Changes between Version 6 and Version 7 of doc/TorDNSExitList


Timestamp:
Apr 23, 2010, 4:49:13 AM (9 years ago)
Author:
trac
Comment:

--

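--- a/doc/TorDNSExitList
+++ b/doc/TorDNSExitList
@@ -1,9 +1,11 @@
 = Introduction =
 
-It is useful for a variety of reasons to determine if a connection is coming from a Tor node.  Early attempts to determine if a given IP address was a Tor node used the directory to match IP addresses and exit policies.  This approach had a number of drawbacks, including false negatives when a Tor router exits traffic from a different IP address than its OR port listens on.  A [http://tor.eff.org/svn/trunk/doc/contrib/torel-design.txt A Tor DNS-based Exit List] was designed to overcome these problems and provide a simple interface for answering the question: is this a Tor exit?
+It is useful for a variety of reasons to determine if a connection is coming from a Tor node.  Early attempts to determine if a given IP address was a Tor exit used the directory to match IP addresses and exit policies.  This approach had a number of drawbacks, including false negatives when a Tor router exits traffic from a different IP address than its OR port listens on.  The [http://tor.eff.org/svn/trunk/doc/contrib/torel-design.txt Tor DNS-based Exit List] was designed to overcome these problems and provide a simple interface for answering the question: is this a Tor exit?
 
 = Implementation =
 
 An implementation of the Tor DNS Exit List has been completed at [http://exitlist.torproject.org/ exitlist.torproject.org].  DNS queries are answered via this host in the manner described in the design document.  The exit nodes are tested regularly to avoid the false negatives when inspecting the directory entries alone.
+
+A web front end for this service is available at [http://check.torproject.org/ check.torproject.org].
 
 = Examples =
@@ -24,6 +26,6 @@
 
 function revaddr ($ip) {
-  list($a, $b, $c, $d) = split ("[.]", $ip);
-  return ("${d}.${c}.${b}.${a}");
+  list($a, $b, $c, $d) = split("[.]", $ip);
+  return("${d}.${c}.${b}.${a}");
 }
 
@@ -36,5 +38,5 @@
 function torel_check ($ip, $port, $destip) {
   $ndr = new Net_DNS_Resolver();
-  $qh = torel_qh ($ip, $port, $destip);
+  $qh = torel_qh($ip, $port, $destip);
 
   // uncomment these two lines to query the server directly...
@@ -48,5 +50,5 @@
 
   // perform DNS query
-  if (! $pkt = $ndr->search ($qh)) {
+  if (! $pkt = $ndr->search($qh)) {
     if (strcmp($ndr->errorstring, "NXDOMAIN") == 0) {
       // response but no answer.  does not appear to be Tor exit.
@@ -54,13 +56,13 @@
     }
     // search failed: no response or other problem...
-    return (-1);
+    return(-1);
   }
-  if (! isset ($pkt->answer[0])) {
+  if (! isset($pkt->answer[0])) {
     // response but no answer section.  does not appear to be Tor exit.
     // (this should only happen when authority sections are provided without answer)
-    return (0);
+    return(0);
   }
   // is Tor exit
-  return (1);
+  return(1);
 }
 
@@ -71,5 +73,5 @@
 if (isset ($_SERVER["SERVER_PORT"])) { $myport = $_SERVER["SERVER_PORT"]; }
 
-$istor = torel_check ($ip, $myport, $myip);
+$istor = torel_check($ip, $myport, $myip);
 
 // use $istor as needed for altering page behavior:
@@ -85,5 +87,100 @@
 }}}
 
-An example implementation of this interface is available at [http://peertech.org/torel/ peertech.org/torel/].
+
+== Perl Net::DNS ==
+
+You will need the [http://www.net-dns.org/ Net::DNS module] and its dependencies for this to work properly.
+{{{
+#!/usr/local/bin/perl
+
+use strict;
+use warnings;
+
+# query_exitlist($srcip, $dstip, $dstport) queries the Tor DNS Exit List server.
+#   The result of the query is one of the following:
+#     undef : DNS lookup failed or an unexpected response was received.
+#         0 : $srcip does not appear to be a Tor exit.
+#         1 : $srcip is a known Tor exit for the provided destination IP / port.
+
+use Getopt::Long;
+use Net::DNS::Resolver;
+
+# Construct a DNSEL query from a source address and destination address/port.
+# IP addresses should be in dotted-decimal notation.
+sub build_query {
+  my ($srcip, $dstip, $dstport) = @_;
+
+  # reverse address octets
+  ($srcip, $dstip) = map { join '.', reverse split /\./ } $srcip, $dstip;
+
+  "$srcip.$dstport.$dstip.ip-port.exitlist.torproject.org.";
+}
+
+sub query_exitlist {
+  my ($srcip, $dstip, $dstport) = @_;
+
+  my $res = Net::DNS::Resolver->new;
+
+  # uncomment this line to query the server directly...
+  #$res->nameservers("exitlist-ns.torproject.org");
+
+  # tune DNS params accordingly.  this is just my preference.
+  $res->retrans(2);
+  $res->retry(3);
+  $res->usevc(0);
+
+  # perform DNS query
+  if (defined(my $pkt = $res->send(build_query $srcip, $dstip, $dstport))) {
+    if (grep $_->type eq 'A', $pkt->answer) {
+      # an A record was returned: this is a Tor exit node
+      return 1;
+    } elsif ($pkt->header->rcode eq 'NXDOMAIN') {
+      # NXDOMAIN: this is not a Tor exit node
+      return 0;
+    }
+  }
+
+  # the DNS query failed or something unexpected was returned
+  return undef;
+}
+
+# defaults, get options...
+my $srcip = "82.227.101.236";
+my $dstip = "1.2.3.4";
+my $dstport = 80;
+my $pstatus = GetOptions(
+ "srcip=s"   => \$srcip,
+ "dstip=s"   => \$dstip,
+ "dstport=i" => \$dstport
+);
+
+$| = 1;
+# perform the lookup...
+print "Querying Tor DNS Exit List for IP $srcip to destination $dstip at port $dstport ... ";
+my $result = query_exitlist $srcip, $dstip, $dstport;
+print "Done.\n";
+
+if ($result) {
+  print "$srcip is a known Tor exit to $dstip at port $dstport.\n";
+} elsif (defined $result) {
+  print "$srcip does not appear to be a Tor exit.\n";
+} else {
+  print "DNS query failed or an unexpected DNS response was received.\n";
+  exit 1;
+}
+}}}
+
+Invocation:
+{{{
+# using defaults
+torelcheck.pl
+Querying Tor DNS Exit List for IP 82.227.101.236 to destination 1.2.3.4 at port 80 ... Done.
+82.227.101.236 is a known Tor exit to 1.2.3.4 at port 80.
+
+# using explicit check
+torelcheck.pl --srcip 71.111.92.174 --dstip 66.135.40.74 --dstport 80
+Querying Tor DNS Exit List for IP 71.111.92.174 to destination 66.135.40.74 at port 80 ... Done.
+71.111.92.174 does not appear to be a Tor exit.
+}}}
 
 == Dig command line ==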
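Review bot: In the new query_exitlist, `if (grep $_->type eq 'A', $pkt->answer)` treats any A record as a positive result, so an upstream resolver that rewrites NXDOMAIN into a synthesized A record would classify every queried source address as a Tor exit; the PHP torel_check earlier in the page has the same gap with its `isset($pkt->answer[0])` test. The Perl version can instead compare the record data with the fixed positive-answer address given in the design document (127.0.0.2, to be confirmed against torel-design.txt), e.g. `if (grep { $_->type eq 'A' && $_->address eq '127.0.0.2' } $pkt->answer) {`, and treat any other answer as the "unexpected response" case the comment block already describes. Separately, `return undef;` at the end of query_exitlist yields a one-element list in list context; a bare `return;` gives undef in scalar context and an empty list otherwise, which matches the documented contract. build_query also performs no validation of its dotted-quad inputs, so a malformed --srcip or --dstip produces a malformed query name rather than an error; an anchored check on each address before the reverse would make that failure explicit.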