Hi,
I noticed some unexpected answers in exitmap's [1] dnsenum results and suspected that this has to do with IPv4 vs. IPv6.
First I looked at [2] and found that it only lists IPv4 and hostnames as possible answers but then I realized that exitmap might not be using the RESOLVE command?
    def resolve(self, domain):
        """
        Resolve the given domain using Tor's SOCKS resolution extension.
        """

        domain_len = len(domain)
        if domain_len > 255:
            raise error.SOCKSv5Error("Domain must not be longer than 255 "
                                     "characters, but %d given." % domain_len)

        # Tor defines a new command value, \xf0, that is used for domain
        # resolution.
        self._send_all("\x05\xf0\x00\x03%s%s%s" %
                       (chr(domain_len), domain, "\x00\x00"))

        resp = self._recv_all(10)
        if resp[:2] != "\x05\x00":
            raise error.SOCKSv5Error("Invalid server response: 0x%s" %
                                     resp[1].encode("hex"))

        return socket.inet_ntoa(resp[4:8])
Does Tor's SOCKS resolution extension support IPv6 answers or does it only attempt A records?
I'm aiming to resolve a hostname and would like to get the IPv4 and if available the IPv6 address.
thanks, nusenu
[1] https://github.com/NullHypothesis/exitmap
[2] https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n1349
On July 9, 2019 8:55:00 AM UTC, nusenu nusenu-lists@riseup.net wrote:
> Hi,
> I noticed some unexpected answers in exitmap's [1] dnsenum results and suspected that this has to do with IPv4 vs. IPv6.
> First I looked at [2] and found that it only lists IPv4 and hostnames as possible answers but then I realized that exitmap might not be using the RESOLVE command?

Exitmap is using tor's RESOLVE extension to SOCKS: https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt#n49

>     def resolve(self, domain):
>         """
>         Resolve the given domain using Tor's SOCKS resolution extension.
>         """
>
>         domain_len = len(domain)
>         if domain_len > 255:
>             raise error.SOCKSv5Error("Domain must not be longer than 255 "
>                                      "characters, but %d given." % domain_len)
>
>         # Tor defines a new command value, \xf0, that is used for domain
>         # resolution.
>         self._send_all("\x05\xf0\x00\x03%s%s%s" %
>                        (chr(domain_len), domain, "\x00\x00"))

Exitmap uses the SOCKS 5, resolve, DNS command: See page 4 of https://www.ietf.org/rfc/rfc1928.txt

>         resp = self._recv_all(10)
>         if resp[:2] != "\x05\x00":
>             raise error.SOCKSv5Error("Invalid server response: 0x%s" %
>                                      resp[1].encode("hex"))

Resolve can return an IPv4 or IPv6 response, but Exitmap ignores the address type, and turns the first 4 bytes of the response into an IPv4 address.

>         return socket.inet_ntoa(resp[4:8])
>
> Does Tor's SOCKS resolution extension support IPv6 answers or does it only attempt A records?

If it gets both IPv4 and IPv6, I think it will prefer IPv4.

Try testing with ipv6.google.com, which only has an IPv6 address.

> I'm aiming to resolve a hostname and would like to get the IPv4 and if available the IPv6 address.

I don't know how you can reliably get the IPv6 address over SOCKS, when the site has an IPv4 address.

Try using the controller RESOLVE command and ADDRMAP event, which supports IPv6:

    Address = ip4-address / ip6-address / hostname

If that doesn't work, we might need to make some changes to tor, or fix some bugs.

> thanks, nusenu
>
> [1] https://github.com/NullHypothesis/exitmap
> [2] https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n1349
-- teor ----------------------------------------------------------------------
Thanks, this is very useful information.
>>         # Tor defines a new command value, \xf0, that is used for domain
>>         # resolution.
>>         self._send_all("\x05\xf0\x00\x03%s%s%s" %
>>                        (chr(domain_len), domain, "\x00\x00"))
>
> Exitmap uses the SOCKS 5, resolve, DNS command: See page 4 of https://www.ietf.org/rfc/rfc1928.txt

The SOCKS request is formed as follows:

    +----+-----+-------+------+----------+----------+
    |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
    +----+-----+-------+------+----------+----------+
    | 1  |  1  | X'00' |  1   | Variable |    2     |
    +----+-----+-------+------+----------+----------+

so in the above python code the values are:

    ver      = \x05
    cmd      = \xf0 ("RESOLVE") - custom tor extension not in RFC
    rsv      = \x00
    atyp     = \x03 (domain)
    dst.addr = domain (variable length)
    dst.port = \x00\x00
from https://gitweb.torproject.org/torspec.git/tree/socks-extensions.txt#n49
- Name lookup
As an extension to SOCKS4A and SOCKS5, Tor implements a new command value, "RESOLVE" [F0]. When Tor receives a "RESOLVE" SOCKS command, it initiates a remote lookup of the hostname provided as the target address in the SOCKS request. The reply is either an error (if the address couldn't be resolved) or a success response. In the case of success, the address is stored in the portion of the SOCKS response reserved for remote IP address.
(We support RESOLVE in SOCKS4 too, even though it is unnecessary.)
For SOCKS5 only, we support reverse resolution with a new command value, "RESOLVE_PTR" [F1]. In response to a "RESOLVE_PTR" SOCKS5 command with an IPv4 address as its target, Tor attempts to find the canonical hostname for that IPv4 record, and returns it in the "server bound address" portion of the reply. (This command was not supported before Tor 0.1.2.2-alpha.)
The spec leaves multiple open questions:
- What does "initiates a remote lookup of the hostname" mean? The spec could be improved by saying that an "A" and/or "AAAA" DNS lookup is performed.
- There is no information about the response in torspec.git/tree/socks-extensions.txt at all?
> Resolve can return an IPv4 or IPv6 response, but Exitmap ignores the address type, and turns the first 4 bytes of the response into an IPv4 address.
I modified exitmap to print the entire response in case the ATYP field is set to 04 (meaning the response contains an IPv6 address) but the response is not any longer and contains only the first 4 bytes of the IPv6 address.
Running tor 0.3.5.8.
Has this bug been fixed in later versions of tor or current master?
> Running tor 0.3.5.8.
> Has this bug been fixed in later versions of tor or current master?
moved to trac: https://trac.torproject.org/projects/tor/ticket/31115
> I modified exitmap to print the entire response in case the ATYP field is set to 04 (meaning the response contains an IPv6 address) but the response is not any longer and contains only the first 4 bytes of the IPv6 address.
>
> Running tor 0.3.5.8.
> Has this bug been fixed in later versions of tor or current master?
My assumption was a bit too fast ;) exitmap just reads 10 bytes only:

    resp = self._recv_all(10)
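The fixed 10-byte read is why an AAAA answer looked truncated. As an added example (not exitmap's or tor's code), the following builds the same SOCKS5 RESOLVE request and parses the reply by reading the 4-byte header first and then as many address bytes as ATYP dictates, so IPv4, IPv6 and hostname answers are all read in full; the in-memory `reader` helper and the 192.0.2.1 / 2001:db8::1 sample addresses are constructed for offline testing.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_RESOLVE = 0xF0                  # Tor "RESOLVE" extension (socks-extensions.txt)
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_resolve_request(domain):
    """Build the SOCKS5 RESOLVE request (RFC 1928 layout, CMD=0xF0)."""
    name = domain.encode("idna")
    if len(name) > 255:
        raise ValueError("domain must fit in a one-byte length prefix")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_RESOLVE, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + b"\x00\x00")


def parse_resolve_reply(recv):
    """Read one SOCKS5 reply via recv(n) and return (REP, address string).

    The address length is taken from ATYP instead of a fixed recv(10),
    so an AAAA answer (ATYP=0x04, 16 address bytes) is read in full.
    """
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", recv(4))
    if ver != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: version 0x%02x" % ver)
    if atyp == ATYP_IPV4:
        addr = str(ipaddress.IPv4Address(recv(4)))
    elif atyp == ATYP_IPV6:
        addr = str(ipaddress.IPv6Address(recv(16)))
    elif atyp == ATYP_DOMAIN:          # hostname, e.g. a RESOLVE_PTR answer
        addr = recv(recv(1)[0]).decode("ascii")
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    recv(2)                            # BND.PORT, meaningless for RESOLVE
    return rep, addr


def reader(data):
    """Constructed stand-in for socket.recv that serves bytes from memory."""
    buf, pos = memoryview(data), [0]

    def recv(n):
        chunk = buf[pos[0]:pos[0] + n]
        if len(chunk) != n:            # a truncated reply is an error, not an IPv4
            raise EOFError("reply ended after %d of %d bytes" % (len(chunk), n))
        pos[0] += n
        return bytes(chunk)
    return recv
```

With a real socket, pass `sock.recv` (or a loop that reads exactly n bytes) in place of `reader(...)`.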