Tor Browser + nscd leaks Tor DNS to System Cache to System DNS Servers
From IRC #tor
nettezzz hello I would like to share with you one interesting findings that I did recently and that is big security flaw related to using the tor simply said, a lot of distributions use by default enabled nscd and nscd leaks the cached data to the system wide nameserver by refreshing its cache entries, eg: you have your browser configured to use SOCKS proxy including DNS requests going through .. these dns replies ends up in nscd and nscd periodically refreshes the entries by asking system-wide set nameservers so maybe the solution would be that TOR also check if nscd is running and on information level notices user that this might happen howto reproduce it: enable nscd (if not enabled) and from terminal with root' s shell do `tcpdump -i $your_lan_iface port 53' ... you'll see periodically that your "tor browsed" sites leaks via DNS requests to your "normal" DNS I hope that this information will be useful for somebody
whitanne_ nettezzz: is this for the latest version of tor?
nettezzz it's for all versions of tor whitanne_: probably a lot of linux users are not affected, but at least some major distros have enabled nscd by default - at least we in opensuse also in nscd manpage is not this "feature" documented
Joost nettezzz: it appears people have noticed this in the past: https://tor.stackexchange.com/questions/4350/tor-dns-cached
nettezzz indeed so I re-inveneted wheel :) Joost: I didn't find it even according to the tor ... I was seting up somewhere some SOCKS proxy and found it ... later on reproduced it with tor browser
Joost it's mentioned in some places, I see now.. https://www.reddit.com/r/TOR/comments/1jegou/tor_and_dns_leaks/cbebnin
nettezzz indeed sorry for alarming ppl then ... I thought I've discovered an americas
Joost but imo it's odd, since it seems like quite a leak nettezzz: don't be sorry! it appears that there is very little awareness of this
nettezzz but anyhow, it happens still these days whilst the solution is probably rather simple 1) put this explicitely as a mention somewhere to tor browser, 2) adding a check tfor nscd to tor browser verification checks
whitanne_ nettezzz: maybe you could file a bug report or something
nettezzz to be honest, I don't use tor and I don't even have a account to tor bugzilla ... so please fill bug for tor and I'm going to fill bug to our opensuse bugzilla that this is undocumented and probably insecure to have it by default enabled I simply reproduced this with latest tor browser because it was obvious that any other SOCKS proxy solution forwarding dns queries via proxy will be affected