Opened 4 months ago

Last modified 4 months ago

#30796 new defect

ClientDNSRejectInternalAddresses interferes with ClientRejectInternalAddresses=1

Reported by: smherwig
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.4.0.5
Severity: Normal
Keywords: ClientDNSRejectInternalAddresses, ClientRejectInternalAddresses
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm using tor-0.4.05.

In the onion proxy's torrc, I set

ClientRejectInternalAddresses 0
MapAddress 127.0.0.1 127.0.0.1.FINGERPRINT.exit
MapAddress localhost localhost.FINGERPRINT.exit
UseMicrodescriptors 0

and on my exit node:

ExitRelay 1
ExitRelayRejectPrivate 0
ExitPolicy accept private:8080-8090
ExitPolicy reject *:*

If I then issue a request through the OP to get a page served by a webserver running locally on the exit node

curl --socks4 127.0.0.1:9050 http://127.0.0.1:8080/index.html

the OP's socks server says the connection is not permitted. Specifically, core/or/relay.c:1347 denies the connection and logs "connection_edge_process_relay_cell_not_open(0: ...but it claims the IP address was 127.0.0.1".

Also note that per the tor.1 manpage, and more specifically, enforced in app/config/config.c:4420, ClientDNSRejectInternalAddresses cannot be set to 0 when using the production Tor network.

In other words, the enforcement of ClientDNSRejectInternalAddresses is being applied when no DNS request is actually made, and, moreover, interferes with the ClientRejectInternalAddresses and MapAddress configuration.
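
Added example, not part of the ticket or of Tor's code: a small torrc check that flags the option combination this report describes, so an operator can spot it before debugging a refused SOCKS request. It assumes the behaviour is as the reporter states and that both options default to 1; `find_conflicts`, `exit_host` and `is_internal` are hypothetical helper names.

```python
import ipaddress

# Assumed defaults: both options are 1 unless the torrc overrides them.
DEFAULTS = {"clientrejectinternaladdresses": "1",
            "clientdnsrejectinternaladdresses": "1"}

def is_internal(host):
    """True for 'localhost' or a loopback/private/link-local IP literal."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; this check does not resolve names
    return ip.is_loopback or ip.is_private or ip.is_link_local

def exit_host(target):
    """Return the host part of 'host.FINGERPRINT.exit', or None."""
    parts = target.split(".")
    if len(parts) < 3 or parts[-1].lower() != "exit":
        return None
    return ".".join(parts[:-2])

def find_conflicts(torrc_text):
    """List MapAddress targets hit by the conflict reported in this ticket."""
    opts, maps = dict(DEFAULTS), []
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2:
            continue
        key = fields[0].lower()
        if key == "mapaddress" and len(fields) >= 3:
            maps.append(fields[2])
        else:
            opts[key] = fields[1]
    if opts["clientrejectinternaladdresses"] != "0":
        return []  # internal addresses are not allowed at all; no conflict
    if opts["clientdnsrejectinternaladdresses"] == "0":
        return []  # cannot be 0 on the production network, per the ticket
    return [t for t in maps if is_internal(exit_host(t) or "")]

# Constructed sample: the onion proxy torrc from the ticket description.
SAMPLE = """\
ClientRejectInternalAddresses 0
MapAddress 127.0.0.1 127.0.0.1.FINGERPRINT.exit
MapAddress localhost localhost.FINGERPRINT.exit
UseMicrodescriptors 0
"""

if __name__ == "__main__":
    for target in find_conflicts(SAMPLE):
        print("internal .exit target affected:", target)
```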

Change History (1)

comment:1 Changed 4 months ago by teor

Component: Core Tor → Core Tor/Tor
Milestone: Tor: unspecified

Hi, can you tell us if this is a new bug in tor 0.4.0.5?
Does it also happen in tor 0.2.9, our earliest supported version?
