Full Disclosure mailing list archives

Re: Google Chrome leaks DNS data queries outside of proxy if dns pre-fetching is enabled
From: Valdis.Kletnieks () vt edu
Date: Tue, 15 Dec 2009 07:01:22 -0500

On Tue, 15 Dec 2009 10:14:31 +0100, Milan Berger said:

>> the only way to avoid DNS leaks despite most application configuration
>> is a transparent Tor proxy that intercepts all DNS and TCP at the
>> network layer and performs a redirect to the Tor Tcp and DNS Ports.
>> (see man page.)

> Tor proxies are
> a) not the best way
> b) many apps like firefox enable using proxy for dns as well as other

Not bullshit at all. Taking the points in reverse order:

(b) Note that "many apps" means "mostly avoid", not "totally avoid". You run
any app that's not DNS-proxy aware, you just leaked and whoever you're using
Tor to avoid is now potentially pounding on your door. Sure, the difference
doesn't matter if you're using Tor to be a cool wanker. But if you're using
Tor because it *matters*, "98% of apps get it right themselves" is a big
*fail*. You really want to enforce 100% correctness whether the app is
correct or not. (Stated in another way - sometimes DAC just doesn't cut
it, and you really *do* want the added complication of MAC).

(a) If you have a better way than a Tor proxy to avoid DNS leaks from
programs that don't DNS-proxy themselves, feel free to actually *tell*
us what it is, rather than just babble "they aren't the best way". Given
you got the *other* point totally wrong, we have no reason to believe a
content-free 'not the best way' unless you actually have an evaluatable
statement like 'XYZ is better'.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
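
The network-layer enforcement discussed in this thread, as an added example that is not part of the original message or taken from the Tor documentation: a shell function that emits an iptables ruleset redirecting all outbound DNS and TCP to a local Tor instance, whether or not each application is proxy-aware. The function name `transproxy_rules`, the user `debian-tor` and the ports 9040 and 5353 are assumptions and must match the local torrc.

```shell
#!/bin/sh
# Added example. Assumed torrc lines (ports and address range are example values):
#   TransPort 9040
#   DNSPort 5353
#   AutomapHostsOnResolve 1
#   VirtualAddrNetworkIPv4 10.192.0.0/10

# transproxy_rules TOR_USER TRANS_PORT DNS_PORT
# Prints iptables-restore input; applies nothing by itself.
transproxy_rules() {
    tor_user=$1 trans_port=$2 dns_port=$3
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# Tor's own traffic must reach the network untouched.
-A OUTPUT -m owner --uid-owner $tor_user -j RETURN
# Every other UDP DNS query goes to Tor's DNSPort, proxy-aware app or not.
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
# Leave the remaining loopback traffic alone.
-A OUTPUT -d 127.0.0.0/8 -j RETURN
# Every new TCP connection (DNS over TCP included) goes to TransPort.
-A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans_port
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -m owner --uid-owner $tor_user -j ACCEPT
# Fail closed: whatever was not redirected above (other UDP, ICMP) is rejected.
-A OUTPUT -j REJECT
COMMIT
EOF
}

# Load the rules only when asked to; needs root and flushes nat and filter.
if [ "${1:-}" = "apply" ]; then
    transproxy_rules "${TOR_USER:-debian-tor}" 9040 5353 | iptables-restore
fi
```

These rules cover IPv4 only; IPv6 output needs its own ip6tables ruleset that rejects non-loopback traffic, or IPv6 lookups bypass the redirect.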
