I want to make a note that compliance with RFC 7686 is breaking the usage of .onion addresses in transparent Tor proxying for non-Whonix VMs (and maybe for Whonix-Workstation in some cases with apps using c-ares) connected to Whonix-Gateway.
RFC 7686 states that:
Applications that do not implement the Tor
protocol SHOULD generate an error upon the use of .onion and
SHOULD NOT perform a DNS lookup.
It’s breaking curl and apps using c-ares (e.g. apt-cacher-ng; see "Apt-cacher-ng in debian-12-minimal doesn't work with onion repos", User Support, Qubes OS Forum):
curl pull request Kangie:rfc7686 → curl:master (opened 07 Mar 2023):
RFC 7686 states that:
> Applications that do not implement the Tor
> protocol SHOULD generate an error upon the use of .onion and
> SHOULD NOT perform a DNS lookup.
Let's do that.
See curl/curl#543
https://www.rfc-editor.org/rfc/rfc7686#section-2
-----
I'm certain that this will inconvenience some people; I feel that any inconvenience is far outweighed by the benefits for those using (or trying to use) Tor.
I initially made this change into a default-on feature but decided against it. We're not Tor-aware, we should just refuse to resolve the `.onion` TLD.
If there's interest in making this a feature I'm willing to go back and do that so that anyone with a valid use case will be able to disable RFC 7686 protections while those that _need_ to be sure that we won't accidentally leak information can clearly see that their binary has this 'feature'.
c-ares pull request bnoordhuis:fix196 → c-ares:master (opened 22 Oct 2018):
Quoting RFC 7686:
Name Resolution APIs and Libraries (...) MUST either respond
to requests for .onion names by resolving them according to
[tor-rendezvous] or by responding with NXDOMAIN.
A legacy client may inadvertently attempt to resolve a .onion
name through the DNS. This causes a disclosure that the client
is attempting to use Tor to reach a specific service. Malicious
resolvers could be engineered to capture and record such leaks,
which might have very adverse consequences for the well-being
of the user.
Bug: #196
Discussions about this problem:
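To make the breakage mechanism concrete, here is an added Python model; it is not code from this post, from curl, from c-ares or from Whonix. It models three pieces: a gateway-side resolver standing in for Tor's DNSPort with AutomapHostsOnResolve (assumed here to hand out virtual addresses from 10.192.0.0/10, the way a transparent-proxy gateway maps .onion names to TransPort-routable IPs), a legacy client stub resolver that forwards every query upstream, and an RFC 7686 compliant stub resolver that answers .onion with NXDOMAIN locally. All class and function names are this example's own.

```python
"""Why RFC 7686 compliance breaks transparent Tor proxying (model).

Added example; not code from the forum post, curl, c-ares or Whonix.
Assumptions: the gateway resolver automaps .onion names to a virtual IPv4
from 10.192.0.0/10 (a stand-in for Tor's DNSPort + AutomapHostsOnResolve);
the client library either forwards every query (legacy) or answers .onion
with NXDOMAIN without sending it upstream (RFC 7686 section 2).
"""
import ipaddress


class NXDOMAIN(Exception):
    """Name does not exist (DNS RCODE 3)."""


def is_onion(name: str) -> bool:
    """True if name is under the .onion special-use TLD (RFC 7686).
    Case and a trailing root dot are normalised as a resolver would."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


class GatewayAutomapResolver:
    """Stand-in for the Tor DNSPort on the gateway (assumption, simplified).
    .onion queries get a stable virtual IPv4 that the transparent proxy
    later maps back to the onion service; other names are outside this
    model and answered NXDOMAIN."""

    def __init__(self, virtual_net: str = "10.192.0.0/10"):
        self._pool = ipaddress.ip_network(virtual_net).hosts()
        self._automap: dict = {}
        self.queries_seen: list = []  # what actually reached the gateway

    def resolve(self, name: str) -> ipaddress.IPv4Address:
        self.queries_seen.append(name)
        key = name.rstrip(".").lower()
        if not is_onion(key):
            raise NXDOMAIN(name)
        if key not in self._automap:
            self._automap[key] = next(self._pool)
        return self._automap[key]


class LegacyStubResolver:
    """Pre-RFC-7686 client library: forwards everything upstream. This is
    the behaviour transparent proxying through the gateway relies on."""

    def __init__(self, upstream: GatewayAutomapResolver):
        self._upstream = upstream

    def resolve(self, name: str) -> ipaddress.IPv4Address:
        return self._upstream.resolve(name)


class Rfc7686StubResolver:
    """Non-Tor-aware client library following RFC 7686 section 2: .onion is
    answered NXDOMAIN locally and never sent upstream. A client that errors
    before any lookup (curl's approach) ends in the same place: the gateway
    never sees the name, so there is nothing to automap."""

    def __init__(self, upstream: GatewayAutomapResolver):
        self._upstream = upstream

    def resolve(self, name: str) -> ipaddress.IPv4Address:
        if is_onion(name):
            raise NXDOMAIN(name)
        return self._upstream.resolve(name)


def transparent_proxy_outcome(resolver_cls, name: str) -> dict:
    """Run one lookup through a client resolver class and report whether
    the gateway saw the query and whether an automapped address came back."""
    gateway = GatewayAutomapResolver()
    client = resolver_cls(gateway)
    try:
        addr = client.resolve(name)
        return {"connects": True, "address": str(addr),
                "gateway_saw_query": name in gateway.queries_seen}
    except NXDOMAIN:
        return {"connects": False, "address": None,
                "gateway_saw_query": name in gateway.queries_seen}


if __name__ == "__main__":
    target = "example.onion"  # constructed sample name, not a real service
    for cls in (LegacyStubResolver, Rfc7686StubResolver):
        print(cls.__name__, transparent_proxy_outcome(cls, target))
```

The point the model makes is that the RFC's protection (no .onion query ever leaves the client) and transparent proxying (the gateway only learns the onion name through that very query) are mutually exclusive by design, which is why the remaining option is an explicit proxy configuration in which the application hands the hostname to the proxy itself rather than to a resolver.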
Thanks for the report!
I posted several replies in the Tor Project issue ticket.
Maybe some changes will be required for Debian bookworm + 1. If uwt can no longer use torsocks this will result in usability degradation for:
local connections
incoming connections (server ports, onion services)
Because then only explicit proxy configuration is possible.
Also, applications that do not support proxy settings will no longer be able to connect to onions, and I don’t think there’s a solution for that at the time of writing except recompilation.