Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#16430 closed defect (implemented)

tor relay rejecting DNS names containing underscore

Reported by: starlight
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: Tor: 0.2.6.9
Severity:
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It appears the prohibition against
use of underscore characters in
DNS names is canonical rather than
a hard rule enforced by the DNS
system. The below DNS names are
rejected by tor though they
resolve properly.

Seems likely DNS handling should be
revised to allow it.

Your application (using socks5 to port 80) gave Tor a malformed hostname: "core3_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core1_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core4_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core15_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core15_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core13_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core14_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core10_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core14_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core20_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core20_euw1.fabrik.nytimes.com.". Rejecting the connection.
Your application (using socks5 to port 80) gave Tor a malformed hostname: "core10_euw1.fabrik.nytimes.com.". Rejecting the connection.

Change History (10)

comment:1 Changed 4 years ago by yawning

It appears the prohibition against use of underscore characters in DNS names is canonical rather than a hard rule enforced by the DNS system. The below DNS names are rejected by tor though they resolve properly.

It's not enforced by the DNS system on the server side because RFC 2181 says that DNS servers must serve broken zones. I'm indifferent here for the most part except that Tor should reject obviously malformed queries as early as possible to minimize network use.

RFC 1912:

   Allowable characters in a label for a host name are only ASCII
   letters, digits, and the `-' character.  Labels may not be all
   numbers, but may have a leading digit  (e.g., 3com.com).  Labels must
   end and begin only with a letter or digit.  See [RFC 1035] and [RFC
   1123].  (Labels were initially restricted in [RFC 1035] to start with
   a letter, and some older hosts still reportedly have problems with
   the relaxation in [RFC 1123].)  Note there are some Internet
   hostnames which violate this rule (411.org, 1776.com).  The presence
   of underscores in a label is allowed in [RFC 1033], except [RFC 1033]
   is informational only and was not defining a standard.

RFC 2181:

   Note however, that the various applications that make use of DNS data
   can have restrictions imposed on what particular values are
   acceptable in their environment.  For example, that any binary label
   can have an MX record does not imply that any binary name can be used
   as the host part of an e-mail address.  Clients of the DNS can impose
   whatever restrictions are appropriate to their circumstances on the
   values they use as keys for DNS lookup requests, and on the values
   returned by the DNS.

Someone should e-mail the New York Times and tell them that their zone file is busted, because things like: core3_euw1.fabrik.nytimes.com. 3600 IN A 54.229.241.196 is broken and horrible. Yes, things like DomainKeys use _ in CNAME records, but when a CNAME is (eventually) pointing to an A or AAAA record, it needs to follow the hostname rules, which is the situation that's relevant to Tor's SOCKS proxy.

comment:2 Changed 4 years ago by arma

Your hostnames appear to end in a dot, making them doubly invalid?

comment:3 Changed 4 years ago by starlight

Not mine!

Does appear the trailing dot is in the
page request, though it may be worth
noting that the trailing dot is added
by dig to requests if not provided
explicitly.

The article still exhibits the problem (as
of this post) and is at

www.nytimes.com/2015/06/28/sports/basketball/phil-jackson-knicks-triangle-offense-nba.html

DNS names are not find-able in the CTRL-U page
source and so probably are buried in some JavaScript,
an I-frame or are obfuscated somehow.

I have no opinion on this, but noticed the issue
and it seems to work in normal browsers which
motivated the ticket. Problem causes the
page to hang in Tor Browser.

comment:4 Changed 4 years ago by starlight

Does eventually load, though after a long pause
that might be CPU-bound rendering on the slow
system in use.

comment:5 Changed 4 years ago by yawning

Status: new → needs_review

https://github.com/Yawning/tor/compare/bug16430

Might as well relax the check. The Tor Browser people can cherry pick this if they want it, IMO no backport.

comment:6 Changed 4 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merged!

comment:7 Changed 4 years ago by starlight

Hate to spoil parties, but that trailing dot
appears to still be a problem. Running 0.2.6.10 with

https://gitweb.torproject.org/tor.git/commit/?id=3f336966a264d7cd7c6dab08fb85d85273f06d68

applied and just got

Jul 26 17:05:09 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core3_euw1.fabrik.nytimes.com.". Rejecting the connection.
Jul 26 17:05:13 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core5_euw1.fabrik.nytimes.com.". Rejecting the connection.
Jul 26 17:05:16 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core5_euw1.fabrik.nytimes.com.". Rejecting the connection.
Jul 26 17:05:20 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core9_euw1.fabrik.nytimes.com.". Rejecting the connection.
Jul 26 17:05:25 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core3_euw1.fabrik.nytimes.com.". Rejecting the connection.
Jul 26 17:05:29 Tor[]: Your application (using socks5 to port 80) gave Tor a malformed hostname: "core3_euw1.fabrik.nytimes.com.". Rejecting the connection.

As observed earlier in this ticket, a trailing
dot appears to be the DNS-request form
visible when working with the dig utility.

I have no opinion regarding what is correct,
just reporting what I see. Therefore I'm
leaving the ticket closed and will let others
decide.

comment:8 Changed 4 years ago by starlight

Today's problem page (took a minute to remember/test):

http://www.nytimes.com/interactive/2015/07/22/arts/dance/20150726-vogue.html

Should stick around for awhile.

comment:9 Changed 4 years ago by yawning

A single trailing dot probably should be allowed, though Firefox apparently has some odd behavior here (Eg: https://bugzilla.mozilla.org/show_bug.cgi?id=134402 also something with cookies, something with the password manager, etc.).

The dot started off as a BSD-ism to indicate to the resolver that the domain is absolute, FQDN isn't actually formally defined in the RFCs in a consistent manner (comment 28 in the mozilla bug has a summary), but dealing with it is easy.

Even among the tools shipped with BIND, dig and nslookup both deal with a trailing dot correctly while host spits back an error, which is amusing since I would have hoped they'd get it correct.

I'll fix this when I have a moment.

comment:10 Changed 4 years ago by yawning

Dot issue filed as #16674
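
The check debated in this thread, as an added example (not Tor's code and not written by any commenter): the RFC 1912 label rule quoted in comment 1, with the underscore relaxation from comment 5 and the single trailing dot from comment 9 as separate flags. The function and flag names are hypothetical, and limiting `_` to the interior of a label is an assumption of this example.

```c
#include <stddef.h>
#include <string.h>

/* Policy flags: hypothetical names for this example, not Tor identifiers. */
#define HN_ALLOW_UNDERSCORE   0x1u  /* '_' accepted inside a label */
#define HN_ALLOW_TRAILING_DOT 0x2u  /* one final '.' (absolute name) accepted */

static int is_ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Return 1 if name passes the hostname check under flags, else 0.
 * With flags == 0 this is the RFC 1912 character rule quoted in comment 1
 * (the "not all numbers" clause is deliberately not enforced). */
int hostname_ok(const char *name, unsigned flags)
{
    size_t len = strlen(name);
    size_t start = 0, i;

    if (len > 0 && name[len - 1] == '.') {
        if (!(flags & HN_ALLOW_TRAILING_DOT))
            return 0;
        len--;                      /* strip exactly one dot; "a.." still fails */
    }
    if (len == 0 || len > 253)
        return 0;

    for (i = 0; i <= len; i++) {
        if (i < len && name[i] != '.')
            continue;
        /* name[start..i) is one label */
        size_t n = i - start, j;
        if (n == 0 || n > 63)
            return 0;               /* empty label: leading dot or ".." */
        if (!is_ascii_alnum((unsigned char)name[start]) ||
            !is_ascii_alnum((unsigned char)name[i - 1]))
            return 0;               /* must begin and end with letter/digit */
        for (j = start + 1; j + 1 < i; j++) {
            unsigned char c = (unsigned char)name[j];
            if (is_ascii_alnum(c) || c == '-')
                continue;
            if (c == '_' && (flags & HN_ALLOW_UNDERSCORE))
                continue;
            return 0;
        }
        start = i + 1;
    }
    return 1;
}
```

Calling it with only `HN_ALLOW_UNDERSCORE` on a name that ends in a dot reproduces the rejection reported in comment 7; adding `HN_ALLOW_TRAILING_DOT` accepts it.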
