Opened 3 years ago

Closed 6 months ago

#16971 closed enhancement (fixed)

Testing tor networks use external DNS for dns checks

Reported by: teor
Owned by:
Priority: Low
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: tor-testing chutney-related dns
Cc:
Actual Points:
Parent ID: #21903
Points:
Reviewer:
Sponsor:


When I launch a test network using make test-network / chutney on OS X, and leave it running for about a minute, one of the tor processes makes DNS calls.

I discovered this because LittleSnitch told me tor was trying to connect to the local network's DNS server. I don't know where this happens in the tor code.

Marking this as major / Post027Freeze as it could be an information leak. Alternately, it could be an attempt to look up an address that chutney is (mis)configuring for tor.

I'm not quite sure how to tell the difference between an information leak and a misconfiguration; it may take me some time.

Change History (10)

comment:1 Changed 3 years ago by teor

The first DNS connection happens approximately 90 seconds after running src/test/ --sleep 120 with the new default bridges+hs chutney flavour. The DNS request seems to happen regardless of chutney flavour, so it's coming from the authority, relay, or client code.

I checked the following flavours:

  • bridges+hs (default)
  • basic-min
  • bridges
  • bridges+ipv6
  • hs
  • ipv6-exit-min

The DNS request can be cancelled (by LittleSnitch) and the chutney tests still succeed. If the connection attempt remains blocked (the LittleSnitch dialog is kept open), all other network communication from tor stops. (So the request is happening on the main tor thread, not some other OS X-created thread.)

If --sleep is set low enough, the entire test can run successfully, and the tor processes terminate, before the DNS query is even sent.

comment:2 Changed 3 years ago by teor

Keywords: lorax added; Post027Freeze TorCoreTeam201509 removed
Milestone: changed from Tor: 0.2.7.x-final to Tor: 0.2.???
Priority: changed from major to minor
Summary: changed from "Testing tor networks use external DNS" to "Testing tor networks use external DNS for dns checks"
Type: changed from defect to enhancement
Version: Tor: unspecified

I checked using Wireshark and the DNS queries are from tor's dns_launch_wildcard_checks and dns_launch_correctness_checks.

Do we want to have a way of disabling external network access (including DNS) for test networks?

I can imagine there are scenarios where this would be useful, but I'm not sure if it's a priority for anyone.

comment:3 Changed 3 years ago by nickm

I think that if we want to move forward on this, the Right Thing isn't to mess with the Tor code, but to run a little fake DNS server as part of the test network.

comment:4 Changed 3 years ago by teor

I'm pretty sure this is the cause for #15353 - Some chutney tests fail when localhost is the only available IP.

The local DNS server would fix this issue, too.
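
The "little fake DNS server" proposed in comment:3 and referred to in comment:4, as an added example; it is not part of the ticket, tor, or chutney. The zone contents, port, and function names are hypothetical, and it assumes the wildcard checks expect NXDOMAIN for names that do not exist, so only names listed in the zone get an address.

```python
import socket
import struct

# Constructed zone: the only names this test resolver will answer (hypothetical).
ZONE = {"known.test.": "127.0.0.1"}

def parse_qname(msg, off=12):
    """Read the uncompressed QNAME at off; return (dotted name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_response(query, zone=ZONE):
    """Answer A queries for names in zone; every other name gets NXDOMAIN."""
    if len(query) < 12:
        raise ValueError("short packet")
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    base = 0x8000 | 0x0400 | 0x0080 | (flags & 0x0100)  # QR, AA, RA, echo RD
    if name not in zone:  # unknown name: RCODE 3 (NXDOMAIN), no answers
        return struct.pack("!HHHHHH", qid, base | 3, 1, 0, 0, 0) + question
    if qtype != 1 or qclass != 1:  # known name, but not an IN A query: empty answer
        return struct.pack("!HHHHHH", qid, base, 1, 0, 0, 0) + question
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(zone[name])
    return struct.pack("!HHHHHH", qid, base, 1, 1, 0, 0) + question + answer

def serve(host="127.0.0.1", port=5300):
    """Loopback-only UDP loop; malformed packets are dropped silently."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            continue

if __name__ == "__main__":
    serve()
```

Because it binds only to loopback and never forwards, no query it receives leaves the machine.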

comment:5 Changed 16 months ago by teor

Milestone: changed from Tor: 0.2.??? to Tor: 0.3.???

Milestone renamed

comment:6 Changed 15 months ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: changed from Tor: 0.3.??? to Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:7 Changed 11 months ago by teor

Parent ID: #21903
Severity: Normal

I think #21903 will fix this.

comment:8 Changed 10 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:9 Changed 9 months ago by nickm

Keywords: tor-testing chutney-related dns added; lorax removed

comment:10 Changed 6 months ago by teor

Resolution: fixed
Status: changed from new to closed

Fixed in #21903; users can now specify --offline.
