Opened 5 years ago

Closed 5 years ago

#16813 closed defect (worksforme)

Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers

Reported by: teor Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: TorBrowserTeam201509
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by teor)

From IRC #tor

I would like to share with you one interesting findings that I did recently and that is big security flaw related to using the tor
simply said, a lot of distributions use by default enabled nscd and nscd leaks the cached data to the system wide nameserver by refreshing its cache entries, eg:
you have your browser configured to use SOCKS proxy including DNS requests going through .. these dns replies ends up in nscd and nscd periodically refreshes the entries by asking system-wide set nameservers
so maybe the solution would be that TOR also check if nscd is running and on information level notices user that this might happen
howto reproduce it: enable nscd (if not enabled) and from terminal with root'
s shell do `tcpdump -i $your_lan_iface port 53' ... you'll see periodically that your "tor browsed" sites leaks via DNS requests to your "normal" DNS
I hope that this information will be useful for somebody

nettezzz: is this for the latest version of tor?

it's for all versions of tor
whitanne_: probably a lot of linux users are not affected, but at least some major distros have enabled nscd by default - at least we in opensuse
also in nscd manpage is not this "feature" documented

nettezzz: it appears people have noticed this in the past:

so I re-inveneted wheel :)
Joost: I didn't find it even according to the tor ... I was seting up somewhere some SOCKS proxy and found it ... later on reproduced it with tor browser

it's mentioned in some places, I see now..

indeed sorry for alarming ppl then ... I thought I've discovered an americas

but imo it's odd, since it seems like quite a leak
nettezzz: don't be sorry! it appears that there is very little awareness of this

but anyhow, it happens still these days whilst the solution is probably rather simple 1) put this explicitely as a mention somewhere to tor browser, 2) adding a check tfor nscd to tor browser verification checks

nettezzz: maybe you could file a bug report or something

to be honest, I don't use tor and I don't even have a account to tor bugzilla ... so please fill bug for tor and I'm going to fill bug to our opensuse bugzilla that this is undocumented and probably insecure to have it by default enabled
I simply reproduced this with latest tor browser because it was obvious that any other SOCKS proxy solution forwarding dns queries via proxy will be affected

Child Tickets

Change History (6)

comment:1 Changed 5 years ago by teor

Description: modified (diff)

Split each part of the conversation by newlines for readability

comment:2 Changed 5 years ago by cypherpunks

What if to define $LOCALDOMAIN environment variable and to use fresh glibc?
Can somebody to trace what C function used so it wasn't used for actual resolve but somehow used to call nscd functions?

Version 0, edited 5 years ago by cypherpunks (next)

comment:3 Changed 5 years ago by DrMikeTwiddle

It's the same situation is OS X with mDNSResponder. Please refer to:

We really need some urgent answers on what's actually going on here.

comment:4 Changed 5 years ago by mikeperry

Keywords: TorBrowserTeam201509 added

comment:5 Changed 5 years ago by mikeperry

FWIW, I am unable to reproduce this. I installed nscd on an Ubuntu 14.04 machine, restarted Tor Browser, browsed with tcpdump watching port 53, and saw no DNS leaks.

I suspect that the answer on is right. Probably nscd cached an earlier non-TBB DNS query for something, and was refreshing it because the TTL expired, or for other reasons unrelated to TBB activity.

comment:6 Changed 5 years ago by gk

Resolution: worksforme
Status: newclosed

Seems this is WORKSFORME. Please, reopen with steps to reproduce this problem in case it still persists and is a Tor Browser issue.

Note: See TracTickets for help on using tickets.