Opened 5 years ago

Last modified 22 months ago

#9998 new enhancement

resolve "localhost", "host", "hostname" and "host.localdomain" to 127.0.0.1

Reported by: proper
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-client, dns, naming, hosts, easy needs-analysis
Cc: proper
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be useful if Tor would resolve:

  • localhost
  • host
  • hostname
  • host.localdomain

to 127.0.0.1.

For example, webhttrack wants to open http://host:8080/. Why not resolve host to 127.0.0.1? There are also other web interfaces (i2p, yacy, etc.) which may use http://localhost:someport/ etc.

At least Tails and Whonix reached consensus using "host" as hostname (and so forth).

Unless you're seeing any security issues with that, of course.

Change History (10)

comment:1 Changed 5 years ago by nickm

Keywords: tor-relay added

Did you mean for this to happen on the exit node, or elsewhere?

The problem with doing this as the exit node is that there are programs out there that assume that any connection coming from 127.0.0.1 is coming from the local computer, and use that as a kind of rudimentary access control. They assume that connections from 127.0.0.1 are more privileged than those from other IPs. That's why Tor exit nodes block 127.0.0.1 by default, as well as all connections to RFC 1918 networks (and some others).

Can you explain more about the use case here? With this change, what could a user or admin do that would be hard for them to do today?

comment:2 Changed 5 years ago by proper

> Did you mean for this to happen on the exit node, or elsewhere?

Not in the exit node. In the code before DNS resolution. As soon as Tor gets asked "what is the IP of the localhost dns name", reply "127.0.0.1". Not touching any networks.

So if DNS = localhost/hostname/[...] then "instantly reply IP 127.0.0.1" else do what you currently do to use Tor exits to resolve DNS.

> Can you explain more about the use case here?

If you are using Tor as your default system DNS resolver, i.e. Whonix users, Tails users, transparent proxy users, users who made TBB their default browser... When you install for example webhttrack, it installs a start menu entry. Once that start menu entry gets started it instructs the system "use the system's default browser and open http://host:8080/".

This will fail when Tor is used as DNS resolver, because Tor does not know how to resolve "localhost".

But resolving "localhost" would be simple in principle, just resolve it to 127.0.0.1. (Not sure if simple to code.)

Other examples include when you install a webserver (for hidden service). Some instructions recommend to test it using http://localhost. Visiting http://localhost won't work in Tor Browser, because Tor does not know how to resolve localhost. Would be nicer if it would tell Firefox to visit 127.0.0.1 instead.

> With this change, what could a user or admin do that would be hard for them to do today?

It probably isn't that hard to figure out that Tor doesn't know how to resolve "localhost" and to correct those URLs manually. Not having this feature is only a minor disadvantage.

If Tor is capable of being a (system) DNS resolver, shouldn't it be as smart as resolving "localhost" to "127.0.0.1"?

comment:3 Changed 5 years ago by nickm

Keywords: tor-client needs-proposal added; tor-relay removed

Ah, that does sound like a good idea. You could do it with a general hosts file mechanism in the dns client code.

I do worry a bit about cross-site attacks here; do we have somebody with the appropriate expertise that can help us figure those out? In particular, the "visit http://localhost/" thing makes me a bit nervous that there could be somebody using a Tor-enabled web browser to see whether localhost is running a web server, or something like that.
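
Added example, not part of the ticket thread and not Tor's code: a sketch of the client-side short-circuit proposed in comment:2, using the hosts-file style lookup suggested in comment:3. The helper `resolve_local` and the sample hosts text are hypothetical; only exact name matches are answered locally, so a name such as localhost.example.com still takes the normal path through an exit.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the four names from the ticket, hosts-file style. */
static const char SAMPLE[] =
  "# answered locally, never sent to an exit\n"
  "127.0.0.1  localhost host hostname   # short names\n"
  "127.0.0.1\thost.localdomain\n";

/* Case-insensitive token/query match; one trailing dot on q is ignored. */
static int name_eq(const char *t, size_t n, const char *q) {
  size_t qn = strlen(q);
  if (qn && q[qn - 1] == '.') qn--;
  if (n == 0 || qn != n) return 0;
  for (size_t i = 0; i < n; i++)
    if (tolower((unsigned char)t[i]) != tolower((unsigned char)q[i])) return 0;
  return 1;
}

/* Hypothetical helper, not Tor's API. Scans hosts-style text ("ADDR name
 * [name ...]", '#' starts a comment). On an exact name match copies ADDR to
 * out and returns 1 (answer locally); else 0 (resolve via the exit as today). */
int resolve_local(const char *text, const char *query, char *out, size_t outlen) {
  while (*text) {
    const char *end = text + strcspn(text, "#\n");   /* end of line body */
    const char *addr = text + strspn(text, " \t");
    size_t alen = strcspn(addr, " \t#\n");
    for (const char *p = addr + alen; p < end; ) {
      p += strspn(p, " \t");
      size_t n = strcspn(p, " \t#\n");
      if (alen && alen < outlen && name_eq(p, n, query)) {
        memcpy(out, addr, alen);
        out[alen] = '\0';
        return 1;
      }
      p += n;
    }
    text = end + strcspn(end, "\n");                 /* skip any comment */
    if (*text) text++;
  }
  return 0;
}

int main(void) {
  const char *q[] = { "localhost", "HOST.", "localhost.example.com" };
  char a[46];
  for (int i = 0; i < 3; i++)
    printf("%s -> %s\n", q[i], resolve_local(SAMPLE, q[i], a, sizeof a) ? a : "via exit");
}
```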

comment:4 Changed 5 years ago by proper

Thank you for considering and liking my idea.

No idea about the security side. Do you think it's a good idea to cc Mike Perry and Robert Ransom? They're the first two coming to my mind who could know the answer.

comment:5 Changed 5 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.???

comment:6 Changed 5 years ago by proper

Note for me: contacted Mike and Robert by e-mail and asked if they could have a look at this ticket.

comment:7 Changed 2 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:8 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:9 Changed 22 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:10 Changed 22 months ago by nickm

Keywords: dns naming hosts easy needs-analysis added; needs-proposal removed
Severity: Normal