Opened 21 months ago

Last modified 4 weeks ago

#24833 new enhancement

DNS not reliably returning AAAA records

Reported by: Zakhar Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: 0.2.9.14
Severity: Normal Keywords: ipv6, tor-client, tor-exit, tor-dns, 034-triage-20180328, 034-removed-20180328
Cc: cypherpunks Actual Points:
Parent ID: #26664 Points:
Reviewer: Sponsor:

Description

[Enhancement Request]

(Cleaner explanation than closed ticket #24798)

I have a Tor Router set with dual stack.
DNS is done in ipv4 though (it should not matter since an ipv4 DNS can still respond to AAAA queries)

I can't find a setting to make DNS reliably return AAAA records: it is sort of "random", probably depending on the exit node.

$ uname -a
Linux user-pc 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ tor --version
Tor version 0.2.9.11 (git-aa8950022562be76).

(I will test 0.3.1, as recommended, next week when we have Bionic Beaver Alpha 1... to avoid having to compile with the Ubuntu toolchain I'm not so familiar with... and because it has dependencies that are not in 16.04 - already tried!)

Here is the relevant tor snippet

$ head /etc/tor/torrc

DNSPort 172.16.0.1:9053 IPv6Traffic
TransPort 172.16.0.1:9040
TransPort [fe80::10%vnet0]:9040
ClientUseIPv6 1
ClientPreferIPv6ORPort 1
ClientPreferIPv6DirPort 1

Here is what I get from a machine connected to the router:

$ curl 'http://ipv4.whatismyip.akamai.com'; echo; curl -g -H 'Host: ifconfig.co' http://[2001:470:28:840::cafe:d00d]; echo "dig"; dig ifconfig.co A ifconfig.co AAAA +short;
46.182.19.15
2607:5300:120:312::1:1
dig
188.113.88.193

$ !!
199.87.154.255
2a00:fc00:e000:b001::f4ee
dig
188.113.88.193

$ !!
5.254.112.154
2620:18c:0:1001::102
dig
188.113.88.193
2001:470:28:840::cafe:d00d

$ !!
197.231.221.211
2620:18c:0:1001::102
dig
188.113.88.193

$ !!
192.42.116.16
2604:8b40:1:3::1
dig
188.113.88.193

$ !!
185.220.101.16
2a03:f85:8::7
dig
188.113.88.193
2001:470:28:840::cafe:d00d

(changing exit between each repetition with a NEWNYM command)

So, as you can see, both the ipv4 and the ipv6 stack work (first 2 curls of the command line), no issue with that fortunately!

For ipv6 I have to force the ipv6 address since the DNS query does not always return AAAA responses.

Depending on the exit host, we get AAAA responses... or not!

Question: how to make AAAA responses reliable?

P.S.: from teor's response in my initial ill-worded ticket, I don't think it is relevant to add 'IPv6Traffic' to TransPort. Indeed, when you bind the TransPort to an ipv4 address you can't send ipv6 there, and when you bind to an ipv6 address, it is already for ipv6.
Even more, you can't do that: tor-0.2.9 rightfully complains when you add that to TransPort, whereas it is pleased (but it has no effect!) when you specify the option for DNSPort.

P.S.2: You might have noticed the [fe80::10%vnet0] in my torrc, this is not a bug, I am using my patched version that accepts binding to link-local ipv6 addresses. #23819

Change History (14)

comment:1 Changed 21 months ago by Zakhar

Addition:

DNS over ipv6 reliably returns both A and AAAA records:

$ head /etc/tor/torrc
DNSPort [fe80::10%vnet0]:9053
TransPort [fe80::10%vnet0]:9040

(the rest is identical)

$ curl -g -H 'Host: ifconfig.co' http://[2001:470:28:840::cafe:d00d]; echo "dig"; dig ifconfig.co A ifconfig.co AAAA +short;
2a02:c207:3002:267::1
dig
188.113.88.193
2001:470:28:840::cafe:d00d

$ !!
2001:67c:2608::1
dig
188.113.88.193
2001:470:28:840::cafe:d00d

$ !!
2a00:1dc0:caff:8b::5b9a
dig
188.113.88.193
2001:470:28:840::cafe:d00d

$ !!
ifconfig.co AAAA +short;
2001:bc8:4700:2300::1:a07
dig
188.113.88.193
2001:470:28:840::cafe:d00d

... of course the command does not show our external ipv4 address since we don't have the ipv4 stack anymore.

Unfortunately, the workaround to run DNS over ipv6 in my dual stack is not possible right now due to some limitations in my configuration tools... because indeed that would make things more reliable!

I have also noticed that DNS over ipv6 with tor seems faster... probably it selects newer/faster exit nodes!

comment:2 Changed 21 months ago by nickm

Milestone: Tor: 0.3.4.x-final

comment:3 Changed 21 months ago by nickm

Component: - Select a component → Core Tor/Tor

comment:4 Changed 21 months ago by teor

Keywords: ipv6 tor-client tor-exit tor-dns added; DNS AAAA removed
Parent ID: #21311

This could be a duplicate of #21311: we need to find out if the exits that don't return IPv6 addresses:

  • have a DNS server that fails to return AAAA records,
  • fail to ask for AAAA records, or
  • fail to return AAAA records to clients.

comment:5 Changed 21 months ago by Zakhar

Yes, it is possibly a duplicate, although this does not "ask as much". #21311 asks for AAAA always.

It could be perfectly reasonable to have "optimizations" so that when an exit knows a client will never need ipv6, not to return any AAAA records.

But when the client configured its torrc like that:

DNSPort 172.16.0.1:9053 IPv6Traffic
TransPort [fe80::10%vnet0]:9040
ClientUseIPv6 1

... the exit nodes should avoid optimizing out AAAA, because it becomes quite obvious the client intends to use ipv6 at some point in time!

But since this does not ask as much as #21311, "Mark as duplicate" is fine with me since solving #21311 will close that ticket too.

comment:6 Changed 20 months ago by cypherpunks

Parent ID: #21311 → #24968

comment:7 Changed 20 months ago by teor

Parent ID: #24968

comment:8 Changed 18 months ago by nickm

Keywords: 034-triage-20180328 added

comment:9 Changed 18 months ago by nickm

Keywords: 034-removed-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

comment:10 Changed 18 months ago by nickm

Milestone: Tor: 0.3.4.x-final → Tor: unspecified

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.

comment:11 Changed 6 months ago by cypherpunks

Cc: cypherpunks added

comment:12 Changed 6 months ago by cypherpunks

AAAA results are still unreliable for dualstack domains.

comment:13 Changed 3 months ago by cypherpunks

It is still an issue since AAAA are supported. Many exits give you NXDOMAIN by mistake.
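The measurement the reporter did by hand in the description (repeated dig queries through the Tor DNSPort with a NEWNYM between them) and the outcomes discussed in comment:4 (exit never asks for or never returns AAAA) and comment:13 (exits answering NXDOMAIN) can be automated with the script below. It is an added example, not code from this ticket or from Tor itself, and uses only the Python standard library. The DNSPort address 172.16.0.1:9053 is the one from the reporter's torrc; the control port 127.0.0.1:9051, password authentication, the query name ifconfig.co and the sample responses used in the offline demo are assumptions constructed for this example.

```python
"""Measure how reliably a Tor DNSPort answers AAAA queries across circuits.

Added example (not part of the ticket or of Tor). Assumes a Tor DNSPort on
172.16.0.1:9053 (from the reporter's torrc) and a ControlPort on
127.0.0.1:9051 with password auth for NEWNYM; both are assumptions.
"""
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def _encode_name(name):
    """Encode a dotted name as DNS labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query (RD=1) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return (rcode_name, {'A': [...], 'AAAA': [...]}) from a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE_NAMES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    addrs = {"A": [], "AAAA": []}
    for _ in range(an):                            # walk the answer section
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs["A"].append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addrs["AAAA"].append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs


def classify(rcode, addrs):
    """Bucket one AAAA answer into the outcomes discussed in the ticket."""
    if rcode == "NXDOMAIN":
        return "nxdomain"                          # comment:13 behaviour
    if rcode != "NOERROR":
        return "error"
    return "aaaa" if addrs["AAAA"] else "empty"    # NOERROR but no AAAA RR


def tally(outcomes):
    """Count outcomes over many circuits (one entry per NEWNYM rotation)."""
    counts = {"aaaa": 0, "empty": 0, "nxdomain": 0, "error": 0}
    for o in outcomes:
        counts[o] += 1
    return counts


def query_once(name, qtype, dns_addr=("172.16.0.1", 9053), timeout=10.0):
    """Send one UDP query to the Tor DNSPort and parse the answer."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, dns_addr)
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def newnym(control_addr=("127.0.0.1", 9051), password=""):
    """Ask the control port for fresh circuits (assumed password auth)."""
    with socket.create_connection(control_addr, timeout=10) as c:
        c.sendall(('AUTHENTICATE "%s"\r\nSIGNAL NEWNYM\r\n' % password).encode())
        return c.recv(1024).decode()


def build_response(txid, rcode, name, qtype, rrs):
    """Constructed sample response for offline use; rrs = [(rtype, ip)]."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(rrs), 0, 0)
    body = _encode_name(name) + struct.pack("!HH", qtype, 1)
    for rtype, ip in rrs:
        fam = socket.AF_INET if rtype == QTYPE_A else socket.AF_INET6
        rdata = socket.inet_pton(fam, ip)
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return hdr + body


if __name__ == "__main__":
    # Offline demo on constructed responses mirroring the ticket's outcomes.
    samples = [
        build_response(1, 0, "ifconfig.co", QTYPE_AAAA,
                       [(QTYPE_AAAA, "2001:470:28:840::cafe:d00d")]),
        build_response(1, 0, "ifconfig.co", QTYPE_AAAA, []),
        build_response(1, 3, "ifconfig.co", QTYPE_AAAA, []),
    ]
    print(tally(classify(*parse_response(m)) for m in samples))
```

For a live measurement, loop over `query_once("ifconfig.co", QTYPE_AAAA)`, feed `classify` into `tally`, and call `newnym()` between iterations with a sleep of at least ten seconds, since tor rate-limits NEWNYM. A high "empty" or "nxdomain" count across rotations is the unreliability the ticket describes; attributing it to the exit's resolver versus the exit itself (the distinction in comment:4) needs the exit-side view and cannot be decided from the client alone.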

comment:14 Changed 4 weeks ago by teor

Parent ID: #26664