Opened 7 years ago

Last modified 12 months ago

#5751 new project

Standardize SOCKS extensions to support proxied DNS queries

Reported by: rransom
Owned by:
Priority: Medium
Milestone:
Component: Company
Version:
Severity: Normal
Keywords:
Cc: nickm, nord-stream@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor supports anonymous DNS resolution through its SocksPort, but no application (except the tor-resolve utility shipped with Tor) uses that feature, probably because it's not an IETF standard. Perhaps that should be changed.

This will probably involve designing a new DNS-resolution SOCKS command and implementing it in Tor; Tor's current SOCKS commands are not likely to be accepted as a standard (even if they're renumbered) because they do not support most of DNS's new and interesting features.
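For reference, the existing non-standard mechanism the ticket describes is Tor's SOCKS5 RESOLVE extension (command 0xF0, with 0xF1 for reverse lookups), which tor-resolve speaks to the SocksPort. The following is an added example written for this page, not code from Tor or from the ticket's participants: it builds the RESOLVE request, parses the reply, and assumes a local SocksPort on 127.0.0.1:9050 for the live helper.

```python
import socket
import struct

# Tor's SOCKS5 extension commands (documented in Tor's socks-extensions spec).
CMD_RESOLVE = 0xF0      # forward lookup: hostname -> IPv4/IPv6, resolved over Tor
CMD_RESOLVE_PTR = 0xF1  # reverse lookup: IP address -> hostname
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_resolve_request(name: str, cmd: int = CMD_RESOLVE) -> bytes:
    """SOCKS5 request carrying the name in the domain address field; port is ignored by Tor."""
    host = name.encode("idna")
    if len(host) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    header = struct.pack("!BBBBB", 0x05, cmd, 0x00, ATYP_DOMAIN, len(host))
    return header + host + b"\x00\x00"


def parse_resolve_reply(reply: bytes) -> str:
    """Return the resolved address from a SOCKS5 reply; raise if the proxy reported failure."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = reply[1], reply[3]
    if status != 0x00:
        raise OSError(f"resolve failed, SOCKS status {status:#04x}")
    if atyp == ATYP_IPV4 and len(reply) >= 8:
        return socket.inet_ntop(socket.AF_INET, reply[4:8])
    if atyp == ATYP_IPV6 and len(reply) >= 20:
        return socket.inet_ntop(socket.AF_INET6, reply[4:20])
    if atyp == ATYP_DOMAIN and len(reply) >= 5:  # RESOLVE_PTR answers carry a hostname
        n = reply[4]
        if len(reply) < 5 + n:
            raise ValueError("truncated domain name in reply")
        return reply[5:5 + n].decode("idna")
    raise ValueError(f"unknown or truncated address type {atyp:#04x}")


def tor_resolve(name: str, proxy=("127.0.0.1", 9050), cmd: int = CMD_RESOLVE) -> str:
    """Live query against a local Tor SocksPort (assumed default 9050), like tor-resolve."""
    with socket.create_connection(proxy, timeout=30) as s:
        s.sendall(b"\x05\x01\x00")  # method negotiation: offer "no authentication" only
        if s.recv(2) != b"\x05\x00":
            raise OSError("proxy refused the no-authentication method")
        s.sendall(build_resolve_request(name, cmd))
        return parse_resolve_reply(s.recv(262))  # longest possible SOCKS5 reply
```

Only the request builder and reply parser run offline; `tor_resolve` needs a running Tor client and returns a single address, which is the limitation the ticket is about.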

Child Tickets

Change History (5)

comment:1 Changed 7 years ago by nickm

Interesting idea. What working group has SOCKS under its purview?

One other possibility is that this will be attacked, on the theory that "that's not what SOCKS is for". So we'll need to make the argument that proxying a DNS request is something that SOCKS ought to be handling.

You're right about how we'll get opposed because our current thing doesn't support all of DNS. One challenge there is that if we support all of DNS, we might as well just open a DNS port. If we do all of DNS over socks, applications would need to implement their own DNS resolvers, and DNS is an annoyingly easy format to get wrong.

So IMO we'll need to make a case that something less than full DNS is useful and necessary here.

comment:2 in reply to: 1 Changed 7 years ago by rransom

Owner: phobos deleted
Status: new → assigned

Replying to nickm:

> Interesting idea. What working group has SOCKS under its purview?

I have no idea. There may not be one currently.

> One other possibility is that this will be attacked, on the theory that "that's not what SOCKS is for". So we'll need to make the argument that proxying a DNS request is something that SOCKS ought to be handling.

Local SOCKS proxies have become a popular way to direct an application's outgoing connections through another computer without altering system-wide network configuration. Some applications (such as XMPP clients) need to perform custom DNS queries before they can decide what address and/or port to connect to. If the local computer's DNS resolver is misconfigured or broken, applications should be able to ask a proxy to handle DNS queries for them.

(And I've already given an example that Tor doesn't support yet...)

Some applications need to find out what IP address their proxy will connect them to when given a particular hostname.

> You're right about how we'll get opposed because our current thing doesn't support all of DNS. One challenge there is that if we support all of DNS, we might as well just open a DNS port. If we do all of DNS over socks, applications would need to implement their own DNS resolvers, and DNS is an annoyingly easy format to get wrong.

Even if Tor supports all of DNS over SOCKS, that's better for XMPP clients and web browsers that are configured to use Tor as their SOCKS proxy than a separate DNS port (which would need to be configured as the system resolver in order to make applications use it).

I don't know which DNS queries (or replies) would be most useful in a DNS subset yet.

comment:3 Changed 2 years ago by nord-stream

Cc: nord-stream@… added
Severity: Blocker

comment:4 Changed 2 years ago by nord-stream

Severity: Blocker → Normal

comment:5 Changed 12 months ago by teor

Status: assigned → new

Mark all tickets that are assigned to nobody as "new".
