Opened 8 months ago

Last modified 8 months ago

#28706 new defect

Maybe implement resolving destination domain using Tor's RESOLVE and ADDRMAP events

Reported by: juga Owned by:
Priority: Medium Milestone: sbws: unspecified
Component: Core Tor/sbws Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

In #28458 the domain of the destination was being resolved locally to check whether and exit policy allows to exit to the IP, which had 2 problems:

  • in the case that the destination is a CDN, the IP resolved locally would be different to the IP resolved by the exit.
  • it was returning the first IP found, without checking whether the scanner supported IPv6.

The correct way would be to resolve the domain via Tor itself using RESOLVE and ADDRMAP events with that exit.
While there are not too many circuits that fails (because the policy doesn't allow to exit to the destination IP), this is not a priority

Child Tickets

Change History (2)

comment:1 Changed 8 months ago by juga

Component: Core Tor/TorCore Tor/sbws

Component is sbws

comment:2 Changed 8 months ago by teor

This change might slow down sbws, because it adds an extra step for each exit connection.
Maybe we should just let tor exits do DNS resolution?

If we do get a lot of failures, we will need to make sure that the failure reason is EXITPOLICY. Otherwise this change won't work.

It might be easier and more reliable to implement #28463, or just use failed exits as entries if their failure rate is too high.

Note: See TracTickets for help on using tickets.