks like you are referring specifically to section 2.2 from RFC7686. SHOULD NOT, so it's not a requirement but it's recommended. If any application that does not implement the Tor protocol does not perform .onion DNS lookups then wouldn't there be a break in the usage of Tor's transparent proxy mode? |
|
SHOULD NOT is still a requirement; please have a read of RFC2119. |
|
I find it peculiar that a new standard imposes restrictions on existing implementations that never claimed nor intended to support RFC7686. Tor users who're using curl are probably quite used to use the necessary SOCKS proxy anyway since curl doesn't support the Tor protocol natively, and when using the correct SOCKS type curl will not attempt to resolve the host name locally but will instead pass it on to the proxy. I wouldn't mind adding support for RFC7686 in the sense that we can offer blocking of ".onion" names - probably even by default, but I don't think we should do it unconditionally since:
|
|
Given the list of things @bagder just mentioned, shouldn't this bug actually be opened against the resolver? The resolver knows whether or not it's going to emit a DNS packet, and that's the point at which this lookup should fail. I don't see why this is curl's problem at all. |
|
That's my gut reaction too, but the RFC clearly spells out "Application Software" separate from "Name Resolution APIs and Libraries" in section 2. |
|
Hmm. In that case, perhaps we should propose an erratum to the RFC? Because the number of applications using DNS has got to be in the millions, while the number of actual resolvers being used is far fewer. Seems like it's got to be easier to fix it both in the right place and in the place with fewer implementations, right? |
|
The big camel in the tent is the ugly search path issue in resolvers. We should have killed that feature in the DNS resolution algorithm tens of years ago.
Patrik
|
|
Wouldn't this break |
Seems like semantics; if you are referring to it as a requirement level then by that measure they're all requirements. I meant it's not "REQUIRED" as in "SHOULD NOT" == "NOT RECOMMENDED". |
|
".onion"-ignoring is being implemented for Firefox in bug 1228457 |
|
This is docs for Firefox's handling of this: https://developer.mozilla.org/en-US/Firefox/Releases/46#Networking |
|
Isn't this fixed by using the --dns-server and --socks5 flags with curl? Compile curl with those options and point --dns-server at your Tor DNSPort (configure this in torrc file). |
DNS requests over such domains are not recommended, currently it is possible to find out which onion domain the user requested if he didn't used a proxy. Fixes curl#543
DNS requests over such domains are not recommended, currently it is possible to find out which onion domain the user requested if he didn't used a proxy. Fixes curl#543
DNS requests over such domains are not recommended, currently it is possible to find out which onion domain the user requested if he didn't used a proxy. Fixes curl#543
RFC 7686 states that: > Applications that do not implement the Tor > protocol SHOULD generate an error upon the use of .onion and > SHOULD NOT perform a DNS lookup. Let's do that. https://www.rfc-editor.org/rfc/rfc7686#section-2 Add test 1471 and 1472 to verify Fixes #543 Closes #10705
Curl sends DNS requests for hostnames with a .onion TLD. This leaks information about what the user is attempting to access, and violates this requirement of RFC7686:
"Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup."
I'd suggest a configuration flag for "look up .onion addresses" that defaults to "false", with an accompanying error message. You could tie it into SOCKS configuration, etc. but that's probably overkill for now.
The text was updated successfully, but these errors were encountered: