Hi,

On Tue, Apr 17, 2018 at 02:24:42PM +0100, Kevin Steen wrote:
> Since the queries are invalid and the tor proxy address is configured in
> apt.conf, these queries shouldn't be generated.

The report gave me some headache as the queries aren't invalid. It seems relatively unlikely that a user really does "redirection" of localhost services via SRV, but it's technically allowed, valid & not completely unheard of ($searchengine e.g. easily finds instances for XMPP).

It's usually also not a problem as most people will have a caching DNS server either right on their box (systemd-resolved for example) or on their (trusted) network like their router – and those will resolve them locally as they know perfectly well that a more upstream DNS server will not have a better answer (rfc6761 defines that as a SHOULD).

It's "only" bad if you interact directly with a sufficiently evil DNS server that answers the SRV with the address of an evil SOCKS proxy – that would be very sad (but isn't that different to the problem with DNS at large in this situation).

Anyway, the solution was way too obvious… instead of complex conditional disabling of SRV and stuff we can just default to 127.0.0.1 instead of localhost (which in perfect hindsight is obviously what most other tools working with Tor do). I have done that in src:apt (which for technical reasons is where this part of apt-transport-tor lives), so our next major release (1.7) will include that.

If you don't want to wait you can set the option yourself of course, but note that due to an apt bug, apt will do a very pointless SRV query for IP addresses… (fixed as well in the next release) which kinda defeats the point. So you could also disable SRV queries – but that will affect all queries (Acquire::EnableSrvRecords "false";).

[I will keep that bug report open for the moment, so I can add a paragraph about this to the README and apply a tighter Recommends: apt (>= 1.7~something) when it's released.]

Best regards

David Kalnischkies
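As an added illustration of the point made in the mail (not code from David or from apt), the following audits an apt.conf fragment for proxy settings whose host is a DNS name rather than an IP literal, since a name like `localhost` triggers A/AAAA and, unless `Acquire::EnableSrvRecords` is off, SRV lookups that an untrusted resolver could answer. The sample config is constructed, and the `Acquire::tor::Proxy` key and the `Key "value";` line syntax are assumptions about how the option is written.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample apt.conf fragment: one weak setting (hostname),
# one corrected setting (IP literal), and SRV lookups disabled.
SAMPLE_CONF = """
Acquire::tor::Proxy "socks5h://localhost:9050/";
Acquire::http::Proxy "socks5h://127.0.0.1:9050/";
Acquire::EnableSrvRecords "false";
"""

# Matches the simple `Key "value";` form only (no nested {} blocks).
OPTION_RE = re.compile(r'^\s*([\w:+-]+)\s+"([^"]*)"\s*;')


def parse_apt_conf(text):
    """Return {option: value} for every `Key "value";` line in text."""
    opts = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def host_kind(url):
    """Classify the proxy URL's host as 'literal' (IP) or 'hostname'."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return "literal"
    except ValueError:
        return "hostname"


def audit_proxies(text):
    """List (option, host, lookups, suggested_value) for proxies whose
    host needs DNS. Assumes the IP-literal SRV bug mentioned in the mail
    is fixed, so a literal address causes no lookups at all."""
    opts = parse_apt_conf(text)
    srv_on = opts.get("Acquire::EnableSrvRecords", "true").lower() != "false"
    findings = []
    for key, value in opts.items():
        if key.endswith("::Proxy") and host_kind(value) == "hostname":
            host = urlsplit(value).hostname
            lookups = ["A/AAAA"] + (["SRV"] if srv_on else [])
            # Only localhost has an obvious literal replacement.
            fix = value.replace(host, "127.0.0.1") if host == "localhost" else None
            findings.append((key, host, lookups, fix))
    return findings
```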