- ttdnsd broken
These issues were discovered when ttdnsd was in the default DNS resolution loop. Since then, we decided (85zk731slu.fsf@boum.org) to pull ttdnsd out of the "normal" DNS resolution loop, but leave it installed, configured and running. This was done in Tails 0.13.
the bugs
ttdnsd can't resolve
Running:
host -t A boum.org 127.0.0.2
produces the result:
;; connection timed out; no servers could be reached
In Tails, ttdnsd is configured to use Google's DNS server (8.8.8.8), which seems to have started blocking connections originating from the Tor network. Configuring ttdnsd to use OpenDNS (208.67.222.222) instead fixes this issue.
ttdnsd has concurrency issues, part 1 (upstream bug?)
In Tails, ttdnsd crashes when Iceweasel starts. On startup Iceweasel concurrently does an A and an AAAA query for several of the search engines and for the start page, and this appears to be what makes ttdnsd crash. A crash can reliably be reproduced the following way:
host -t A boum.org 127.0.0.2 &
host -t AAAA boum.org 127.0.0.2 &
It has been verified via packet sniffing that ttdnsd indeed gets both the A and AAAA queries sent by Iceweasel (which is weird, see below), which creates the same situation as running the two commands above.
Running ttdnsd with the -c option seems to prevent the crash, but then no circuits are built, so ttdnsd is still useless.

It seems this crash only occurs when ttdnsd is configured to use a DNS server that blocks the Tor network, like Google DNS. Switching to OpenDNS prevents the crash, but...
ttdnsd has concurrency issues, part 2 (upstream bug?)
When using OpenDNS, running:
host -t A boum.org 127.0.0.2 &
host -t AAAA boum.org 127.0.0.2 &
fails with the same old timeout error for both requests. It seems ttdnsd can only handle one request at a time; if a request arrives while it is handling another, both fail.
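The `host` one-liners above (the timeout check in "ttdnsd can't resolve" and the two backgrounded A/AAAA queries in parts 1 and 2) can be turned into one reusable probe. The script below is an added example and is not code from Tails or from ttdnsd: it builds raw A and AAAA queries, fires them at a resolver at the same moment and reports per-type whether the answer came back or timed out, which is exactly the symptom the page describes. The `StubResolver` class is a constructed local stand-in so the script runs offline; its `one_at_a_time` flag imitates the observed "second overlapping request makes both fail" behaviour and is an assumption about ttdnsd, not a description of its internals. The resolver addresses `("127.0.0.2", 53)` (ttdnsd) and `("127.0.0.1", 53)` (pdnsd) are taken from the commands on this page.

```python
"""Added example (not Tails' or ttdnsd's own code): reproduce the concurrent
A/AAAA check against any resolver address, and run it offline against a
constructed stub that imitates ttdnsd's one-request-at-a-time failure."""
import random
import socket
import struct
import threading
import time

QTYPE = {"A": 1, "AAAA": 28}

def build_query(name, qtype, txid=None):
    """Encode a single-question DNS query (RFC 1035 header + question, RD set)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", QTYPE[qtype], 1)

def parse_response(data, txid):
    """Return (rcode, answer count), or None if data is not a reply to txid."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0xF, an

def query(server, name, qtype, timeout=2.0):
    """One UDP query; returns 'ok', 'timeout', 'bad-response', 'rcode=N' or 'error: ...'."""
    txid, pkt = build_query(name, qtype)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(pkt, server)
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"  # the case `host` reports as "no servers could be reached"
    except OSError as exc:  # e.g. ICMP port unreachable when nothing listens
        return f"error: {exc}"
    finally:
        sock.close()
    parsed = parse_response(data, txid)
    if parsed is None:
        return "bad-response"
    rcode, ancount = parsed
    return "ok" if rcode == 0 and ancount > 0 else f"rcode={rcode}"

def probe_concurrent(server, name, qtypes=("A", "AAAA"), timeout=2.0):
    """Send the queries at the same moment, as Iceweasel does, and collect per-type results."""
    results = {}
    def run(qt):
        results[qt] = query(server, name, qt, timeout)
    threads = [threading.Thread(target=run, args=(qt,)) for qt in qtypes]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def _answer_for(q):
    """Minimal positive reply to the A/AAAA question in q (constructed test data)."""
    end = 12
    while q[end] != 0:  # walk the labels up to the root label
        end += q[end] + 1
    end += 1
    qtype = struct.unpack(">H", q[end:end + 2])[0]
    rdata = bytes([192, 0, 2, 1]) if qtype == 1 else bytes.fromhex("20010db8" + "00" * 12)
    header = q[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rr = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + q[12:end + 4] + rr

class StubResolver(threading.Thread):
    """Constructed local resolver so the probe runs offline. With one_at_a_time=True
    every request that overlaps another in flight is dropped, like ttdnsd above."""
    def __init__(self, delay=0.2, one_at_a_time=False):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.addr = self.sock.getsockname()
        self.delay, self.one_at_a_time = delay, one_at_a_time
        self.lock, self.inflight, self.poisoned = threading.Lock(), 0, False
    def run(self):
        while True:
            data, peer = self.sock.recvfrom(512)
            threading.Thread(target=self._handle, args=(data, peer), daemon=True).start()
    def _handle(self, data, peer):
        with self.lock:
            self.inflight += 1
            if self.one_at_a_time and self.inflight > 1:
                self.poisoned = True  # a second overlapping request kills both
        time.sleep(self.delay)  # stand-in for the round trip through Tor
        with self.lock:
            drop, self.inflight = self.poisoned, self.inflight - 1
            if self.inflight == 0:
                self.poisoned = False
        if not drop:
            self.sock.sendto(_answer_for(data), peer)
```

On a Tails system the live check is `probe_concurrent(("127.0.0.2", 53), "boum.org")` for ttdnsd and `probe_concurrent(("127.0.0.1", 53), "boum.org")` for pdnsd; a healthy resolver returns `{"A": "ok", "AAAA": "ok"}`, while the part 2 failure shows up as both entries being `"timeout"` even though a single `query()` afterwards succeeds. Note that `query()` only checks the header, so a reply with the wrong transaction id is reported as `bad-response` rather than trusted.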
ttdnsd gets A queries (it shouldn't)
A fine question is why ttdnsd gets both the A and AAAA requests. Tails' system resolver, pdnsd, is configured to first use Tor's resolver (i.e. DNSPort), which should work for A requests, and to fall back to ttdnsd only if the former failed, i.e. for all non-A requests. Explicitly using the system resolver shows this expected behaviour:
host -t A boum.org 127.0.0.1 &
host -t AAAA boum.org 127.0.0.1 &
i.e. Tor's resolver handles A and ttdnsd handles AAAA.