Opened 4 years ago

Closed 4 years ago

#16813 closed defect (worksforme)

Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers

Reported by: teor Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: TorBrowserTeam201509
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by teor)

From IRC #tor

nettezzz
hello
I would like to share with you one interesting finding that I made recently, and that is a big security flaw related to using tor
simply said, a lot of distributions have nscd enabled by default, and nscd leaks the cached data to the system-wide nameserver by refreshing its cache entries, e.g.:
you have your browser configured to use a SOCKS proxy, including DNS requests going through it ... these DNS replies end up in nscd, and nscd periodically refreshes the entries by asking the system-wide configured nameservers
so maybe the solution would be that TOR also checks if nscd is running and, on an informational level, notifies the user that this might happen
how to reproduce it: enable nscd (if not enabled) and from a terminal with root's shell do `tcpdump -i $your_lan_iface port 53' ... you'll see periodically that your "tor browsed" sites leak via DNS requests to your "normal" DNS
I hope that this information will be useful for somebody

whitanne_
nettezzz: is this for the latest version of tor?

nettezzz
it's for all versions of tor
whitanne_: probably a lot of linux users are not affected, but at least some major distros have enabled nscd by default - at least we in opensuse
also this "feature" is not documented in the nscd manpage

Joost
nettezzz: it appears people have noticed this in the past: https://tor.stackexchange.com/questions/4350/tor-dns-cached

nettezzz
indeed
so I re-invented the wheel :)
Joost: I didn't find it even according to the tor ... I was setting up some SOCKS proxy somewhere and found it ... later on reproduced it with tor browser

Joost
it's mentioned in some places, I see now.. https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin

nettezzz
indeed, sorry for alarming ppl then ... I thought I'd discovered America

Joost
but imo it's odd, since it seems like quite a leak
nettezzz: don't be sorry! it appears that there is very little awareness of this

nettezzz
but anyhow, it still happens these days whilst the solution is probably rather simple: 1) put this explicitly as a mention somewhere in tor browser, 2) add a check for nscd to the tor browser verification checks

whitanne_
nettezzz: maybe you could file a bug report or something

nettezzz
to be honest, I don't use tor and I don't even have an account on the tor bugzilla ... so please file a bug for tor and I'm going to file a bug in our opensuse bugzilla that this is undocumented and probably insecure to have enabled by default
I simply reproduced this with the latest tor browser because it was obvious that any other SOCKS proxy solution forwarding dns queries via proxy will be affected

Change History (6)

comment:1 Changed 4 years ago by teor

Description: modified (diff)

Split each part of the conversation by newlines for readability

comment:2 Changed 4 years ago by cypherpunks

What if we define the $LOCALDOMAIN environment variable and use a fresh glibc?
Can somebody trace what C function is used, so it wasn't used for the actual resolve but somehow used to call nscd functions?

comment:3 Changed 4 years ago by DrMikeTwiddle

It's the same situation in OS X with mDNSResponder. Please refer to: https://trac.torproject.org/projects/tor/ticket/16926

We really need some urgent answers on what's actually going on here.

comment:4 Changed 4 years ago by mikeperry

Keywords: TorBrowserTeam201509 added

comment:5 Changed 4 years ago by mikeperry

FWIW, I am unable to reproduce this. I installed nscd on an Ubuntu 14.04 machine, restarted Tor Browser, browsed with tcpdump watching port 53, and saw no DNS leaks.

I suspect that the answer on https://tor.stackexchange.com/questions/4350/tor-dns-cached is right. Probably nscd cached an earlier non-TBB DNS query for something, and was refreshing it because the TTL expired, or for other reasons unrelated to TBB activity.

comment:6 Changed 4 years ago by gk

Resolution: worksforme
Status: new → closed

Seems this is WORKSFORME. Please, reopen with steps to reproduce this problem in case it still persists and is a Tor Browser issue.
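
Added example, not part of the ticket or of Tor Browser: one way to make the tcpdump check from the description and comment:5 separate Tor Browser activity from unrelated nscd refreshes is to visit a hostname in Tor Browser that the machine has never resolved before, then search the port 53 capture for that name. The canary hostname, the `leaked_queries` helper and the capture lines are constructed for illustration, and the regex assumes tcpdump's default one-line DNS output.

```python
import re

# Default tcpdump output for a DNS query looks like:
#   <time> IP <src>.<port> > <resolver>.53: 4242+ [1au] A? name. (33)
# Port 53 is printed as "domain" when tcpdump is run without -n.
QUERY_RE = re.compile(
    r"\.(?:53|domain): \d+\S*(?: \[[^\]]*\])* "
    r"(?P<qtype>[A-Za-z0-9]+)\? (?P<name>\S+?)\.? \(\d+\)"
)

def leaked_queries(tcpdump_text, canaries):
    """Return (timestamp, qtype, name) for every cleartext DNS query whose
    name equals, or is a subdomain of, one of the canary hostnames."""
    wanted = {c.lower().rstrip(".") for c in canaries}
    hits = []
    for line in tcpdump_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # responses and non-DNS lines carry no "TYPE? name." part
        name = m.group("name").lower()
        labels = name.split(".")
        # Match on label boundaries only: compare each suffix of the name.
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & wanted:
            hits.append((line.split(" ", 1)[0], m.group("qtype"), name))
    return hits

# Constructed capture (documentation addresses), not real traffic.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.0.2.10.40001 > 192.0.2.1.53: 1111+ A? updates.distro.example. (40)
10:00:01.020000 IP 192.0.2.1.53 > 192.0.2.10.40001: 1111 1/0/0 A 198.51.100.7 (56)
10:05:00.000002 IP 192.0.2.10.40002 > 192.0.2.1.53: 2222+ [1au] AAAA? www.canary-7f3a.example. (52)
10:05:00.500000 IP 192.0.2.10.40003 > 192.0.2.1.domain: 3333+ A? notcanary-7f3a.example. (41)
"""

if __name__ == "__main__":
    # Hypothetical canary: a name visited only inside Tor Browser.
    for ts, qtype, name in leaked_queries(SAMPLE_CAPTURE, ["canary-7f3a.example"]):
        print(f"{ts} cleartext {qtype} query for {name}")
```

A hit for a name that was only ever requested through Tor Browser points at a leak; queries for names resolved earlier outside Tor Browser match the cache-refresh explanation in comment:5.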
