Opened 2 years ago

Last modified 6 months ago

#16926 new defect

Multiple OS: Tor Browser leaks domains to system DNS management.

Reported by: DrMikeTwiddle
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Someone recently posted this bug:

https://trac.torproject.org/projects/tor/ticket/16813

Which describes what appeared to be a serious DNS leak from Tor to the Linux system’s DNS management, nscd.

But the same thing is happening on OS X with mDNSResponder.

The following command, sudo killall -INFO mDNSResponder, will dump the contents of the DNS cache to system.log.

And within that I found one site that has *only* been visited via Tor Browser.

I’m not sure why it was only one after a heavy Tor session, and subsequent attempts to repeat this have not reproduced the problem.

Now I’ve learned this isn’t new, others have commented the same in the past:

https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/comment-page-1/#comment-965581

https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/comment-page-1/#comment-995659

I actually tested recent Tor Browser versions quite thoroughly from time to time with tcpdump and inspecting the dump either by grepping for IP addresses other than the expected entry node or inspecting in Wireshark and have never seen a ‘live’ DNS leak from Tor yet.

But it’s difficult to tell from the mDNSResponder dump in system.log if mDNSResponder is sometimes trying to look up domains visited over Tor in clearnet.

The comments in the above 2 links believe that is the case and they recommend mDNSResponder has to be disabled before Tor use.

The entry of the mDNSResponder dump in system log was:

Aug 30 02:29:23 mymachine mDNSResponder[39]: 78 4252 -U- Addr 4 tor-only-visited-site.com Addr 123.123.123.123

Can we get some *urgent* clarification about how Tor Browser is handling this?

Is it merely the case that the system DNS service has to have access to sites Tor is connecting to but isn’t actually doing any DNS lookups in the clear but they are just (sometimes?) ending up in its cache?

Or is it the case that if DNS lookups over Tor fail or stall they are being passed to the system to ‘have a go’? Can we get some answers please, because the information is currently extremely vague.

Note I believe in more recent versions of OS X mDNSResponder has been replaced with a service called discoveryd, but I’m not using these later versions.

Tor Browser version is the latest, 5.02, OS X.
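As an added example (not from the ticket or from Tor Browser's own code), a small Python parser for system.log lines in the format of the mDNSResponder dump entry quoted above, which flags cache entries for names that should only ever have been resolved over Tor, subdomains included. The sample log lines are constructed, and the numeric fields before "Addr" are deliberately left uninterpreted.

```python
import re

# Shape of a cache entry line as quoted in the report (emitted after
# `sudo killall -INFO mDNSResponder`). Assumption: only the name and the
# resolved address matter for this check; the counters before "Addr" are ignored.
CACHE_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ mDNSResponder\[\d+\]: "
    r".*?Addr +\d+ (?P<name>\S+) Addr (?P<addr>\S+)$"
)

# Constructed sample, modelled on the single line quoted in the ticket.
SAMPLE_LOG = """\
Aug 30 02:29:20 mymachine mDNSResponder[39]: 12 101 -U- Addr 4 time.apple.com Addr 198.51.100.7
Aug 30 02:29:23 mymachine mDNSResponder[39]: 78 4252 -U- Addr 4 server2.tor-only-visited-site.com Addr 123.123.123.123
Aug 30 02:29:23 mymachine kernel[0]: unrelated message
Aug 30 02:29:24 mymachine mDNSResponder[39]: 80 4253 -U- Addr 4 example.org Addr 203.0.113.5
"""


def parse_cache_dump(text):
    """Yield (timestamp, name, address) for every mDNSResponder cache entry line."""
    for line in text.splitlines():
        m = CACHE_LINE.match(line)
        if m:
            # Normalise: strip a trailing dot and lowercase so comparisons are stable.
            yield m.group("ts"), m.group("name").rstrip(".").lower(), m.group("addr")


def is_covered(name, tor_only_domains):
    """True if `name` equals, or is a subdomain of, any Tor-only domain."""
    return any(name == d or name.endswith("." + d) for d in tor_only_domains)


def find_leaked_entries(text, tor_only_domains):
    """Return the cache entries whose name should never have reached the system resolver."""
    domains = {d.rstrip(".").lower() for d in tor_only_domains}
    return [entry for entry in parse_cache_dump(text) if is_covered(entry[1], domains)]


if __name__ == "__main__":
    for ts, name, addr in find_leaked_entries(SAMPLE_LOG, ["tor-only-visited-site.com"]):
        print(f"{ts}: {name} -> {addr} is in the system DNS cache")
```

Feed it the real dump with a list of sites you only ever visit through Tor Browser; any hit is a candidate for the investigation the ticket describes.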


Change History (19)

comment:1 Changed 2 years ago by cypherpunks

> I’m not sure why it was only one after a heavy Tor session, and subsequent attempts to repeat this have not reproduced the problem.

Have you tried to visit the same "tor-only-visited-site.com" using the same browser settings (addons, javascript settings, noscript settings, security slider settings, etc)?

> Now I’ve learned this isn’t new, others have commented the same in the past

The comment talks about "browsing through Tor using Safari"; it's a different case, not applicable to Tor Browser.

comment:2 in reply to: description Changed 2 years ago by someone_else

The application using Tor needs to avoid doing DNS queries. TBB's Firefox has the setting 'Remote DNS' enabled. Firefox has a DNS manager built in that is at least theoretically used for all DNS queries.

If 'Remote DNS' is enabled, that DNS manager will not do any DNS queries. Firefox will not do any DNS at all, it will just hand the host names to the socks proxy (Tor). The Tor client itself will not use DNS either, the exit node will resolve the host name.

Most applications don't properly handle socks and perform local DNS lookups when configured to use socks - Firefox is an exception.

Your network monitoring application may very well trigger DNS lookups.
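As an added illustration of the 'Remote DNS' point above (example code, not Firefox's or Tor's own): a SOCKS5 CONNECT request (RFC 1928) carries the destination either as a hostname (ATYP 0x03) or as an IP address (ATYP 0x01). With remote DNS the browser sends the name and never consults the system resolver; the proxy resolves it. The second function takes a captured request, for instance from a localhost capture of the browser-to-Tor SOCKS port, and reports which of the two the application actually sent.

```python
import ipaddress
import struct

# SOCKS5 constants (RFC 1928)
SOCKS5_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_request(host: str, port: int) -> bytes:
    """Build the SOCKS5 CONNECT request sent after the auth handshake.

    A hostname goes out verbatim as ATYP 0x03, so the client never touches the
    system resolver (the 'Remote DNS' behaviour); an IPv4 literal goes out as ATYP 0x01.
    """
    try:
        packed = ipaddress.IPv4Address(host).packed  # raises for anything but an IPv4 literal
        return struct.pack("!BBBB", SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_IPV4) + packed + struct.pack("!H", port)
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 hostnames must be 1..255 bytes")
        return (struct.pack("!BBBBB", SOCKS5_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name))
                + name + struct.pack("!H", port))


def classify_connect_request(data: bytes) -> dict:
    """Parse a captured CONNECT request and say whether the application handed over
    a name (remote DNS, nothing for the local resolver to see) or an address it
    must have resolved itself (the case a leak hunt is looking for)."""
    if len(data) < 7 or data[0] != SOCKS5_VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        if len(data) != 7 + n:
            raise ValueError("truncated domain-name request")
        name = data[5:5 + n].decode("idna")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
        return {"remote_dns": True, "target": name, "port": port}
    if atyp == ATYP_IPV4:
        if len(data) != 10:
            raise ValueError("truncated IPv4 request")
        addr = str(ipaddress.IPv4Address(data[4:8]))
        port = struct.unpack("!H", data[8:10])[0]
        return {"remote_dns": False, "target": addr, "port": port}
    raise ValueError(f"unsupported ATYP {atyp:#x}")
```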

comment:3 Changed 2 years ago by DrMikeTwiddle

@cypherpunks:

> Have you tried to visit the same "tor-only-visited-site.com" using the same browser settings (addons, javascript settings, noscript settings, security slider settings, etc)?

Yes. I always surf with Security set to highest. It did make me wonder if the site in question had found some way round TB.

I did a lot of testing today with tor-only-visited-site.com and others trying to provoke the result, and so far I can't repeat it, but nonetheless that one entry is there in the system.log dump from mDNSResponder.

I need to make a clarification on the original report that might help throw some light: the entry was actually a subdomain of tor-only-visited-site.com, so it was:

server2.tor-only-visited-site.com

The site in question is a web based proxy site as I was trying to read something and tired of sites banning Tor exits, although I doubt that's significant.

@someone_else:

> Your network monitoring application may very well trigger DNS lookups

I wasn't running tcpdump at the time (and when I do, I usually use the -n flag) or Wireshark. But I am running Little Snitch (application firewall); all Tor is allowed, but I block a lot of other software phoning-home stuff with it.

Little Snitch runs as a kernel extension I believe.

Is it possible for LS to intercept queries from TB (presumably before they are encrypted and sent) and do a system DNS lookup?


comment:4 in reply to: 3 Changed 2 years ago by someone_else

Replying to DrMikeTwiddle:

> Is it possible for LS to intercept queries from TB (presumably before they are encrypted and sent) and do a system DNS lookup?

The socks/TCP connection(s) from Firefox to Tor are not encrypted. But it's a local connection and it seems unlikely that the firewall would look at it and do DNS queries.

comment:5 Changed 2 years ago by teor

Some further information on OS X, mDNSResponder, and discoveryd:
discoveryd was a buggy replacement for mDNSResponder included in OS X Yosemite 10.10.0 - 10.10.3 inclusive. It was removed in 10.10.4.
http://www.macrumors.com/2015/06/30/apple-releases-os-x-10-10-4/

Some further information on LittleSnitch:
It seems unlikely that LittleSnitch is parsing hostnames from the middle of a SOCKS5 packet and looking them up. However, its domain-name based filter feature requires it to watch DNS requests and keep a record of name to IP mappings (reverse DNS doesn't work, so it doesn't use it).

"It therefore watches all DNS requests and responses on UDP and TCP ports 53 and 5353, and remembers the names which led to a particular IP address"
https://www.obdev.at/ftp/pub/Products/LittleSnitch/LittleSnitch-Documentation-1.1.pdf

LittleSnitch needs to look at source and destination IPs in the IP headers of all packets sent and received by OS X. But for Tor Browser <-> Tor, this would be localhost <-> localhost.

It's unclear whether it parses packets from the FTP or SOCKS protocols.
https://www.obdev.at/products/littlesnitch/index.html

comment:6 Changed 2 years ago by DrMikeTwiddle

@someone_else: Thanks for the information.

@teor - likewise, thanks for the info.

So it's still unclear if LS is responsible then. I have contacted the LS devs to try to shed some more light on this and made a report to them.

Hopefully they will comment soon.

It is strange it was only one site so far.

I am continuing to run more tests to try to repeat this and will update shortly. My only other guess is that it is something going on in OS X itself.


comment:7 Changed 2 years ago by teor

Have you ever bookmarked tor-only-visited-site.com in another browser?
Safari on OS X will look up favicons by making a connection to every site in its bookmarks, even if you never visit the site using Safari.

Some browsers and even other tools (ClipMenu, a clipboard manager) appear to connect to the Google Safe Browsing servers. But that shouldn't cause a DNS lookup, unless the app in question submits IP addresses rather than DNS names. (And it's possible to implement Safe Browsing using a local database of URL hashes, rather than a plaintext URL lookup.)
https://developers.google.com/safe-browsing/

I wonder if the Finder does either of these things for Finder URL bookmarks?
I wonder if the Dock does them, if you drag an OS X Finder URL bookmark into the Dock?

It may be worth writing up a list of every location on your Mac that you've ever used (bookmarked, pasted, typed) tor-only-visited-site.com. That would at least help you eliminate possible leak vectors.

comment:8 Changed 2 years ago by DrMikeTwiddle

teor:

> Have you ever bookmarked tor-only-visited-site.com in another browser?

No, absolutely not. And no other browsers were running. I never usually run another browser concurrently with TB.

It is the case that tor-only-visited-site.com happens to be bookmarked within Tor Browser (in fact it's the first bookmark manually added).

There are some older versions of TB on the same volume with 5.02 and I would have this bookmark in them too. At one point about a month back I might have exported the bookmark list from one version to import into another, but seem to have deleted any free floating bookmarks.html file since then.

But it's just too much of a coincidence from that being the last, or close to the last site I visited in that session. Furthermore it was a specific subdomain of tor-only-visited-site.com, that the site goes to automatically when you actually use it, and these subdomains appear to be numbered 1 to at least 8. So it was server2.tor-only-visited-site.com, not the bookmark itself.

It's clearly jumped from that Tor Browser session to mDNSResponder *somehow*, albeit we don't know how yet.

When I'd finished the session, I then hit New Identity. And then went to Terminal and did the command to dump the state of mDNSResponder. It was conspicuous as an entry there.

The rest of what you say is a reasonable line of inquiry too and I am aware of these kinds of potential leaks.

For instance Tor Browser Mac users need to know that Quicklook can and often will try to connect back to remote servers when viewing html documents in the Finder to grab some remote resource. That's one reason I put Little Snitch on to kill the Finder connecting to any remote server.

Also, contextual mouse menus can sometimes have a web search or 'open URL' feature that is easily inadvertently activated. And the options in System Preferences to turn them off don't seem to work. So care is needed if copying and pasting a URL from TB into TextEdit or some similar app.

But none of that happened here.

I'm considering making what I have of mDNSResponder state dump available, or at least more of it as it may provide some better information to someone with more technical knowledge.

comment:9 Changed 2 years ago by DrMikeTwiddle

Update received from Little Snitch developer:

> According to the description of the user the mDNSResponder itself cached the address so I would assume this issue is about a leak between the Tor Browser and the mDNSResponder.
>
> Therefore it could be that the address was also listed in the Little Snitch Network Monitor for the mDNSResponder process.
>
> Little Snitch itself reads the DNS cache from the mDNSResponder but does not trigger lookups on its own and does not read the local packets.
>
> Best regards,
> Simon

He also mentions the URL presented here earlier (albeit with Safari):

https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/comment-page-1/#comment-965581


comment:10 Changed 2 years ago by cypherpunks


comment:11 Changed 2 years ago by DrMikeTwiddle

@cypherpunks

I lack the knowledge to assess the code, but very much believe you are correct in that it would seem unlikely. As an end user (and supporter of Tor) I’ve heavily tested TB (and also just regular Firefox + VPN, including with a bunch of plug-ins in reg FF) and no leak has ever come up in formal testing, in Wireshark, tcpdump, and so on. Ever.

That’s why I’m so surprised. Of course it is difficult for me to assess how broken my own system is. It’s not impossible I’ve installed something at some point in time to the system itself that could be a factor. I can’t rule that out. But it would have to be something that explicitly grabs a URL out of the address bar and does a DNS look up on it but *extremely infrequently*.

And because this is so infrequent (it’s happened only once and I can’t yet repeat it), it does make me feel it is not yet possible to rule out some leak, however odd or rare and difficult to trigger, from TB or its pluggable transport packages (like obfs3/4, which I tend to use due to ISP problems here).

I see a new bug has been filed by teor about a potential leak from testing Tor (using chutney I think) on OS X:

https://trac.torproject.org/projects/tor/ticket/16971

And then there was also the original report about DNS leaks on Linux.

My own testing is continuing.

comment:12 in reply to: 11 Changed 2 years ago by teor

Replying to DrMikeTwiddle:

> I see a new bug has been filed by teor about a potential leak from testing Tor (using chutney I think) on OS X:
>
> https://trac.torproject.org/projects/tor/ticket/16971

It's not a bug, it's the Tor Exit behaving as designed by checking for DNS hijacking. See my latest comment on that ticket.

comment:13 Changed 2 years ago by DrMikeTwiddle

@teor, thanks for the clarification.

I guess I can't use Tor on OS X anymore at least where anonymity is needed.

Now I couldn't repeat the event. But one assumes if a tor-only-visited address is present in mDNSResponder's dump the system has indeed done a DNS lookup outside of Tor. If there is something non-Tor on my system that has made this happen, just once, I would have no idea what it is.

Perhaps I could run a giant traffic capture for a week to see if some process can be pushed into looking up a URL that I didn't expect, but my feeling at the moment is nothing will be found. Hours-long tests so far have all come up with nothing since the leak.

There is one other option here: that is either the site concerned or the exit node at the time were running some zero-day exploit that didn't involve javascript. It seems unlikely, but that's the only other option and might explain why I couldn't repeat it.

comment:14 Changed 2 years ago by bugzilla

Severity: Normal

Probable reason: ticket:18937#comment:24


comment:15 Changed 2 years ago by bugzilla

Keywords: tbb-security TorBrowserTeam201601 tbb-5.5 added
Severity: Normal → Major
Version: Tor: unspecified

comment:16 Changed 2 years ago by gk

Keywords: TorBrowserTeam201601 tbb-5.5 removed

comment:17 Changed 6 months ago by Dbryrtfbcbhgf

Any updates on whether this bug can be resolved?

And is this reason to be concerned?
User DrMikeTwiddle:
> I guess I can't use Tor on OS X anymore at least where anonymity is needed.
> Now I couldn't repeat the event. But one assumes if a tor-only-visited address is present in mDNSResponder's dump the system has indeed done a DNS lookup outside of Tor. If there is something non-Tor on my system that has made this happen, just once, I would have no idea what it is.


comment:18 Changed 6 months ago by Dbryrtfbcbhgf

Cc: jackiam2003@… added

comment:19 Changed 6 months ago by Dbryrtfbcbhgf

Cc: jackiam2003@… removed