localhost.localdomain DNS lookup leaks to Tor circuits
Since switching to Stretch I noticed odd activity that would come up in Tor circuits when first connecting to the Tor network. Sometimes (not always - exact conditions unknown) there will be visible entries of localhost.localdomain:0 shown as coming out at the Tor exit in the OnionCircuits display.
I’m guessing (have not confirmed) that something that has been upgraded is making localhost.localdomain DNS lookup requests and instead of being intercepted/filtered/handled at the /etc/hosts file it’s going into the DNS resolver and out of the connected circuits.
Right now the /etc/hosts file reads as:
127.0.0.1 localhost amnesia
It should probably read as:
127.0.0.1 localhost localhost.localdomain amnesia
::1 localhost localhost.localdomain amnesia
My guess is that something does a “hostname” or “hostname -f” request and gets back a “localhost.localdomain” response, which fires at the DNS resolver, which may or may not be connected yet. If it’s not connected yet things may continue without anything noticeable in OnionCircuits, whereas if the connection process is quicker there is a localhost.localdomain:0 set of requests fired down the circuits.
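As an added example (not part of the original report), this POSIX sh check parses an /etc/hosts-style file and reports whether a given name maps only to loopback, so a lookup for it is answered from the file and never handed to the DNS resolver. The two sample files are constructed from the current and proposed hosts entries above; the function name hosts_resolves is an assumption, and whether the file wins over DNS on a live system also depends on the order in nsswitch.conf.

```shell
#!/bin/sh
# hosts_resolves FILE NAME
#   Prints every address FILE assigns to NAME.
#   Exit 0 only if NAME is present and every address is loopback
#   (127.0.0.0/8 or ::1); exit 1 if NAME is absent or maps elsewhere.
# Constructed helper for this example, not a Tails or Tor utility.
hosts_resolves() {
    file=$1
    name=$2
    found=0
    bad=0
    while read -r addr rest; do
        # skip blank lines and full-line comments
        case "$addr" in ''|'#'*) continue ;; esac
        # drop an inline comment after the hostname list
        rest=${rest%%#*}
        for h in $rest; do
            if [ "$h" = "$name" ]; then
                found=1
                printf '%s\n' "$addr"
                case "$addr" in
                    127.*|::1) ;;          # loopback, fine
                    *) bad=1 ;;            # anything else would leak
                esac
            fi
        done
    done < "$file"
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample files mirroring the report's current and proposed hosts entries.
CURRENT_HOSTS=$(mktemp)
FIXED_HOSTS=$(mktemp)
printf '127.0.0.1 localhost amnesia\n' > "$CURRENT_HOSTS"
printf '127.0.0.1 localhost localhost.localdomain amnesia\n::1 localhost localhost.localdomain amnesia\n' > "$FIXED_HOSTS"

for f in "$CURRENT_HOSTS" "$FIXED_HOSTS"; do
    if hosts_resolves "$f" localhost.localdomain >/dev/null; then
        echo "$f: localhost.localdomain answered locally"
    else
        echo "$f: localhost.localdomain NOT in hosts file, lookup would go to DNS"
    fi
done
```

On a live system, compare against what NSS actually returns with `getent hosts localhost.localdomain`; an empty result or a non-loopback address means the name is not being answered from the file.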
One obvious concern here is the Tor exit actually responding and providing an IP other than 127.0.0.1, causing localhost communication to actually try to resolve to a foreign server. Hopefully the existing firewall would intercept that (if the app making the requests is not the Tor process it should intercept that) and prevent a rather grave data leak. It has the potential to be disastrous but I don’t think it actually is with the present security configuration.
Best I can figure… an evil Tor exit could potentially redirect your traffic on your LAN with a bunk DNS resolution but given they don’t actually know where you are that (again) doesn’t seem like an immediate threat.
I’ll put the information out there and let you decide if it should be escalated.