Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#2765 closed defect (invalid)

Wrong source port for dns replies when query is sent to an alias interface

Reported by: soma
Priority: Medium
Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor
Version: Tor:
Keywords: alias dns dnsport source tor-client


I just found a bug with the internal tor dns server. It seems to be present in (on openwrt) as well as on (debian squeeze).

PC A - this is where tor runs with a minimal default config:

SocksPort 9050
DNSPort 9053

There are two IPs set up on eth0:


inet brd scope global eth0
inet scope global eth0

And port 53 is redirected to 9053:

iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 9053

PC B - the client, which also has two IPs assigned.


inet brd scope global br0
inet scope global br0

From the client I did nslookups on the PC1 to the two different IPs:

$ nslookup
Non-authoritative answer:

$ nslookup
;; reply from unexpected source:, expected

So it's quite clear: Tor sends from the wrong source port when I ask for a DNS lookup on the alias IP, which can also be seen in the tcpdump output:

05:16:30.689341 IP > 39142+ A? (26)
05:16:30.689874 IP > 39142 1/0/0 A (42)
05:16:45.430093 IP > 16078+ A? (26)
05:16:45.430513 IP > UDP, length 42

Change History (4)

comment:1 Changed 9 years ago by nickm

Component: - Select a component → Tor Client
Milestone: Tor: 0.2.2.x-final

comment:2 Changed 9 years ago by rransom

Resolution: invalid
Status: new → closed

That's a problem with your iptables configuration, not with Tor. Even if Tor could know that your DNS client will only accept a reply from port 53, Tor has no way to send a reply from that port.

Set your DNSPort to 53, start Tor as root, and use the User torrc option to make Tor drop privileges after it has opened the sockets it needs.
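The client-side check behind the "reply from unexpected source" message quoted in the report, as an added example (not code from the ticket or from Tor): a stub resolver compares the source address and port of a UDP reply with the address and port it sent the query to, and discards the reply on any mismatch. The loopback sockets, payloads and the function name `query_and_check` are constructed for illustration.

```python
import socket


def query_and_check(reply_from_queried_socket: bool) -> str:
    """Send one datagram to a constructed 'DNS' endpoint on loopback and
    apply the source check a stub resolver performs on the reply."""
    # Endpoint the client believes it is talking to (stands in for ip:53).
    queried = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    queried.bind(("127.0.0.1", 0))
    # A different local port (stands in for a reply leaving from another port).
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    other.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    try:
        expected = queried.getsockname()          # (address, port) that was queried
        client.sendto(b"constructed-query", expected)
        _, peer = queried.recvfrom(512)           # server side learns the client's address

        # The reply leaves either from the queried socket or from the other one.
        sender = queried if reply_from_queried_socket else other
        sender.sendto(b"constructed-reply", peer)

        _, source = client.recvfrom(512)
        # UDP has no connection state: the only binding between query and
        # reply at this layer is that the reply's source equals the query's
        # destination. Address and port are compared together.
        if source != expected:
            return "reply from unexpected source: %s#%d, expected %s#%d" % (
                source + expected)
        return "accepted"
    finally:
        for s in (queried, other, client):
            s.close()


if __name__ == "__main__":
    print(query_and_check(True))
    print(query_and_check(False))
```

The same comparison rejects a reply whose source address differs from the queried one, since the address is part of the tuple being compared.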

comment:3 Changed 8 years ago by nickm

Keywords: tor-client added

comment:4 Changed 8 years ago by nickm

Component: Tor Client → Tor