Compliance with RFC 7686 is breaking transparent Tor proxying

I want to make a note that compliance with RFC 7686 is breaking the usage of .onion addresses in transparent Tor proxying for non-Whonix VMs (and maybe for Whonix-Workstation in some cases with apps using c-ares) connected to Whonix-Gateway.

RFC 7686 states that:

Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.

It’s breaking curl and apps using c-ares (e.g. apt-cacher-ng (Apt-cacher-ng in debian-12-minimal doesn't work with onion repos - User Support - Qubes OS Forum)):

Discussions about this problem:


Thanks for the report!

I posted several replies in the Tor Project issue ticket.

Maybe some changes will be required for Debian bookworm + 1. If uwt can no longer use torsocks this will result in usability degradation for:

  • local connections
  • incoming connections (server ports, onion services)

Because then only explicit proxy configuration is possible.

Also applications that do not support proxy settings will no longer be able to connect to onions and I don’t think there’s a solution for that at time of writing except recompilation.

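An added illustration of the two behaviours discussed in this thread (not code from Whonix, curl or c-ares): an RFC 7686-compliant resolver that refuses to send a .onion name to DNS, which is exactly why a transparent-proxy setup never gets to resolve it on the gateway, beside the explicit-proxy path where the unresolved hostname is carried inside a SOCKS5 CONNECT request so Tor resolves it. The onion name used in the demo is a constructed placeholder, not a real service.

```python
import socket
from typing import List, Tuple


class OnionLookupRefused(Exception):
    """Raised instead of performing a DNS lookup for a .onion name (RFC 7686)."""


def is_onion(host: str) -> bool:
    """True if host lies under the special-use .onion TLD (case-insensitive, trailing dot allowed)."""
    return host.rstrip(".").lower().endswith(".onion")


def resolve(host: str, port: int) -> List[Tuple[str, int]]:
    """Behave like an RFC 7686-compliant resolver (c-ares, curl): error on .onion, normal lookup otherwise.

    With transparent proxying the application expects its ordinary DNS query to be answered by
    the gateway; because the name is refused here, that query is never sent and the connection fails.
    """
    if is_onion(host):
        raise OnionLookupRefused(f"refusing DNS lookup for {host!r} (RFC 7686)")
    return [(ai[4][0], ai[4][1]) for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)]


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request using ATYP 0x03 (domain name).

    The hostname travels to the proxy unresolved (curl's socks5h:// or --socks5-hostname),
    so Tor resolves the .onion itself and the client never touches DNS. Layout (RFC 1928):
    VER=0x05 CMD=0x01 RSV=0x00 ATYP=0x03 LEN name PORT(2 bytes, big-endian).
    """
    name = host.rstrip(".").encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + port.to_bytes(2, "big")


if __name__ == "__main__":
    onion = "a" * 56 + ".onion"  # constructed placeholder, not a real v3 onion address
    try:
        resolve(onion, 80)
    except OnionLookupRefused as exc:
        print("transparent path:", exc)
    print("explicit path:", socks5_connect_request(onion, 80).hex())
```

Applications that offer no proxy setting only ever take the first path, which is the case the thread says cannot be fixed without recompilation.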