Opened 6 months ago

Last modified 5 months ago

#34135 new enhancement

Feature suggestion: SOCKS5 internal DNS resolver.

Reported by: pcr
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

There are many programs that forward DNS requests over SOCKS5 proxies; to work with Tor, most of them send the queries in TCP format.

But they cannot use the DNS of Tor relays; they can only send to an external DNS server, which disables access to .onion sites.

That's why a virtual DNS server in the Tor SOCKS5 server would be useful, so these programs can use the relays' DNS and handle .onion queries.

Another case is transparent forwarders that use an upstream SOCKS5 address; DNS should be provided by a program like those above or by a DNS-over-TCP scheme (available in the Linux GLIBC since 2015, see https://web.archive.org/web/20150518063349/http://man7.org:80/linux/man-pages/man5/resolv.conf.5.html).

By adding the option "use-vc" to the Linux /etc/resolv.conf file, DNS queries can be done over the transparent proxy using external DNS servers, BUT NOT the DNS of Tor relays, and it cannot resolve .onion sites.

For these cases a virtual DNS resolver in the Tor SOCKS port would be useful; it can be TCP only (not UDP).

This is for DNS forwarders that use SOCKS proxies, and provide DNS in TCP mode to environments over transparent proxies.

The virtual addresses could be 224.0.0.1 for IPv4 and [2001:db8::1] for IPv6.
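
The forwarding path the description refers to, as an added example that is not part of the ticket or of Tor's code: the bytes a DNS forwarder writes to a SOCKS5 port for one DNS-over-TCP lookup. The resolver address 192.0.2.53 and the name placeholder.onion are constructed, and all function names are hypothetical.

```python
import struct

RESOLVER = ("192.0.2.53", 53)  # constructed: documentation-range address, not a real resolver

def socks5_connect_ipv4(ip, port):
    """SOCKS5 CONNECT request (RFC 1928): VER=5, CMD=1, RSV=0, ATYP=1 (IPv4)."""
    return b"\x05\x01\x00\x01" + bytes(int(o) for o in ip.split(".")) + struct.pack("!H", port)

def dns_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035): header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_frame(data):
    """Return (qname, qtype) from one framed query; reject short or truncated input."""
    if len(data) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", data[:2])
    msg = data[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS message")
    labels, i = [], 12  # the question section starts after the 12-byte header
    while i < len(msg) and msg[i] != 0:
        n = msg[i]
        if n > 63 or i + 1 + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if i + 5 > len(msg):
        raise ValueError("question section cut short")
    (qtype,) = struct.unpack("!H", msg[i + 1:i + 3])
    return ".".join(labels), qtype

def client_writes(name):
    """Bytes the forwarder writes to the SOCKS port, in order (server replies omitted)."""
    return [b"\x05\x01\x00",                 # greeting: offer "no authentication"
            socks5_connect_ipv4(*RESOLVER),  # the proxy is asked only to open TCP to resolver:53
            tcp_frame(dns_query(name))]      # stream payload, answered by RESOLVER

if __name__ == "__main__":
    for step in client_writes("placeholder.onion"):  # constructed name
        print(step.hex())
```

The query name travels only inside the stream payload, so it is the external resolver that answers it, which is why a .onion name sent this way does not resolve.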

Change History (4)

comment:1 Changed 6 months ago by cypherpunks

Why not use the existing DNSPort? It supports both UDP queries and onion virtual address mapped responses.

comment:2 Changed 6 months ago by pcr

This option would be useful for containers and Docker.

A SOCKS5 Unix socket could be created by Tor, converted into a listening port by a port forwarder (HAProxy or Pen), and so could provide DNS to the container with a SOCKS5 DNS forwarder.

comment:3 Changed 6 months ago by ϲypherpunks

Did you try this #34004 dnsresolver patch?

comment:4 Changed 5 months ago by anarcat

Component: Internal Services → Core Tor/Tor

Not sure where this belongs, but I assume it's not for the sysadmin team.
