Date: Fri, 27 Jun 2014 13:28:23 +0100
From: Mike Cardwell <tor@lists.grepular.com>
To: tor-talk@lists.torproject.org
Message-ID: <20140627122823.GA24344@glue.grepular.com>
References: <1403807918.66732.YahooMailNeo@web122404.mail.ne1.yahoo.com>
 <CCD34AB1-E857-4144-95CE-E2145CF4C9E5@cl.cam.ac.uk>
In-Reply-To: <CCD34AB1-E857-4144-95CE-E2145CF4C9E5@cl.cam.ac.uk>
Subject: Re: [tor-talk] How does DNS work with .onion addresses?
* on the Fri, Jun 27, 2014 at 12:48:27PM +0100, Steven Murdoch wrote:

>> I know that when the TBB connects to a 'normal' .com or .org or
>> whatever address then the DNS resolution is done by the exit node.
>> There is no need anymore (not for several years now) for the client
>> to set-up DNS manually (as used to be the case with Polipo
>> or Privoxy).
>>
>> However, how does DNS work for .onion?  I assume that each exit node
>> understands how to route traffic for all .onion addresses? How does
>> it know how to direct the client request?
>
> For .onion addresses, DNS is not used. Your Tor client receives a
> SOCKS connect request for a .onion address and recognises it as a
> hidden service request. Your Tor client then performs the
> hidden-service rendezvous procedure, including looking up the current
> introduction point in the hidden service distributed hash table (as
> your traffic never leaves the Tor network, there's no exit
> node involved).

There is an exception to this rule. If you use DNSPort + TransPort +
VirtualAddrNetwork + AutomapHostsOnResolve, Tor provides a DNS resolver.
And if you perform an A/AAAA record lookup for a .onion domain against
that DNS resolver, then it will pick a unique IP address from a pool you
specified (10.0.0.0/8 or similar) and return that. It will then remember
the Onion->IP mapping. It is then your job to intercept connections to
those IPs on your router and forward them to the host/port specified in
TransPort. Tor will see those connections and figure out the hidden
service you're trying to connect to by reversing the Onion->IP mapping
that it provided earlier during the DNS lookup.

This is why any device on my LAN can talk to hidden services, without
having to install Tor on each of them, albeit less securely than if
they all had Tor installed locally of course.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
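The flow Mike describes (a .onion lookup against Tor's DNSPort gets a virtual address from the VirtualAddrNetwork range, the Onion->IP mapping is remembered, and a connection later intercepted and sent to TransPort is reversed through that mapping) can be modelled in a few dozen lines. The following is an added, constructed illustration of that mechanism written for this archive; it is not Tor's code, and the port numbers, the 10.192.0.0/10 range and the sample onion names are assumptions chosen for the example. It also shows the two failure cases a transparent-proxy setup has to handle: a virtual address that was never handed out (for instance a client that cached the DNS answer across a restart of the resolver, since the mapping lives only in memory) and an exhausted address range.

```python
"""Model of the DNSPort/TransPort automap flow (constructed illustration, not Tor's code).

The torrc it corresponds to would be, with values assumed for this example:

    DNSPort 5353
    TransPort 9040
    VirtualAddrNetwork 10.192.0.0/10
    AutomapHostsOnResolve 1

plus a router rule sending TCP traffic for 10.192.0.0/10 to port 9040 and
UDP/53 to port 5353 (an iptables REDIRECT in the nat table, for example).
"""
import ipaddress


class AutomapResolver:
    """Hands out virtual addresses for .onion lookups and reverses them later."""

    def __init__(self, virtual_net="10.192.0.0/10", suffixes=(".onion",)):
        self.pool = ipaddress.ip_network(virtual_net)
        self._free = self.pool.hosts()      # sequential here; Tor picks from the range
        self.suffixes = suffixes            # Tor's default AutomapHostsSuffixes is ".exit,.onion"
        self.onion_to_ip = {}
        self.ip_to_onion = {}               # in memory only: lost when the resolver restarts

    def resolve(self, name):
        """DNSPort side. Returns a virtual address for automapped names,
        or None when the name should be resolved normally (via an exit)."""
        name = name.lower().rstrip(".")
        if not name.endswith(self.suffixes):
            return None
        if name in self.onion_to_ip:
            return self.onion_to_ip[name]    # repeated lookups get the same answer
        try:
            ip = next(self._free)
        except StopIteration:
            raise RuntimeError("VirtualAddrNetwork exhausted; enlarge the range")
        self.onion_to_ip[name] = ip
        self.ip_to_onion[ip] = name
        return ip

    def target_for(self, dst_ip, dst_port):
        """TransPort side. An intercepted connection to a virtual address is
        mapped back to the onion name that address was handed out for."""
        ip = ipaddress.ip_address(dst_ip)
        if ip not in self.pool:
            return None                      # ordinary traffic, not an automapped destination
        name = self.ip_to_onion.get(ip)
        if name is None:
            raise LookupError(f"{ip} is in the virtual range but was never handed out "
                              "(stale client cache or resolver restarted)")
        return (name, dst_port)


def demo():
    """Walk one LAN client through lookup, connection, and the failure case."""
    tor = AutomapResolver()
    # constructed sample names, not real services
    ip1 = tor.resolve("abcdefghijklmnop.onion")
    ip2 = tor.resolve("abcdefghijklmnop.onion")     # second lookup, same address
    ip3 = tor.resolve("qrstuvwxyz234567.onion")
    plain = tor.resolve("example.com")              # not automapped
    target = tor.target_for(str(ip1), 80)           # intercepted SYN to the virtual address
    try:
        tor.target_for("10.192.0.200", 443)         # in range, but never resolved
        stale = False
    except LookupError:
        stale = True
    return {"ip1": str(ip1), "same": ip1 == ip2, "ip3": str(ip3),
            "plain": plain, "target": target, "stale_refused": stale,
            "lan": tor.target_for("192.168.1.10", 22)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model refuses a connection to a virtual address it has no record of rather than guessing, which is the behaviour a transparent proxy wants: the virtual range carries no meaning outside the instance that allocated it, so nothing in the range should be forwarded without a matching entry.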
