mastodon - Link to source

Tor has introduced this new cool tool they call oniux. On the page announcing it they show off a #curl command line that hasn't worked for two years... since curl nowadays refuses to resolve .onion names like RFC 7686 says.

blog.torproject.org/introducin…


Introducing oniux: Kernel-level Tor isolation for any Linux app | Tor Project

Introducing oniux: Kernel-level Tor isolation for any Linux app. This torsocks alternative uses namespaces to isolate Linux applications over the Tor network and eliminate data leaks.
blog.torproject.org
#curl

daniel:// stenberg:// reshared this.

in reply to daniel:// stenberg://

mastodon - Link to source

daniel:// stenberg://

Discussed here: github.com/curl/curl/issues/17…

Impossible to use `curl` to resolve `.onion` addresses using Tor Project's `oniux` tool · Issue #17363 · curl/curl

I did this The Tor Project just announced this very cool tool called oniux: oniux is a tool that utilizes various Linux namespaces(7) in order to isolate an arbitrary application over the Tor netwo...
GitHub
in reply to daniel:// stenberg://

mastodon - Link to source

Wolf480pl

looking at the torproject discussion about this gitlab.torproject.org/tpo/core…

and it seems like an irresolvable problem.

On one hand you have people setting up LANs that have all their outbound traffic sent through Tor, and are supposed to work with any tor-unaware device.

On the other hand, saying "the LAN you're in is behind Tor" is exactly what an attacker would say to induce user devices to leak onion lookups...


Formalize toggle override for non-Tor applications that follow RFC 7686 (#202) · Issues · The Tor Project / Core / Tor Specifications · GitLab

Suggestion to formalize environment variable name ALLOW_DOT_ONION (or other) to be set to toggle and enable DNS lookup of the .onion TLD where an application otherwise would...
GitLab
in reply to daniel:// stenberg://

mastodon - Link to source

Petr Menšík

blocking special name resolution in the applications, without defined way to indicate when such resolution should be safe, were asking for this exact problem. Tor expected only whole applications to be onion enabled, not VPN-like behaviour. Perhaps special option in resolv.conf could enable passing onion names to DNS servers specified there. Local resolvers often block it properly anyway. Ideally it should have separate nsswitch module and not using common DNS plugin.
in reply to daniel:// stenberg://

mastodon - Link to source

Petr Menšík

it seems to me this RFC cannot work with network or system level .onion support and should be replaced.

I think applications need API to query system resolver, whether DNS is handled by localhost or trusted resolver. And if .onion names are considered a special handled domain. I think we lack both on Linux now.

This RFC assumes only per-application support can be safe. Applications should query the OS support and enable it if indicated. But resolver related apis are ancient already.