I want to resolve onion addresses

[kaizushi]

I did this

Curl will not resolve onion addresses anymore on my system. This is because of RFC 7686, and the change was made because of DNS leakage. I have a good handle on any possible DNS leakage and do not need this feature, and it in fact breaks my system. I use transparent proxying, and I am certain DNS leakage is impossible here.

curl/libcurl version

curl 8.0.1 (x86_64-pc-linux-gnu) libcurl/8.0.1 OpenSSL/1.1.1t zlib/1.2.13 libidn2/2.3.4 nghttp2/1.51.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtsp smtp smtps tftp
Features: AsynchDNS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets

operating system

Gentoo Linux (default/linux/amd64/17.1/hardened/selinux)

[ehyoitsdavid]

Sorry but that violates RFC 7686 #10705

[klikevil]

@ehyoitsdavid

Sorry but that violates RFC 7686 #10705

Yeah but you can't even force it with torify or proxychains... Isn't that kind of silly especially when you can specify a socks host/port? Like it wouldn't be hard to run a check to see if the socks proxy used the same default port as tor and if it is allow it or if it is able to resolve the DNS fine with a preloaded library like tsocks/torify/proxychains then just allow the request through?

[bagder]

Curl will not resolve onion addresses anymore on my system

That's a bit surprising since 0ae0abb was merged after 8.0.1. .onion blocking is introduced in 8.1.0 for the first time. You are seeing something else or are running another version.

We could consider adding an option that allows a user to change this behavior.

[bagder]

in the socks5 protocol dns resolution happens at the program that provides the proxy

When you connect to tor in a normal setup, you do not let curl resolve the host name because it can't resolve .onion hosts. Thus you use the kind of socks that sends the host name to the proxy so that it can figure it out.

If you would instead ask curl to resolve .onion names, it would send those queries to your DNS server (and leak their names to lots of servers and networks along the way) and then get an error back and it can't continue.

So this is why I ask for actual use cases. Because I think you're asking for features you don't quite understand.

[Pachin0]

Ignore my comment, curl does resolve the onion sites if given the --socks5-hostname option

[klikevil]

@Pachin0

Looks completely broken for me now.

$ curl --version
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.1.4 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.3 libpsl/0.21.2 (+libidn2/2.3.3) libssh2/1.11.0 nghttp2/1.58.0 librtmp/2.3 OpenLDAP/2.5.13
Release-Date: 2023-12-06, security patched: 8.5.0-2
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

proxychains curl https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
ProxyChains-3.1 (http://proxychains.sf.net)
curl: (6) Not resolving .onion address (RFC 7686)

$ curl -v --socks5 localhost:9050 https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/
* Host localhost:9050 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:9050...
* connect to ::1 port 9050 from :: port 43805 failed: Connection refused
*   Trying 127.0.0.1:9050...
* Connected to localhost (127.0.0.1) port 9050
* Not resolving .onion address (RFC 7686)
* Closing connection
curl: (97) Not resolving .onion address (RFC 7686)

[bagder]

@klikevil you're just bringing back old topics that add nothing. You're using the wrong proxy option. If you want the proxy to resolve the host name, which you typically do for tor, you'd use -x socks5h:// or --socks5-hostname.

[dfandrich]

curl implemented this to follow RFC 7686 which states Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup. curl & libcurl do not implement the Tor protocol, so "Please be reasonable" to me means to follow the RFCs.

[bagder]

Gentoo literally implements this already

If they do, they do it outside of curl and then it's not up to curl anymore. curl 8.0.1 is not aware of .onion. You are barking up the wrong tree.

I recommend that this option be provided at compile time

In your curl version it doesn't even exist. You can call it compile time if you want - and you can't enable it.

I think "it breaks my weirdo use case" is a weak argument when there is a clear RFC saying how things should work.

[thesamesam]

Please speak to the Tor people about the best way to achieve this, as they don't seem to agree with an environment variable either, per the discussion in #11236 -> https://gitlab.torproject.org/tpo/core/torspec/-/issues/202#note_2909909.

[Pachin0]

bro, --resolve-onion is too complex? Please don't bikeshed open source software like this. We've been using flags for stuff like this since eons ago. If want you want is mess with how tor and proxies work please refrain from doing so. Curl should just have the flag.

[klikevil]

Completely agree, wget works just fine, but curl now can't work with onion urls at all even when libraries are preloaded? It's bonkers!

[bagder]

@klikevil curl works fine with Tor and SOCKS and has done so for decades. You are not helping.

[thesamesam]

IIRC we backported @Kangie's patch in Gentoo once it'd been reviewed, but OP was already having issues because we switched to enabling adns by default. We don't do anything else to do with proxies and it's purely their setup.

[thesamesam]

I don't think that has much to do with what I said. I was just giving more context as to what happened.

[Kangie]

Hi all,

I thought this might come up (and alluded to it in my PR). I was alerted to this being an "issue" due to Gentoo bug 887287.

TL;DR: depending on how cURL was compiled before (using internal or c-ares DNS resolution) you would get different results when attempting to resolve .onion addresses, as sometime in 2018 c-ares implemented RFC7686 while cURL did not.

The PR both resolved a longstanding known issue with cURL where we were not respecting RFC7686 and ensured consistency between DNS resolution backends.

@kaizushi: You're a Gentoo user. Please feel free to use portages localpatches function to patch out the RFC7686 checks; the PR has been linked here and you only need to worry about the 8 lines in lib/hostip.c. This will enable you to continue to continue to run your unique tor system configuration without opening any other users up to potential .onion leakage.

@bagder Sorry about the 8.0.x confusion, the onion resolution stuff got patched in Gentoo a little early as I knew I'd be away for a bit around the 8.0.0 release and wanted to ensure that our users weren't vulnerable.

[Kangie]

@kaizushi, we've discussed this in IRC.

I originated this patch and I maintain the net-misc/curl package in Gentoo.

For 8.0.1 in Gentoo, the patch was backported and is applied by portage. You can find it here.

For 8.0.1 remove that patch (preferably in a non ::gentoo repo to save you some effort). For 8.1.0+ revert that patch in localpatches.

That is all that there is to it.

I accept that your particular use case for cURL + .onion resolution is valid, however the RFC we're adhering to came from the TOR developers and protects the greatest possible number of users from accidentally leaking information via DNS lookups while seemingly inconveniencing only you.

Anyone who is sufficiently technically competent to run a system as complex as yours (I'm thinking maybe whonix, as a potential example) is competent enough to build their own cURL binary with this functionality patched out.

[Pachin0]

It costs 0 dollars to a flag, or a Env variable that simply covers the use case. What is the point if the software does not try to cover valid use cases? What is curl doing except serving the user and that is done covering valid setups. I find you attitude very petty considering your alternative for not adding a flag to this old behaviour being each user brings their own build of curl everywhere and to all devices on their network (if it is transparent proxied). Just add a flag and stop having a power trip.

[bagder]

@Pachin0 you are not helping by being hostile. Please remain friendly and constructive. This topic has partially continued in #11236

[Pachin0]

Fair enough, I apologize for the tone.

[Kangie]

It costs 0 dollars to a flag, or a Env variable that simply covers the use case. What is the point if the software does not try to cover valid use cases? What is curl doing except serving the user and that is done covering valid setups.

What we're doing is being compliant with the RFC originated by the Tor developers. If you check the PR you'll see that I considered it and decided against it.

[Pachin0]

Don't use proxychains with curl, use its flag --socks5-hostname and it should resolve everything properly. @kaizushi

in my setup
curl --socks5-hostname localhost:9050 youronionsite.onion

[huihuimoe]

Hi, I have implemented a centralized tor outbound in my internal network. As well I implemented a dns resolver for the .onion root domain. I'm pretty sure they don't cause dns leaks and are only available to internals.
They work fine with curl 7.88.1, like this:

# curl -vI https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
*   Trying *.*.*.*:443...
* Connected to dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion (*.*.*.*) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: jurisdictionC=US; jurisdictionST=Delaware; businessCategory=Private Organization; serialNumber=4710875; C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=tor.cloudflare-dns.com
*  start date: Dec 14 00:00:00 2022 GMT
*  expire date: Dec 13 23:59:59 2023 GMT
*  subjectAltName: host "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion" matched cert's "dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: HEAD]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x557b914e0c70)
> HEAD / HTTP/2
> Host: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
HTTP/2 200
< date: Tue, 20 Jun 2023 **:**:** GMT
date: Tue, 20 Jun 2023 **:**:** GMT
< content-type: text/html
content-type: text/html
< nel: {"report_to":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
< last-modified: Thu, 04 Aug 2022 19:10:01 GMT
last-modified: Thu, 04 Aug 2022 19:10:01 GMT
< strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
< served-in-seconds: 0.002
served-in-seconds: 0.002
< cache-control: max-age=600
cache-control: max-age=600
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< server: cloudflare
server: cloudflare

<
* Connection #0 to host dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion left intact

But with curl 8.1 this behavior was broken (even with the --resolve flag manually added) and I had to roll back the version to get the program back to normal.

$ curl -vi https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion --resolve "*:443:*.*.*.*"
* Added *:443:*.*.*.* to DNS cache
* RESOLVE *:443 using wildcard
* Not resolving .onion address (RFC 7686)
* Could not resolve host: dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
* Closing connection 0
curl: (6) Not resolving .onion address (RFC 7686)

Is it possible to add a compatibility flag to make the old program work as well?
For example an --i-want-to-resolve-onion flag

[milahu]

see #11236

[Kangie]

OK, I'm going to do a drive-by revival of this discussion and then safely ignore it for a while.

Current status (July '23):

• cURL >= 8.1.0 will not resolve .onion domains intentionally with any DNS backend. Previously the Asynch resovler (c-ares) would refuse this post ~2018.
• https://gitlab.torproject.org/tpo/core/torspec/-/issues/202 has been raised with Tor upstream
  • a 'RESOLVE_ONION' envvar is not considered an acceptable (or cross platform) solution
  • cURL won't implenent any non-standand envvars (for good reason)

My personal thoughts are that adding an envvar for this is a short-sighted band-aid solution at best; we (that is, you, the people who care about this) can do better.

To quote my last update upstream:

The issue here seems to be less about 'find a workaround for .onion resolution' and more
How can client applications (safely):

• discover that they're in a Tor-enabled environment
• resolve onion services only via Tor in that circumstance
• not leak .onion resolution attempts at all

Right now, not making these requests in the first place is the safest (and correct) thing to do, however inconvenient it may be.
Rather than immediately trying to come up with a band-aid approach a sane mechanism needs to be implemented to:

• Prevent each application from coming up with their own solution
• Prevent inconsistency in .onion resolution (i.e. no "oh it only leaks if DO_ONION_RESOLUTION is set")
• Provide a standardised mechanism for applications that want to be Tor aware to discover that they're in a Tor-enabled environment.

Unfortunately, this isn't something that cURL can resolve. I would encourage those that are interested in this topic to continue the discussion along these lines upstream. The above question (and implied RFC compliance) does bring me to another question that I have: Is transproxying the recommended / sane approach for what you want to do?

I see a lot of unsupported claims of better security from individuals with these "interesting" network configurations, but no real-world evidence that it's the better / preferred approach (and I'm not digging into it myself right now, nor will I engage in flame wars on the topic here).

Please consider that those using custom transproxy (or SOCKS) configurations make up a very small proportion of total Tor users.

My primary concern in this matter is the far greater number of non-technically-inclined users who are at risk of accidentally leaking that they're using Tor to an adversary and ending up imprisoned (or worse...). I don't think that anyone is necessarily wrong for wanting their existing solution to work, but I do think that anyone complaining about this (and not working to find a real solution) is failing to see the bigger picture.

If you have the expertise to run a complex environment please revert the cURL RFC 7686 patches and build your own binary (on my laptop that takes about 90 seconds [including running tests]); groups such as Tails or Whonix who provide turnkey environments will probably consider doing this anyway.

[milahu]

a workaround is to explicitly use a tor socks5h proxy

usually this is 127.0.0.1:9050

- torsocks curl http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion
+ curl --proxy socks5h://127.0.0.1:9050 http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion

- torsocks git clone http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion/RightToPrivacy/Gitea-Onion
+ git -c remote.origin.proxy=socks5h://127.0.0.1:9050 clone http://gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion/RightToPrivacy/Gitea-Onion
+ # TODO ideally avoid this:
+ git -C Gitea-Onion config --add remote.origin.proxy socks5h://127.0.0.1:9050

see also https://gitlab.torproject.org/tpo/core/torsocks/-/issues/40016 - torsocks fails to set socks5h proxy for curl, git, ... - Not resolving .onion address (RFC 7686)

[eli-schwartz]

I have no idea of and no opinion on the curl C code or how maintainable (or not) it is with and without the proposed change.

However I'd like to make a general commentary on the philosophical idea of code.

Specifically, difficult to maintain code is difficult to maintain code regardless of how many lines of code it is. The number of lines of code is almost totally irrelevant to this; what matters is architectural design, whether code causes side effects from the perspective of other code, how "clever" a particular line of code is in terms of abusing strange language features, whether the code has unittests, whether the code constitutes a subsystem in need of a dedicated maintainer, etc.

Please discuss the maintainability of the proposed code based on the merits of the code, not based on incorrect metrics such as how many lines it takes up in a textual source file.

(Yes, if you contribute changes to a project I maintain, I will absolutely treat "just 20 lines" as seriously as a 15k line change in terms of reviewability and maintainability. Both are serious topics. How many lines the code is, is one of many factors that influences the final decision.)

[bagder]

brainstorm mode enabled

libcurl

transfer options are set in libcurl with curl_easy_setopt(), and I would imagine this could be a new option there. It could possibly be made as a generic CURLOPT_NAME_OPTIONS with a bit for dot-onion handling, or a CURLOPT_IGNORE_ONION option with just a single boolean argument.

If done proper, we should be able to create a unit test to verify it.

curl

Add a new option --ignore-onion, which is the default and then --no-ignore-onion then disables the ignore. curl already supports .curlrc by default so it is easy for a user to set this by default for all curl operations.

[jzakrzewski]

Sounds sane to me.
I'd go with the generic CURLOPT_NAME_(RESOLUTION_?)OPTIONS flags.

[Kangie]

IMO this is overboard. If we have to do something about this, just treat RFC compliance as a default-enabled feature so that users can toggle it at compile time, and so that if this ever comes up a quick curl --version means that we can safely ignore anyone with this turned off. I'm trusting that distributions will do the right thing here, obviously.

Edit: To be clear, I don't agree with making this change in the first place, but if we have to make it, let's do it in a way that keeps DNS resolution behaviour consistent with the way that the binary was compiled.

I've asked around on the upstream development mailing list and have had no response; we can probably wait a while before taking action either way - at this point any downstreams that care to are already maintaining their own patchset while Tails and Whonix just use a socks proxy.

That's actually a pretty good argument for maintaining the status quo, now that I think about it.

[milahu]

or should this be more generic?
like an entry in /etc/resolv.conf and an environment variable like DNS_ALLOW_DOT_ONION=1
then this would affect getaddrinfo in libc
related: glibc bug 24255 - resolver should handle special domains correctly

moving this issue upstream to glibc would be nice...

edit 2024-02-24: i left a comment on glibc bug 24255

then to allow resolving .onion domains
we could add something like this to /etc/resolv.conf

option allow-domains *.onion

/etc/nsswitch.conf feels like the wrong place for this

the issue also affects other DNS clients like drill, kdig, unbound-host, dig, host, nslookup, resolvectl, ...

DNS Conditional forwarding

It is possible to use specific DNS resolvers when querying specific domain names. This is particularly useful when connecting to a VPN, so that queries to the VPN network are resolved by the VPN's DNS, while queries to the internet will still be resolved by your standard DNS resolver. It can also be used on local networks.

To implement it, you need to use a local resolver because glibc does not support it.

[Ninpo]

brainstorm mode enabled

libcurl

transfer options are set in libcurl with curl_easy_setopt(), and I would imagine this could be a new option there. It could possibly be made as a generic CURLOPT_NAME_OPTIONS with a bit for dot-onion handling, or a CURLOPT_IGNORE_ONION option with just a single boolean argument.

If done proper, we should be able to create a unit test to verify it.

curl

Add a new option --ignore-onion, which is the default and then --no-ignore-onion then disables the ignore. curl already supports .curlrc by default so it is easy for a user to set this by default for all curl operations.

While this is incredibly admirable open source effort, do be sure this is the right thing to do/concession to make, considering TOR people wrote the RFC that sparked this whole thing. AIUI TOR is intended to be a completely anonymised practically sandboxed browsing experience, libcurl is practically ubiquitous across a huge surface of open source as well as private projects. "App leaks TOR user information due to improper use of libcurl" becomes a possibility with this decision. I'm not implying misuse is the responsibility of you the maintainer, I am simply pointing out that you're opening a door for it that's previously been closed due to adherence to an RFC that intended to close it.

[milahu]

"App leaks TOR user information due to improper use of libcurl" becomes a possibility with this decision.

thats like saying "we should prohibit all drugs, because 1% of all people are too stupid to use them, and they will hurt themselves." oh wait, most people actually are that stupid, and support this policy...

curl's default config would still be "never resolve onion domains", and if users disable this protection, its "at own risk". if an attacker has access to this config, again, it's the user's fault, not curl's fault.

https://gitlab.torproject.org/tpo/core/torspec/-/issues/202

An example of an application that refuse to resolve the .onion TLD by default is Firefox, where it is available as a toggle in about:config by setting the network.dns.blockDotOnion boolean to false.

[Ninpo]

"App leaks TOR user information due to improper use of libcurl" becomes a possibility with this decision.

thats like saying "we should prohibit all drugs, because 1% of all people are too stupid to use them, and they will hurt themselves." oh wait, most people actually are that stupid, and support this policy...

curl's default config would still be "never resolve onion domains", and if users disable this protection, its "at own risk". if an attacker has access to this config, again, it's the user's fault, not curl's fault.

https://gitlab.torproject.org/tpo/core/torspec/-/issues/202

An example of an application that refuse to resolve the .onion TLD by default is Firefox, where it is available as a toggle in about:config by setting the network.dns.blockDotOnion boolean to false.

You need to calm down and consider this from a higher level, broader strokes perspective. It's nothing like potential drug abuse; it does however add rather wide reaching considerations for developers, system administrators, sec ops and code reviewers as soon as the option exists.

I'd actually suggest asking TOR to modify the RFC to sanction these kinds of overrides if they're going to happen, so people looking up the TOR spec are informed adequately. Going off spec historically causes problems and this isn't an exception no matter how much you want your own personal little Hackers cosplay to work the way you say it should.

[scottpedia]

I agree with you on that the scenario described by the RFC is highly imaginary. We cannot decide what's best for the users, and they need to make their own choices with the most degrees of freedom we can offer.

[lattera]

Hey all,

I have started on a pull request to provide the plumbing needed to make the prohibition on .onion a choice that could be opted in to or out of: #11993

[scottpedia]

Can somebody point me to the reason why .onion is not supposed to be resolved by non-tor software? How do we define "Applications that do not implement the Tor protocol"? Say there's a browser that has nothing to do with the Tor protocol, but can be configured to use a socks5 proxy. Is it considered "Applications that do not implement the Tor protocol"? My browser gives me the option to select whether to use proxy for DNS resolution, which has been working sufficiently for me when using Tor circuit. While the DNS problem can be perfectly solved in a very general way aforementioned, why is it necessary to force all non-tor software to give error when resolving .onion domain names?

[eli-schwartz]

https://www.rfc-editor.org/rfc/rfc7686#section-2

2. Application Software: Applications (including proxies) that implement the Tor protocol MUST recognize .onion names as special by either accessing them directly or using a proxy (e.g., SOCKS [RFC1928]) to do so. Applications that do not implement the Tor protocol SHOULD generate an error upon the use of .onion and SHOULD NOT perform a DNS lookup.

[dfandrich]

It's all in RFC 7686.

[scottpedia]

The RFC in question is dated October 2015. Why is it only implemented recently?

[Kangie]

The RFC in question is dated October 2015. Why is it only implemented recently?

Developer interest, time, and necessity.

There was an abortive attempt a while ago (#5159) but it never got through to being merged. I encountered a bug report about different .onion handling (see the #10705 discussion) downstream and permanently fixed the issue via RFC compliance through both DNS resolution paths. That's really all there is to the timing aspect.

[Kangie]

IMHO it seems that if the analysis is correct, then it should be primarily up to Tor to define a mechanism to ensure DNS leak safety.

That's why we have an RFC to comply with. To paraphrase it says "(for applications) do not attempt to resolve onion addresses unless you are tor aware."

Until such a mechanism (or at least a definition thereof) exists, and is practical to implement, that curl should not support the proposed capability. It someone wants to fork curl and add support, that is their business, but putting the capability prematurely into curl does not seem prudent and, being predictive, would possible result in a CVE.

If there was a sane, standards compliant, mechanism for an application to discover that it is in a Tor-enabled environment without inadvertently putting users at risk due to DNS leakage we'd implement it here. As you've identified though, deviation from the standard might result in behaviour that puts users at risk.

Remember that this "issue" only impacts the transparent proxy scenario where all traffic is funneled into Tor without the applications being aware that there behind a proxy - we're not blanket preventing access to Tor / onion addresses.

If I've misunderstood your point I apologise, but from where I'm sitting it looks like you've misunderstood where this is coming from.

[thesamesam]

curl/curl/discussions/11125#discussioncomment-7275200

Why the dislike, @thesamesam? What @Pachin0 stated appears sensible to me.

I don't think it was a polite way to address others and it also ignores the substantive discussion which has taken place. "You people" and a "mess" are not going to move a discussion forward.

(also, the technical reasons to not implement that suggestion have been well covered here)

[rsbeckerca]

@Kangie I do not think we are disagreeing.

[milahu]

If there was a sane, standards compliant, mechanism for an application to discover that it is in a Tor-enabled environment without inadvertently putting users at risk due to DNS leakage we'd implement it here.

only the user knows, if his LAN gateway can safely resolve .onion domains

solutions: #11125 (reply in thread)

[dfandrich]

POP-3 support was added 21 years after the POP-3 RFC came out. That's just when it happened.

[adrelanos]

https://lists.torproject.org/pipermail/tor-dev/2023-November/014862.html provides new insights by Silvio Rhatto from torproject.org.

Quote:

But the RFC explicitly mentions "Applications" and not "Libraries".

We could say that users interact with applications, and these rely on
libraries. By the RFC interpretation above, it's in the application level that
.onion resolution should be allowed or not. It just don't make any statement
about what libraries SHOULD or SHOULD NOT do, or even how a system resolver
should behave.

So this should be reverted from c-ares. It's a bug. It should have never been implemented in a library. Maybe the library can provide functionality but the decision logic to use this or not is supposed to be in the application side.

There was no opposition against options to change these settings either.

So applications could easily allow environment variables, command line
flags, configuration parameters or "environment detection" to indicate that
they support .onion domains.

The only missing thing is a standardized recommendation how to disable this. Meanwhile I suggest environment variable ALLOW_ONION and command line option --allow-onion. Tor Project hasn't expressed that they would be offended if applications provided options to change this behavior. curl and other applications are completely free to implement options.

[eli-schwartz]

So this should be reverted from c-ares. It's a bug. It should have never been implemented in a library. Maybe the library can provide functionality but the decision logic to use this or not is supposed to be in the application side.

I would say that the decision logic being required to be in the application is actually an argument against reverting it.

The only valid option is, of course, to remove all API and ABI support for existing programs and require them to use brand new APIs that include this decision as a parameter.

Every application must become tor-aware in order to use c-ares, because c-ares isn't allowed to make decisions about whether or not its own API is, and must belligerently challenge all its API consumes. A decision such as, for example, "if you need to support right now, include some decision logic that calls into an alternative library".

Tor Project hasn't expressed that they would be offended if applications provided options to change this behavior. curl and other applications are completely free to implement options.

I don't think the curl project is worried about causing offended feelings.

Just about https://xkcd.com/927/

[Kangie]

I ducked out for a bit as I was busy with real life.

c-ares is a DNS resolution library. They are REQUIRED not to resolve onion addresses.

I am still not in support of having curl resolve onion differently based on DNS backend.

I am also not in favour of dropping the asynch dns resolver to remove this block.

Do you have any productive ideas?