Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#2765 closed defect (invalid)

Wrong source port for dns replies when query is sent to an alias interface

Reported by: soma Owned by:
Priority: Medium Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor Version: Tor: 0.2.2.22-alpha
Severity: Keywords: alias dns dnsport source tor-client
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I just found a bug with the internal Tor DNS server. It seems to be present in 0.2.2.22-alpha (on OpenWrt) as well as on 0.2.1.29 (Debian squeeze).

PC A - this is where tor runs with a minimal default config:

SocksPort 9050
SocksListenAddress 127.0.0.1
DNSPort 9053
DNSListenAddress 0.0.0.0

There are two IPs set up on eth0:

eth0:

inet 192.168.0.135/24 brd 192.168.0.255 scope global eth0
inet 192.168.22.1/24 scope global eth0

And port 53 is redirected to 9053:

iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 9053

PC B - the client, also has two IPs assigned.

br0:

inet 192.168.0.30/24 brd 192.168.0.255 scope global br0
inet 192.168.22.2/24 scope global br0

From the client I did nslookups on PC1 against the two different IPs:

$ nslookup heise.de 192.168.0.135
Server: 192.168.0.135
Address: 192.168.0.135#53
Non-authoritative answer:
Name: heise.de
Address: 193.99.144.80

$ nslookup heise.de 192.168.22.1
;; reply from unexpected source: 192.168.22.1#9053, expected 192.168.22.1#53

So it's quite clear: Tor sends from the wrong source port when I ask for a DNS lookup on the alias IP, which can also be seen in the tcpdump output:

05:16:30.689341 IP 192.168.0.30.51175 > 192.168.0.135.53: 39142+ A? heise.de. (26)
05:16:30.689874 IP 192.168.0.135.53 > 192.168.0.30.51175: 39142 1/0/0 A 193.99.144.80 (42)
05:16:45.430093 IP 192.168.22.2.51321 > 192.168.22.1.53: 16078+ A? heise.de. (26)
05:16:45.430513 IP 192.168.22.1.9053 > 192.168.22.2.51321: UDP, length 42
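As an added illustration (not code from the ticket or from Tor), the check below reproduces what the stub resolver did with the two replies above: it only accepts a reply that arrives from the exact endpoint the query was sent to, carries the same transaction ID, and echoes the question; anything else is discarded rather than trusted, which is the spoofing defence behind the "reply from unexpected source" error. The packets are constructed here from the addresses and IDs in the tcpdump output; the builders are simplified (one A/IN question, one A answer with a name pointer) and are assumptions, not Tor's or nslookup's code.

```python
import struct

def build_query(txid, name):
    """Constructed DNS query: 12-byte header (RD set) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def build_answer(query, ip):
    """Constructed reply: echoes the question, adds one A record (TTL 60) via a name pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + query[12:] + rr

def check_reply(expected_src, query, reply_src, reply):
    """Validate a UDP reply the way a stub resolver does.

    expected_src / reply_src are (ip, port) tuples. Returns (True, answer_ip)
    or (False, reason). The source check comes first: an answer from any other
    address or port is dropped unread, which is what the alias-IP lookup hit.
    """
    if reply_src != expected_src:
        return False, "reply from unexpected source %s#%d, expected %s#%d" % (reply_src + expected_src)
    if len(reply) < 12:
        return False, "truncated header"
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", reply[:8])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set (not a response)"
    if flags & 0x000F:
        return False, "rcode %d" % (flags & 0x000F)
    question = query[12:]
    if qdcount != 1 or reply[12:12 + len(question)] != question:
        return False, "question section does not match the query"
    if ancount < 1:
        return False, "no answer records"
    # First RR: 2-byte name pointer, then type, class, ttl, rdlength, rdata.
    off = 12 + len(question)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off + 2:off + 12])
    rdata = reply[off + 12:off + 12 + rdlen]
    if (rtype, rclass, rdlen) != (1, 1, 4) or len(rdata) != 4:
        return False, "first answer is not an A record"
    return True, ".".join(str(b) for b in rdata)
```

The constructed query and reply come out at 26 and 42 bytes, the same sizes tcpdump printed for the real packets above.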

Change History (4)

comment:1 Changed 9 years ago by nickm

Component: - Select a component → Tor Client
Milestone: Tor: 0.2.2.x-final

comment:2 Changed 9 years ago by rransom

Resolution: invalid
Status: new → closed

That's a problem with your iptables configuration, not with Tor. Even if Tor could know that your DNS client will only accept a reply from port 53, Tor has no way to send a reply from that port.

Set your DNSPort to 53, start Tor as root, and use the User torrc option to make Tor drop privileges after it has opened the sockets it needs.

comment:3 Changed 7 years ago by nickm

Keywords: tor-client added

comment:4 Changed 7 years ago by nickm

Component: Tor Client → Tor