Closed
Created Aug 03, 2017 by tailshark@tailshark

localhost.localdomain DNS lookup leaks to Tor circuits

Originally created by @tailshark on #13574 (Redmine)

Hi,

Since switching to Stretch I noticed odd activity that would come up in Tor circuits when first connecting to the Tor network. Sometimes (not always - exact conditions unknown) there will be visible entries of localhost.localdomain:0 shown as coming out at the Tor exit in the OnionCircuits display.

I’m guessing (have not confirmed) that something that has been upgraded is making localhost.localdomain DNS lookup requests and instead of being intercepted/filtered/handled at the /etc/hosts file it’s going into the DNS resolver and out of the connected circuits.

Right now the /etc/hosts file reads as:
```
127.0.0.1 localhost amnesia
```

It should probably read as:
```
127.0.0.1 localhost localhost.localdomain amnesia
::1 localhost localhost.localdomain amnesia
```

My guess is that something does a “hostname” or “hostname -f” request and gets back a “localhost.localdomain” response which fires at the DNS resolver which may or may not be connected yet. If it’s not connected yet things may continue without anything noticeable in OnionCircuits whereas if the connection process is quicker there is a localhost.localdomain:0 set of requests fired down the circuits.

One obvious concern here is the Tor exit actually responding and providing an IP other than 127.0.0.1, causing localhost communication to actually try to resolve to a foreign server. Hopefully the existing firewall would intercept that (if the app making the requests is not the Tor process it should intercept that) and prevent a rather grave data leak. It has the potential to be disastrous but I don’t think it actually is with the present security configuration.

Best I can figure… an evil Tor exit could potentially redirect your traffic on your LAN with a bunk DNS resolution but given they don’t actually know where you are that (again) doesn’t seem like an immediate threat.

I’ll put the information out there and let you decide if it should be escalated.

Feature Branch: https://gitlab.com/tailshark/tails/commits/bugfix/13574-etc-hosts-localhost-localdomain-loopfix

Attachments

  • 9000-hosts-file

Related issues

  • Related to #15322 (closed)
  • Blocks #13598 (closed)
Edited May 21, 2020 by tailshark
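The defect described in this issue is a hosts file that does not pin every loopback name for both address families, so a lookup falls through to the DNS resolver. The following check is an added example, not Tails code: it parses hosts-file text and reports which loopback names (the `LOOPBACK_NAMES` tuple and the two constructed hosts-file strings are assumptions taken from the report) would not be answered locally.

```python
"""Report loopback names that an /etc/hosts file fails to pin locally."""
from ipaddress import ip_address

# Names the report expects to resolve to loopback on IPv4 and IPv6.
LOOPBACK_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Map each hostname in hosts-file text to the set of IP addresses listed for it."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip_address(addr)  # skip malformed lines instead of trusting them
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def missing_loopback_entries(text, names=LOOPBACK_NAMES):
    """Return (name, ip_version) pairs that have no loopback address in the hosts text."""
    mapping = parse_hosts(text)
    missing = []
    for name in names:
        addrs = [ip_address(a) for a in mapping.get(name, ())]
        for version in (4, 6):
            if not any(a.version == version and a.is_loopback for a in addrs):
                missing.append((name, version))
    return missing


# Constructed copies of the two hosts files quoted in the report.
CURRENT_HOSTS = "127.0.0.1 localhost amnesia\n"
PROPOSED_HOSTS = (
    "127.0.0.1 localhost localhost.localdomain amnesia\n"
    "::1 localhost localhost.localdomain amnesia\n"
)

if __name__ == "__main__":
    for label, text in (("current", CURRENT_HOSTS), ("proposed", PROPOSED_HOSTS)):
        gaps = missing_loopback_entries(text)
        print(label, gaps if gaps else "all loopback names pinned locally")
```

Any name the check reports is one that a local process could send to the system resolver, which on Tails means through Tor, so the list doubles as a regression test for the proposed fix.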