Opened 12 years ago

Closed 5 months ago

#697 closed defect (wontfix)

Wrong DNS configuration could break navigation

Reported by: amis Owned by:
Priority: Low Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: dns tor-relay design-needed
Cc: amis, nickm, arma, Sebastian Actual Points:
Parent ID: Points: 5
Reviewer: Sponsor:

Description (last modified by nickm)

On (add new version on reported version please),


i've received one email who alert me.

One user have received OpenDNS pages when he is using tor.

OpenDNS is a company who resolve DNS for the others giving them filtering, security, ads, but no privacy.

It appears that some nodes resolving DNS seems to have wrong DNS configured, blocking navigation.

If one router making dns resolution is misconfigured it could break navigation of others.

I think a DNS control need probably to be added making theses routers down.

Perhaps using a downloadable list for phishing.

From: d
Date: 2008/6/10 04:22
Subject: Tor exit node policy

I was browsing a phishing site using Tor recently and instead of the phish I saw an OpenDNS warning page (and apparently no way to bypass it). Yours was one of the exit nodes that was part of my Tor connection at the time.

I wasn't able to identify exactly which exit node it was.

Do you have Phish Filtering set up on your exit node, and if so is this a deliberate policy? I work in antiphishing and use Tor for some phish sites.
Thank you,


[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (7)

comment:1 Changed 12 years ago by arma

I think this is ultimately something that Torflow / SoaT should be

Unless you think we should take the more active step of detecting if
we're using opendns's servers in our resolv.conf and then switching our
exit policy to reject *:*? That seems a bit extreme, but if our current
plan is to have SoaT detect it and have the directory authorities mark
it as a BadExit, we might as well take the more direct approach.

comment:2 Changed 12 years ago by nickm

Perhaps we could detect opendns nameservers and warn the relay operator loudly that
they need to take extra care to disable all the dumb opendns breakage in order to
get real DNS.

comment:3 Changed 10 years ago by nickm

Description: modified (diff)
Keywords: dns added
Milestone: post 0.2.1.xTor: unspecified

We already check for DNS hijacking, but not for "I guess you don't really want to visit that site" hijacking. I guess what we'd want here is some kind of map from DNS providers to recommendations about how to tell them to give you the real answers to your questions, plus an alert that you seem to be using such a DNS provider. (We can't just do a test probe, since there is no such thing as an address that will always be a hijacked phishing address.)

Since the original bug was posted, the number of 3rd-party DNS providers that filter their results for anti-phishing purposes has grown. This isn't an small task.

comment:4 Changed 8 years ago by nickm

Keywords: tor-relay added

comment:5 Changed 8 years ago by nickm

Component: Tor RelayTor

comment:6 Changed 3 years ago by nickm

Cc: amis,nickm,arma,Sebastianamis, nickm, arma, Sebastian
Keywords: design-needed added
Points: 5
Severity: Normal

comment:7 Changed 5 months ago by nickm

Resolution: Nonewontfix
Status: newclosed

We've gotten some of this handled through relay education and badexits, and we still check for DNS hijacking. Those are probably the way to go for future developments here.

Note: See TracTickets for help on using tickets.