Opened 21 months ago

Closed 6 months ago

#17070 closed defect (fixed)

".local" is mDNS for the local network, but tor assumes localhost

Reported by: teor Owned by: jryans
Priority: Medium Milestone: Tor: 0.3.0.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: security lorax doc
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

tor_addr_hostname_is_local labels hostnames ending in ".local" as resolving to the loopback address. But ".local" is used for multicast DNS, so some names ending in ".local" may be on the local network(s), and not on 127.0.0.1 or ::1 or the associated netblocks.

https://en.wikipedia.org/wiki/Multicast_DNS

However, the current implementation is probably doing the right thing anyway, as allowing ".local" over SOCKS/Tor could open up access to servers or devices on Exit relays' local networks, which has security implications.

This may require a documentation change, or perhaps refactoring and review of all uses of tor_addr_hostname_is_local to see if they want only localhost, or local networks as well.

Child Tickets

Change History (11)

comment:1 Changed 20 months ago by nickm

  • Keywords lorax added
  • Milestone changed from Tor: 0.2.8.x-final to Tor: 0.2.???

comment:2 Changed 20 months ago by nickm

Move a few tickets out of 0.2.8. I would take a good patch for most of these if somebody writes one. (If you do, please make the ticket needs_review and move it back into maint-0.2.8 milestone. :) )

comment:3 Changed 8 months ago by nherring

  • Severity set to Blocker

The only caller appears to be in connection_ap_handshake_rewrite_and_attach in src/or/connection_edge.c. That said, I agree that the ".local" domain is context-specific and evaluating that in the context of the relay seems Bad™. I think "local" here is probably correct, it's just not localhost, but rather local-net. Is there anything to really do here?

comment:4 Changed 8 months ago by nickm

  • Severity changed from Blocker to Normal

comment:5 Changed 8 months ago by nickm

I think you may be right. There could be a documentation clarification fix to make here, I guess? What do you think, teor?

comment:6 Changed 8 months ago by teor

  • Keywords doc added

I think we can update the documentation (function header and perhaps man page) to say that tor doesn't connect to '.local' addresses, and call this closed.

comment:7 Changed 6 months ago by teor

  • Milestone changed from Tor: 0.2.??? to Tor: 0.3.???

Milestone renamed

comment:8 Changed 6 months ago by jryans

  • Owner set to jryans
  • Status changed from new to assigned

comment:9 Changed 6 months ago by jryans

  • Status changed from assigned to needs_review

I updated the function header for tor_addr_hostname_is_local and man page entry for ClientRejectInternalAddresses to describe that multicast DNS hostnames for machines on the local network (of the form *.local) are also rejected.

https://github.com/jryans/tor/commits/local-hostname

comment:10 Changed 6 months ago by teor

  • Milestone changed from Tor: 0.3.??? to Tor: 0.2.9.x-final
  • Status changed from needs_review to merge_ready

Looks good!
Sticking this in 0.2.9 because it's a documentation-only change.
(nickm, feel free to disagree.)

comment:11 Changed 6 months ago by nickm

  • Milestone changed from Tor: 0.2.9.x-final to Tor: 0.3.0.x-final
  • Resolution set to fixed
  • Status changed from merge_ready to closed

Taking in 0.3.0; I think 0.2.9 has crossed the point where we should be treating it as "serious issues only". Thanks!

Note: See TracTickets for help on using tickets.