Opened 8 years ago

Last modified 8 months ago

#6228 new enhancement

NSS module for .onion DNS name resolution

Reported by: tux
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Torsocks
Version:
Severity: Normal
Keywords: nss dns usability onion tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


From a usability point of view it'd be great to always have .onion addresses resolved via Tor - system wide, by default. It'd make .onion addresses a first-class citizen in the overall web browsing experience.

The idea is to provide a libnss-tor module to by default always resolve .onion addresses via Tor, with no need for 'torify', proxy configurations within an application etc. Similar to what libnss-mdns does for .local addresses for instance.

Thanks to this I came up with the following setup to achieve the same thing:

  • torrc with 'AutomapHostsOnResolve 1', 'DNSPort 53535' and 'TransPort 9040'
  • dnsmasq with a 'server=/onion/'
  • iptables -t nat -A OUTPUT -p tcp -d -j REDIRECT --to-ports 9040
  • 'nameserver' in /etc/resolv.conf

However, having a libnss-tor for that would remove the iptables/dnsmasq part, which should make it way more convenient for most people. It'd also make the mapaddress option in the torrc obsolete, I think.

Further things to consider:

  • Security implications?
  • Does something like libnss exist for other operating systems, too?

Change History (8)

comment:1 Changed 8 years ago by ioerror

I've tossed this around for a while in various forms. tor-resolve basically does this job if it has automaphosts enabled, I think. One major problem is that once the IP is resolved and mapped to say, - what happens?
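
An added example, not part of the ticket or of any Tor or NSS code: C for the two pieces a libnss-tor lookup would need, namely claiming only .onion names and asking Tor for an address with the SOCKS5 RESOLVE extension command (0xF0), the command tor-resolve uses. The function names are hypothetical, the reply bytes in main() are constructed, and the SOCKS5 method negotiation and socket I/O are assumed to happen around these calls.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Tor's SOCKS5 extension command for name lookups (hypothetical macro name). */
#define TOR_SOCKS5_CMD_RESOLVE 0xF0

/* Return 1 if name ends in ".onion" (case-insensitive, one trailing dot allowed)
 * with at least one character in front; 0 so other NSS sources handle it. */
int is_onion_name(const char *name) {
    static const char suffix[] = ".onion";
    size_t n = strlen(name), i;
    if (n > 0 && name[n - 1] == '.') n--;      /* "example.onion." */
    if (n <= 6) return 0;                      /* shortest match is "x.onion" */
    for (i = 0; i < 6; i++)
        if (tolower((unsigned char)name[n - 6 + i]) != suffix[i]) return 0;
    return 1;
}

/* Build the request sent after method negotiation:
 * VER=5, CMD=0xF0, RSV=0, ATYP=3 (domain name), LEN, NAME, PORT=0.
 * Returns bytes written, or 0 if the name is not .onion or does not fit. */
size_t build_tor_resolve(const char *name, unsigned char *buf, size_t cap) {
    size_t n = strlen(name);
    if (!is_onion_name(name)) return 0;
    if (name[n - 1] == '.') n--;               /* send the name without the dot */
    if (n > 255 || cap < n + 7) return 0;
    buf[0] = 0x05; buf[1] = TOR_SOCKS5_CMD_RESOLVE; buf[2] = 0x00;
    buf[3] = 0x03; buf[4] = (unsigned char)n;
    memcpy(buf + 5, name, n);
    buf[5 + n] = 0x00; buf[6 + n] = 0x00;
    return n + 7;
}

/* Parse the reply: VER=5, REP=0 (success), RSV, ATYP=1, 4 address bytes, 2 port
 * bytes. Copies the IPv4 address and returns 0; returns -1 on short input,
 * a failure code, or any other address type. */
int parse_tor_resolve_reply(const unsigned char *r, size_t len, unsigned char ip4[4]) {
    if (len < 10 || r[0] != 0x05 || r[1] != 0x00 || r[3] != 0x01) return -1;
    memcpy(ip4, r + 4, 4);
    return 0;
}

int main(void) {
    unsigned char req[300], ip[4];
    /* Constructed reply carrying a constructed address, 127.192.0.10. */
    const unsigned char reply[] = {0x05, 0x00, 0x00, 0x01, 127, 192, 0, 10, 0, 0};
    size_t n = build_tor_resolve("example.onion.", req, sizeof req);
    return (n == 20 && parse_tor_resolve_reply(reply, sizeof reply, ip) == 0) ? 0 : 1;
}
```

Names that is_onion_name() rejects never reach Tor, so a module built this way leaves ordinary lookups to the next source in nsswitch.conf.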

comment:2 Changed 8 years ago by nickm

Milestone: Tor: unspecified

comment:3 Changed 8 years ago by nickm

Keywords: tor-hs added

comment:4 Changed 8 years ago by nickm

Component: Tor Hidden Services → Tor

comment:5 Changed 3 years ago by nickm

Component: Core Tor/Tor → Core Tor/Torsocks
Owner: set to dgoulet
Severity: Normal

I think this is a neat idea, but it's more of a new-project thing than a Tor issue: this would be a libnss module enhancement or maybe a tor, not a new part of Tor. Or maybe it would fit into torsocks? Throwing it over there.

comment:6 Changed 17 months ago by gaba

Owner: dgoulet deleted
Status: new → assigned

Releasing some old tickets.

comment:7 Changed 16 months ago by teor

Milestone: Tor: unspecified

comment:8 Changed 8 months ago by teor

Status: assigned → new

Change tickets that are assigned to nobody to "new".
