[tor-dev] DNS resolution isolation in Tor Browser
nusenu
2018-06-14 16:22:00 UTC
Hi,

I haven't been able to answer this question by looking into the Tor Browser design document,
maybe you have an answer:

imagine you have two tabs in Tor Browser:

1: torproject.org (circuit A)
embeds some youtube.com content

2: google.com (circuit B)
embeds some youtube.com content

it will route the TCP connection via two distinct circuits (A and B) as described in the design
document [1]


Will DNS resolution be isolated using the same logic?

torproject.org and youtube.com will be resolved via circuit A
and
google.com and youtube.com will be resolved via circuit B

Is that correct?

thanks!



[1] https://www.torproject.org/projects/torbrowser/design/#identifier-linkability
--
https://mastodon.social/@nusenu
twitter: @nusenu_
Roger Dingledine
2018-06-14 22:49:16 UTC
Post by nusenu
1: torproject.org (circuit A)
embeds some youtube.com content
2: google.com (circuit B)
embeds some youtube.com content
it will route the TCP connection via two distinct circuits (A and B) as described in the design document [1]
Correct.
Post by nusenu
Will DNS resolution be isolated using the same logic?
Yes.
Post by nusenu
torproject.org and youtube.com will be resolved via circuit A
and
google.com and youtube.com will be resolved via circuit B
Is that correct?
Yes.

(In the distant past, the Tor client would cache DNS answers on the
client side, so when a later circuit requests the same address, it can
just provide the IP address, saving the exit relay from having to do
an unnecessary resolve. But that's bad for isolation, and it's bad for
geodns designs (where the dns server gives you an answer tailored for
your current location, so re-using that answer from a different location
is not best), and also it doesn't actually save the exit relay that much
since it *can* cache its resolves.)

--Roger
teor
2018-06-14 22:51:13 UTC
Post by nusenu
Hi,
I haven't been able to answer this question by looking into the Tor Browser design document,
1: torproject.org (circuit A)
embeds some youtube.com content
2: google.com (circuit B)
embeds some youtube.com content
it will route the TCP connection via two distinct circuits (A and B) as described in the design
document [1]
Will DNS resolution be isolated using the same logic?
Tor Browser does not perform DNS resolution.

Instead, Tor Browser uses SOCKS to send DNS names directly to Tor as part of
the SOCKS TCP connection request.

Tor sends the DNS name to the exit as part of the stream request.

The exit resolves the DNS name, then opens the TCP connection to the exit.

So DNS and TCP connections have exactly the same isolation, because there is
no separate DNS resolution step in the browser or on the Tor client.

T
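The exchange teor describes, as an added example that is not part of this thread and not Tor's or Tor Browser's own code: the client side builds a SOCKS5 CONNECT request that carries the destination as a domain name (ATYP 0x03, per RFC 1928) plus an RFC 1929 username/password message, and the proxy side parses both. No resolver is ever called on the client; the hostname leaves as bytes. The per-first-party credential function is a hypothetical stand-in for whatever Tor Browser actually sends; the only Tor-specific fact relied on is that Tor's IsolateSOCKSAuth option (on by default) keeps streams with different SOCKS credentials on different circuits. The tab layout from nusenu's question is constructed input.

```python
import struct

SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02   # RFC 1928 method id for username/password auth
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03       # address is a DNS name, to be resolved by the proxy


def build_connect_request(hostname: str, port: int) -> bytes:
    """Client side: CONNECT with the destination given as a domain name.
    No resolver call happens here; the name leaves the client as bytes and,
    in Tor's case, travels to the exit inside the stream request."""
    name = hostname.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain name must be 1..255 bytes")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def build_userpass_auth(username: str, password: str) -> bytes:
    """Client side: RFC 1929 username/password message (version byte 0x01).
    With Tor's IsolateSOCKSAuth, streams presenting different credentials
    are kept on different circuits, which is how a browser can separate
    traffic per first-party site."""
    u, p = username.encode("utf-8"), password.encode("utf-8")
    if len(u) > 255 or len(p) > 255:
        raise ValueError("username and password are limited to 255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p


def parse_connect_request(data: bytes):
    """Proxy side: decode a CONNECT request and return (hostname, port).
    Only ATYP 0x03 is accepted, to make the point that the proxy, not the
    client, ends up holding the name that still needs resolving."""
    if len(data) < 5:
        raise ValueError("truncated SOCKS5 request")
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("unsupported SOCKS version or command")
    if atyp != ATYP_DOMAIN:
        raise ValueError("this example only handles domain-name addresses")
    n = data[4]
    if len(data) != 7 + n:
        raise ValueError("length does not match the domain-name length byte")
    hostname = data[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", data[5 + n:7 + n])
    return hostname, port


def parse_userpass_auth(data: bytes):
    """Proxy side: decode the RFC 1929 message, return (username, password)."""
    if len(data) < 2 or data[0] != 0x01:
        raise ValueError("unsupported auth sub-negotiation version")
    ulen = data[1]
    if len(data) < 3 + ulen:
        raise ValueError("truncated username/password message")
    user = data[2:2 + ulen]
    plen = data[2 + ulen]
    pw = data[3 + ulen:3 + ulen + plen]
    if len(data) != 3 + ulen + plen:
        raise ValueError("length does not match the username/password lengths")
    return user.decode("utf-8"), pw.decode("utf-8")


def isolation_credentials(first_party: str):
    """Hypothetical per-first-party SOCKS credential (an assumption of this
    example; Tor Browser's real username/password scheme is not reproduced)."""
    return first_party, "isolation"


def streams_as_seen_by_proxy(tabs):
    """Run each tab's streams through the client-side builders and the
    proxy-side parsers.  Input: {first_party: [(hostname, port), ...]}.
    Output: [((username, password), hostname, port), ...].  The same
    hostname embedded under two first parties arrives with two different
    credentials, hence on two circuits, and is resolved once per circuit."""
    seen = []
    for first_party, streams in tabs.items():
        auth = build_userpass_auth(*isolation_credentials(first_party))
        cred = parse_userpass_auth(auth)
        for hostname, port in streams:
            name, p = parse_connect_request(build_connect_request(hostname, port))
            seen.append((cred, name, p))
    return seen


if __name__ == "__main__":
    # Constructed input mirroring the two-tab scenario in the question.
    tabs = {
        "torproject.org": [("torproject.org", 443), ("youtube.com", 443)],
        "google.com": [("google.com", 443), ("youtube.com", 443)],
    }
    for cred, host, port in streams_as_seen_by_proxy(tabs):
        print(f"credential={cred} -> proxy must resolve {host}:{port}")
```

The proxy-side parser never sees an IP address for these streams, which is the whole point: whatever resolves the name does so on the circuit the credential selected.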
nusenu
2018-06-14 23:16:00 UTC
Thanks for the replies.


Does tor simply assume (try) that the exit policy allows the destination
address (not the port) or does it check the exit policy before selecting
the circuit?
(in that case it would have to know the destination IP
before building or at least selecting the circuit to use)
--
https://mastodon.social/@nusenu
twitter: @nusenu_
teor
2018-06-15 01:58:15 UTC
Post by nusenu
Thanks for the replies.
Does tor simply assume (try) that the exit policy allows the destination
address (not the port) or does it check the exit policy before selecting
the circuit?
(in that case it would have to know the destination IP
before building or at least selecting the circuit to use)
Most tor clients use microdescriptors, which only contain a port summary:
https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt#n1494

Clients check the port, and assume that the DNS name will resolve to an IPv4
address allowed by the exit.

T
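The port-only check teor describes, as an added example that is not Tor's own code: parse a microdescriptor's policy summary and decide, from the port alone, whether an exit is a candidate. The summary line format follows dir-spec ("p accept PortList" or "p reject PortList", ports and ranges separated by commas); the microdescriptor fragments are constructed. The function that filters candidate exits deliberately takes no hostname argument, because the client has not resolved the name and cannot test the address part of the exit's policy; whether the resolved address is really allowed is only learned from the exit's answer to the stream request.

```python
# Constructed microdescriptor fragments; only the policy-summary "p" line is
# used below.  Real microdescriptors carry more lines than this.
EXIT_WEB_ONLY = "p accept 80,443\n"
EXIT_HIGH_PORTS = "p reject 1-1024\n"
EXIT_EMAIL_BLOCKED = "p reject 25,465,587\n"


def parse_policy_summary(microdesc: str):
    """Return (is_accept, [(lo, hi), ...]) from the microdescriptor's p line.
    The summary covers ports only; there is no address information in it."""
    for line in microdesc.splitlines():
        if not line.startswith("p "):
            continue
        parts = line.split(" ")
        if len(parts) != 3 or parts[1] not in ("accept", "reject"):
            raise ValueError(f"malformed policy summary: {line!r}")
        ranges = []
        for item in parts[2].split(","):
            lo, _, hi = item.partition("-")
            lo_i = int(lo)
            hi_i = int(hi) if hi else lo_i
            if not 1 <= lo_i <= hi_i <= 65535:
                raise ValueError(f"bad port range: {item!r}")
            ranges.append((lo_i, hi_i))
        return parts[1] == "accept", ranges
    raise ValueError("no policy summary (p line) in microdescriptor")


def exit_allows_port(microdesc: str, port: int) -> bool:
    """The client-side test: does the summary admit this port?
    An accept list allows only the listed ports; a reject list allows
    everything except the listed ports."""
    is_accept, ranges = parse_policy_summary(microdesc)
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if is_accept else not listed


def usable_exits(candidates: dict, port: int) -> list:
    """Filter candidate exits by port only.  No hostname parameter: the
    client never resolved the name, so the address part of the exit policy
    cannot be checked here and is left to the exit to enforce."""
    return sorted(name for name, md in candidates.items()
                  if exit_allows_port(md, port))


if __name__ == "__main__":
    exits = {"web-only": EXIT_WEB_ONLY,
             "high-ports": EXIT_HIGH_PORTS,
             "no-email": EXIT_EMAIL_BLOCKED}
    for port in (25, 443, 8080):
        print(f"port {port}: candidate exits {usable_exits(exits, port)}")
```

Because the summary is a compact approximation of the exit's full policy and says nothing about addresses, a stream can still be refused by the exit after resolution even though the client's port check passed.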
