Changes between Version 8 and Version 9 of doc/TorDNSExitList


Timestamp:
Apr 23, 2010, 4:49:13 AM
Author:
trac
Comment:

--

  • doc/TorDNSExitList

    v8 v9  
    11= Introduction =
    22
    3 It is useful for a variety of reasons to determine if a connection is coming from a Tor node.  Early attempts to determine if a given IP address was a Tor exit used the directory to match IP addresses and exit policies.  This approach had a number of drawbacks, including false negatives when a Tor router exits traffic from a different IP address than its OR port listens on.  The [https://www.torproject.org/svn/trunk/doc/contrib/torel-design.txt Tor DNS-based Exit List] was designed to overcome these problems and provide a simple interface for answering the question: is this a Tor exit?
     3It is useful for a variety of reasons to determine if a connection is coming from a Tor node.  Early attempts to determine if a given IP address was a Tor exit used the directory to match IP addresses and exit policies.  This approach had a number of drawbacks, including false negatives when a Tor router exits traffic from a different IP address than its OR port listens on.  The [http://tor.eff.org/svn/trunk/doc/contrib/torel-design.txt Tor DNS-based Exit List] was designed to overcome these problems and provide a simple interface for answering the question: is this a Tor exit?
    44
    55= Implementation =
    66
    77An implementation of the Tor DNS Exit List has been completed at [http://exitlist.torproject.org/ exitlist.torproject.org].  DNS queries are answered via this host in the manner described in the design document.  The exit nodes are tested regularly to avoid the false negatives when inspecting the directory entries alone.
    8 
    9 A web front end for this service is available at [http://check.torproject.org/ check.torproject.org].
    10 
    11 Sources for the tordnsel are available at [http://p56soo2ibjkx23xo.onion/darcs/tordnsel p56soo2ibjkx23xo.onion/darcs/tordnsel].  You can sync with the following commands through an http proxy at port 8118 forwarding to Tor:
    12 {{{
    13 env http_proxy=http://127.0.0.1:8118/
    14 darcs get http://p56soo2ibjkx23xo.onion/darcs/tordnsel
    15 }}}
    16 
    178
    189= Examples =
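Review bot: the only change to line 3 swaps the https://www.torproject.org link for http://tor.eff.org, downgrading a TLS link to plain HTTP on the older host, and the same edit deletes old lines 8-16 (the check.torproject.org web front end and the darcs instructions for fetching the tordnsel sources) without any replacement. Suggest keeping the HTTPS torproject.org URL, and if the source pointer is being retired, stating where the tordnsel sources now live instead of dropping the paragraph.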
     
    3324
    3425function revaddr ($ip) {
    35   list($a, $b, $c, $d) = split("[.]", $ip);
    36   return("${d}.${c}.${b}.${a}");
     26  list($a, $b, $c, $d) = split ("[.]", $ip);
     27  return ("${d}.${c}.${b}.${a}");
    3728}
    3829
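Review bot: revaddr() still uses split("[.]", $ip), the ereg-based function that is deprecated from PHP 5.3 and removed in PHP 7, so this whitespace-only change misses the chance to switch to explode('.', $ip). It also reverses whatever it is handed: anything that is not four dotted-decimal octets (an IPv6 client address, an empty REMOTE_ADDR) yields a malformed query label and a PHP notice from list(), so the address should be validated before the lookup, for example with filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4).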
     
    4536function torel_check ($ip, $port, $destip) {
    4637  $ndr = new Net_DNS_Resolver();
    47   $qh = torel_qh($ip, $port, $destip);
     38  $qh = torel_qh ($ip, $port, $destip);
    4839
    4940  // uncomment these two lines to query the server directly...
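Review bot: the "uncomment these two lines to query the server directly" advice needs a caveat. Pointing Net_DNS_Resolver at the exit list host bypasses the local caching resolver, so every page view becomes a fresh remote UDP query in the request path, and in either configuration the answer is unauthenticated DNS that an on-path attacker can spoof or suppress; $istor should only steer low-risk page behaviour, never an authentication or authorisation decision.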
     
    5748
    5849  // perform DNS query
    59   if (! $pkt = $ndr->search($qh)) {
     50  if (! $pkt = $ndr->search ($qh)) {
    6051    if (strcmp($ndr->errorstring, "NXDOMAIN") == 0) {
    6152      // response but no answer.  does not appear to be Tor exit.
     
    6354    }
    6455    // search failed: no response or other problem...
    65     return(-1);
     56    return (-1);
    6657  }
    67   if (! isset($pkt->answer[0])) {
     58  if (! isset ($pkt->answer[0])) {
    6859    // response but no answer section.  does not appear to be Tor exit.
    6960    // (this should only happen when authority sections are provided without answer)
    70     return(0);
     61    return (0);
    7162  }
    7263  // is Tor exit
    73   return(1);
     64  return (1);
    7465}
    7566
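Review bot: the NXDOMAIN branch (old line 62, new line 53) is not visible in this rendering, so the value returned for the "not a Tor exit" case cannot be reviewed here. The surrounding logic also tells NXDOMAIN apart from other failures only by strcmp() on $ndr->errorstring, and treats any non-empty answer section as "is Tor exit" without looking at the record type, whereas the Perl example removed later in this diff checks `grep $_->type eq 'A', $pkt->answer` and $pkt->header->rcode directly. Suggest checking the rcode and the A record explicitly, and documenting that -1 (lookup failed) is a third outcome that callers must not fold into 0 or 1.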
     
    8071if (isset ($_SERVER["SERVER_PORT"])) { $myport = $_SERVER["SERVER_PORT"]; }
    8172
    82 $istor = torel_check($ip, $myport, $myip);
     73$istor = torel_check ($ip, $myport, $myip);
    8374
    8475// use $istor as needed for altering page behavior:
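Review bot: $myport comes from $_SERVER["SERVER_PORT"] and is sent as the destination port of the query, but behind a TLS-terminating or reverse proxy that is the backend listener port, not the port the client actually connected to, so the exit-policy answer can be for the wrong port; use the externally visible port (and, for $ip, the forwarded client address rather than the proxy's own). The comment "use $istor as needed" should also spell out what the page does on -1: a plain `if ($istor)` treats a failed lookup as a Tor exit, while `$istor == 1` treats it as not Tor, and either choice should be deliberate rather than accidental.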
     
    9485}}}
    9586
    96 
    97 == Perl Net::DNS ==
    98 
    99 You will need the [http://www.net-dns.org/ Net::DNS module] and its dependencies for this to work properly.
    100 {{{
    101 #!/usr/local/bin/perl
    102 
    103 use strict;
    104 use warnings;
    105 
    106 # query_exitlist($srcip, $dstip, $dstport) queries the Tor DNS Exit List server.
    107 #   The result of the query is one of the following:
    108 #     undef : DNS lookup failed or an unexpected response was received.
    109 #         0 : $srcip does not appear to be a Tor exit.
    110 #         1 : $srcip is a known Tor exit for the provided destination IP / port.
    111 
    112 use Getopt::Long;
    113 use Net::DNS::Resolver;
    114 
    115 # Construct a DNSEL query from a source address and destination address/port.
    116 # IP addresses should be in dotted-decimal notation.
    117 sub build_query {
    118   my ($srcip, $dstip, $dstport) = @_;
    119 
    120   # reverse address octets
    121   ($srcip, $dstip) = map { join '.', reverse split /\./ } $srcip, $dstip;
    122 
    123   "$srcip.$dstport.$dstip.ip-port.exitlist.torproject.org.";
    124 }
    125 
    126 sub query_exitlist {
    127   my ($srcip, $dstip, $dstport) = @_;
    128 
    129   my $res = Net::DNS::Resolver->new;
    130 
    131   # uncomment this line to query the server directly...
    132   #$res->nameservers("exitlist-ns.torproject.org");
    133 
    134   # tune DNS params accordingly.  this is just my preference.
    135   $res->retrans(2);
    136   $res->retry(3);
    137   $res->usevc(0);
    138 
    139   # perform DNS query
    140   if (defined(my $pkt = $res->send(build_query $srcip, $dstip, $dstport))) {
    141     if (grep $_->type eq 'A', $pkt->answer) {
    142       # an A record was returned: this is a Tor exit node
    143       return 1;
    144     } elsif ($pkt->header->rcode eq 'NXDOMAIN') {
    145       # NXDOMAIN: this is not a Tor exit node
    146       return 0;
    147     }
    148   }
    149 
    150   # the DNS query failed or something unexpected was returned
    151   return undef;
    152 }
    153 
    154 # defaults, get options...
    155 my $srcip = "82.227.101.236";
    156 my $dstip = "1.2.3.4";
    157 my $dstport = 80;
    158 my $pstatus = GetOptions(
    159  "srcip=s"   => \$srcip,
    160  "dstip=s"   => \$dstip,
    161  "dstport=i" => \$dstport
    162 );
    163 
    164 $| = 1;
    165 # perform the lookup...
    166 print "Querying Tor DNS Exit List for IP $srcip to destination $dstip at port $dstport ... ";
    167 my $result = query_exitlist $srcip, $dstip, $dstport;
    168 print "Done.\n";
    169 
    170 if ($result) {
    171   print "$srcip is a known Tor exit to $dstip at port $dstport.\n";
    172 } elsif (defined $result) {
    173   print "$srcip does not appear to be a Tor exit.\n";
    174 } else {
    175   print "DNS query failed or an unexpected DNS response was received.\n";
    176   exit 1;
    177 }
    178 }}}
    179 
    180 Invocation:
    181 {{{
    182 # using defaults
    183 torelcheck.pl
    184 Querying Tor DNS Exit List for IP 82.227.101.236 to destination 1.2.3.4 at port 80 ... Done.
    185 82.227.101.236 is a known Tor exit to 1.2.3.4 at port 80.
    186 
    187 # using explicit check
    188 torelcheck.pl --srcip 71.111.92.174 --dstip 66.135.40.74 --dstport 80
    189 Querying Tor DNS Exit List for IP 71.111.92.174 to destination 66.135.40.74 at port 80 ... Done.
    190 71.111.92.174 does not appear to be a Tor exit.
    191 }}}
     87An example implementation of this interface is available at [http://peertech.org/torel/ peertech.org/torel/].
    19288
    19389== Dig command line ==
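Review bot: this hunk deletes the entire Perl Net::DNS example (old lines 96-191), the only code on the page that checks the rcode and the A record type explicitly, that documents the query name format "$srcip.$dstport.$dstip.ip-port.exitlist.torproject.org." with the address octets reversed, and that shows a worked invocation, and replaces it with a bare link to peertech.org/torel/. If the example is being relocated, say so in the new sentence and keep at least the query-name format on the page, since nothing else in this diff defines it; an external link can go stale, whereas the removed text was self-contained.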