Re: Basic, yet detailed, Tor questions.



On Sun, 11 Sep 2005 16:15:11 GMT, "Jeffrey F. Bloss"
<jbloss@xxxxxxxxxxxxxxxxxxxxxx> wrote:

>On Sun, 2005-09-11 at 02:56 -0700, A.Melon wrote:
>> "Jeffrey F. Bloss" <jbloss@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> > If DNS resolution is being done in the clear, there's always a risk. Your
>> > DNS server has to get its information from somewhere. :(
>>
>> Point taken. I think I need to find a different program to use than Privoxy.
>> It's slow and just doesn't work properly for me half the time, no matter what
>> futzing I do with the settings.
>
>I don't believe the problem is Privoxy. If you comment out the "forward
>SOCKS...." line and run it without tor, I think you'll find that
>throughput is indistinguishable from a naked connection.
>
>> Don't suppose anyone's written a basic DNS proxy to work alongside Tor?
>
>I wish I could think of the other popular local (Windows) proxy that did
>DNS caching, and even read ahead. Name began with an 'N' I think (?)...
>Damnit! The name escapes me at the moment. It's hell getting old. :(
>
>It's really irrelevant because I don't believe this proxy spoke SOCKS,
>but I wanted to rephrase your question a bit....
>
>Why hasn't someone modified privoxy to capture/force remote DNS, then
>cache the results locally (and securely) so that over time DNS
>resolution becomes a total non-issue. ;)
>
>Anyway, the other possibility that comes to mind (vaguely) for the
>Windows platform is Allegro. It's trialware, and about $80 if memory
>serves. Not sure about anything but the name here, but it's worth
>looking into.
>
>Good hunting.

Let me add this note about Privoxy and Tor. It was written by another, but you
may find it of interest.

On Mon, Aug 09, 2004 at 08:22:12AM -0400, Patrick McFarland wrote:
> On Mon, 9 Aug 2004 04:34:27 -0400, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
[...]
> > I believe that this only happens when you are using Tor as a socks
> > proxy from Mozilla directly. But you shouldn't do that; you lose
> > anonymity when your own host connects to the DNS server! You should
> > use privoxy as a HTTP proxy instead; see doc/CLIENTS in the Tor
> > distribution for more information about why and how.
>
> Privoxy doesn't support ipv6, however.

For the use case we're talking about, privoxy doesn't *need* IPv6.
Here's what's going on. (At least, here's what I *think* is going on;
I don't have a copy of Opera to test against.)

The original poster is (it seems) using Tor as a SOCKS 5 proxy from
his browser. When he goes to a dual IPv4/v6 site, these steps occur:

1. The web browser does a DNS lookup for the site's hostname.

(As soon as this happens, the user's anonymity is lost: the DNS
request has gone over the network in the clear, and any
eavesdropper can tell that the user is interested in connecting
to the target host.)

2. The web browser gets some A records (IPv4) and some AAAA
records (IPv6) back.

3. The web browser decides that it likes v6 better than v4, and
tells Tor, via SOCKS, "please connect to this IPv6 address."
Tor doesn't do IPv6, and gives up.

Even though privoxy doesn't support IPv6, it will still work fine in
this case. When Privoxy is set up as your HTTP proxy, and is set to
forward requests to Tor via socks4a, here's what happens:

1. The web browser sends an HTTP request to privoxy. This request
includes the hostname of the target webserver, so no DNS
resolution has taken place.

2. Privoxy sends a SOCKS 4A request to Tor. Again, this request
includes the hostname of the target webserver, so no DNS
resolution has taken place.

3. Your local Tor process transmits the request, along an
encrypted multi-server circuit, to a different Tor server,
which resolves the hostname for you, and connects to any IPv4
address it finds (since Tor doesn't support IPv6 now).

So in this case, you get two good things and a workaround:

Good thing 1: You aren't blowing your anonymity by doing the DNS
resolve yourself.

Good thing 2: Privoxy cleans identifying information from your HTTP
request, which Tor does not do itself.

Workaround: Because the DNS resolve is happening from within a
remote Tor process that ignores IPv6 addresses, it won't get
confused by having both AAAA records and A records for a single
server.

I hope this explained why using an HTTP proxy is important
_independently_ from IPv6/v4 issues; and why it is a good workaround
for those too.

yrs,
--
Nick Mathewson
(PGP key will change on 15Aug2004; see http://wangafu.net/key.txt)

Regards,
roadburner
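
The difference between the two setups described in the quoted message, shown at the byte level as an added example (not part of the original posts, and not code from Tor or Privoxy): a SOCKS 4A request carries the hostname, while a SOCKS request carrying an address means the client resolved the name before the proxy saw it. The function names, `example.com` and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct

def build_socks4a_connect(host, port, user_id=b""):
    """SOCKS4a CONNECT: DSTIP is 0.0.0.x (x != 0), hostname follows the user id."""
    return (struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + user_id + b"\x00" + host.encode("ascii") + b"\x00")

def build_socks5_connect(target, port):
    """SOCKS5 CONNECT request as sent after method negotiation."""
    try:
        ip = ipaddress.ip_address(target)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:  # not an IP literal: send it as a domain name
        name = target.encode("ascii")
        atyp, addr = 3, bytes([len(name)]) + name
    return struct.pack(">BBBB", 5, 1, 0, atyp) + addr + struct.pack(">H", port)

def classify_request(req):
    """Return 'hostname', 'ipv4' or 'ipv6' for the destination in a SOCKS request."""
    if len(req) >= 9 and req[0] == 4:
        ip = req[4:8]
        # SOCKS4a marker: first three octets zero, last octet non-zero.
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            return "hostname"
        return "ipv4"
    if len(req) >= 5 and req[0] == 5:
        kinds = {1: "ipv4", 3: "hostname", 4: "ipv6"}
        if req[3] in kinds:
            return kinds[req[3]]
    raise ValueError("not a recognised SOCKS4/4a/5 CONNECT request")

def resolved_locally(req):
    """True when the proxy was handed an address instead of a name, which for a
    browser visiting a named site means the DNS lookup happened on the client."""
    return classify_request(req) != "hostname"

if __name__ == "__main__":
    samples = {  # constructed sample requests
        "Privoxy -> Tor, SOCKS4a": build_socks4a_connect("example.com", 80),
        "browser -> Tor, SOCKS5 + AAAA result": build_socks5_connect("2001:db8::1", 80),
        "browser -> Tor, SOCKS5 + A result": build_socks5_connect("192.0.2.10", 80),
    }
    for label, req in samples.items():
        print(f"{label}: {classify_request(req)}, resolved locally: {resolved_locally(req)}")
```
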