From: Bobby Brewster <bobbybrewster203@yahoo.com>
To: "tor-talk@lists.torproject.org" <tor-talk@lists.torproject.org>
Date: Sat, 28 Jun 2014 11:35:15 -0700
Subject: Re: [tor-talk] How does DNS work with .onion addresses?
Message-ID: <1403980515.3174.YahooMailNeo@web122401.mail.ne1.yahoo.com>
In-Reply-To: <20140627122823.GA24344@glue.grepular.com>
References: <1403807918.66732.YahooMailNeo@web122404.mail.ne1.yahoo.com>
 <CCD34AB1-E857-4144-95CE-E2145CF4C9E5@cl.cam.ac.uk>
 <20140627122823.GA24344@glue.grepular.com>

Thank you for your informative response.


>>> For .onion addresses, DNS is not used. Your Tor client receives a SOCKS
>>> connect request for a .onion address and recognises it as a hidden
>>> service request. Your Tor client then performs the hidden-service
>>> rendezvous procedure, including looking up the current introduction
>>> point in the hidden service distributed hash table (as your traffic
>>> never leaves the Tor network, there's no exit node involved).


I should have read the Tor Project documentation about hidden services first.

I take your point: the client requests the .onion address, goes to the
distributed hash table in the directory server, learns where the introduction
nodes are for that .onion address, and sets up a rendezvous point. Hence, as
you point out, all is done within the Tor network and hence there is no need
for DNS resolution.


> Is it possible for DNS to leak with .onion?

>>> There are people who survey DNS, and they report that there are quite a lot
>>> of requests for .onion. Some of these are people clicking on .onion
>>> links without Tor, but some could be the result of DNS leaks.

I would hope that if one is using the TBB then such leakage would not occur.



On Friday, June 27, 2014 2:12 PM, Mike Cardwell <tor@lists.grepular.com> wrote:


* on the Fri, Jun 27, 2014 at 12:48:27PM +0100, Steven Murdoch wrote:


>> I know that when the TBB connects to a 'normal' .com or .org or
>> whatever address then the DNS resolution is done by the exit node.
>> There is no need anymore (not for several years now) for the client
>> to set-up DNS manually (as used to be the case with Polipo
>> or Privoxy).
>>
>> However, how does DNS work for .onion? I assume that each exit node
>> understands how to route traffic for all .onion addresses? How does
>> it know how to direct the client request?
>
> For .onion addresses, DNS is not used. Your Tor client receives a
> SOCKS connect request for a .onion address and recognises it as a
> hidden service request. Your Tor client then performs the
> hidden-service rendezvous procedure, including looking up the current
> introduction point in the hidden service distributed hash table (as
> your traffic never leaves the Tor network, there's no exit
> node involved).

There is an exception to this rule. If you use DNSPort + TransPort +
VirtualAddrNetwork + AutomapHostsOnResolve, Tor provides a DNS resolver.
And if you perform an A/AAAA record lookup for a .onion domain against
that DNS resolver, then it will pick a unique IP address from a pool you
specified (10.0.0.0/8 or similar) and return that. It will then remember
the Onion->IP mapping. It is then your job to intercept connections to
those IPs on your router and forward them to the host/port specified in
TransPort. Tor will see those connections and figure out the hidden
service you're trying to connect to by reversing the Onion->IP mapping
that it provided earlier during the DNS lookup.

This is why any device on my LAN can talk to hidden services, without
having to install Tor on each of them, albeit less securely than if
they all had Tor installed locally of course.

-- 
Mike Cardwell  https://grepular.com https://emailprivacytester.com
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
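The DNSPort/TransPort/AutomapHostsOnResolve setup Mike describes, written out as an added example torrc fragment with the matching router-side redirect rules. This is not Mike's configuration: the LAN address 192.168.1.1, interface eth1, ports and the 10.192.0.0/10 pool are assumed values (Mike mentions "10.0.0.0/8 or similar"); the option names are Tor's own.

```text
## torrc fragment (added example): Tor on the LAN router acting as the DNS
## resolver and transparent proxy. Addresses, interface and ports are
## assumptions for the example.

# Accept plain DNS from the LAN, and the TCP flows the router redirects here.
DNSPort 192.168.1.1:53
TransPort 192.168.1.1:9040

# Instead of failing an A/AAAA lookup for a .onion name, answer with an
# address from VirtualAddrNetworkIPv4 and remember the name->address mapping.
# The mapping exists only in this Tor instance's memory: after a Tor restart
# the old addresses map to nothing and clients must resolve again.
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion,.exit
VirtualAddrNetworkIPv4 10.192.0.0/10

## On the router, LAN side on eth1 (standard transparent-proxy rules, run as
## root): send LAN DNS to Tor's DNSPort, and send TCP connections aimed at the
## virtual pool to TransPort, where Tor reverses the mapping.
#   iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 \
#       -j REDIRECT --to-ports 53
#   iptables -t nat -A PREROUTING -i eth1 -p tcp -d 10.192.0.0/10 \
#       -j REDIRECT --to-ports 9040
```

Two things to keep in mind when reading this against Mike's "less securely" caveat: the pool must not overlap any real LAN or VPN range, or those hosts become unreachable, and every client is trusting an unauthenticated resolver and a single shared Tor instance on the router rather than running its own.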
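Steven's point that "DNS is not used" and Bobby's question about leaks both come down to what the application hands to Tor's SOCKS port. The following is an added example, not code from the thread or from Tor: it encodes a SOCKS5 CONNECT request the way a Tor-aware client does (hostname sent as address type 3, per RFC 1928) and then labels a received request as a hidden-service request, an exit-resolved request, or a request whose address the application already resolved itself, which is the path on which a .onion lookup would have reached a public resolver. The three labels are this example's own; the onion name in the test is a constructed placeholder.

```python
# Added example (not from the thread or from Tor's source): SOCKS5 CONNECT
# framing per RFC 1928, plus a classifier mirroring how Tor's SOCKS listener
# treats the target. Label names ("hidden-service" etc.) are this example's.
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request. A hostname is sent as ATYP 3 so the
    proxy (Tor) resolves it; an IP literal means the client already did."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack(">H", port)


def parse_connect(data: bytes):
    """Decode a CONNECT request into (host, port); raises on malformed input."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack(">H", data[end:end + 2])
    return host, port


def classify(data: bytes) -> str:
    """Label a request the way Tor would have to treat it:
    - hidden-service: .onion name; rendezvous happens inside Tor, no DNS at all
    - exit-resolved:  any other hostname; the exit node resolves it
    - pre-resolved:   IP literal; the application did its own lookup first
      (with a .onion target, that lookup is where a DNS leak would occur)"""
    host, _ = parse_connect(data)
    if data[3] != ATYP_DOMAIN:
        return "pre-resolved"
    if host.lower().rstrip(".").endswith(".onion"):
        return "hidden-service"
    return "exit-resolved"


if __name__ == "__main__":
    # Constructed placeholder onion name, not a real service.
    for target in ("abcdefghijklmnop.onion", "www.torproject.org", "198.51.100.7"):
        req = build_connect(target, 80)
        print(target, "->", classify(req), req.hex())
```

The practical check this gives a defender: anything that reaches the SOCKS port as an IP literal was resolved outside Tor, so client configurations should use remote resolution (SOCKS5 with a hostname, what curl calls `socks5h://`) rather than SOCKS4 or local lookup.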

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

