Polipo config - what does this mean?

Discussion in 'privacy technology' started by dumpydonk, Apr 1, 2010.

Thread Status:
Not open for further replies.
  1. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I am wondering if anyone knows what this entry means and can translate this into some variant of non-techy English?

    # Uncomment this to disable Polipo's DNS resolver and use the system's
    # default resolver instead. If you do that, Polipo will freeze during
    # every DNS query:

    dnsUseGethostbyname = yes

    Thanks
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Hi dumpydonk,

    You can find out the answer to this question and many others by going to the Polipo developer's website and downloading the documentation PDF manual. Read section: 3.9 The domain name service.

    Look at the above link for the developer's website at the bottom of the webpage or in the right-hand panel near the top - they are both the same.

    The problem you cite in your message is because the value of dnsUseGethostbyname is not yes or no, but true and false. Lean toward false if possible, otherwise, your default ISP DNS server may be involved. I have my router's IP address specified in my /etc/resolv.conf file, and in my router I have configured OpenDNS for the primary and secondary DNS servers in both the wired and wireless entries.

    -- Tom
     
    Last edited: Apr 1, 2010
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    That command is to:
    Gets the DNS information for the specified DNS host name
    http://msdn.microsoft.com/en-us/library/system.net.dns.gethostbyname.aspx

    and the DNS resolver is all to do with caching the results of DNS queries (internet names), including queries that fail to resolve. The results get stored in a DNS cache that in turn is made available to the browser or anything that can make use of it, and all of that should speed up the action (because the answer is that much quicker being stored locally rather than finding out on the net every time).

    So the option allows you to choose between Polipo's built-in DNS resolver or using the Windows or Linux built-in one.
     
  4. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I see your point and have now read the manual. I have no idea why my config file said "yes".

    I wonder how Polipo would have processed this since "yes" does not exist as an answer?

    Anyhow, according to section 3.9 of the Polipo .pdf there are four choices: false, reluctantly, happily, and true.

    By "resolver" I assume this is something where my computer will contact the local DNS server (that is, my ISP's DNS)?

    The problem I have is that I am not on a home network but an academic network. I cannot, for example, use ICMP because this is blocked, nor can I set my own DNS servers in resolv.conf. I tried to do exactly what you have done with OpenDNS and the Internet was uncontrollable.

    Therefore I have set the config file to "reluctantly" since I do not think I am able to use a DNS other than my ISP's DNS. Does that sound OK?

    Anyhow, if all DNS requests are processed through Polipo then Tor, what is the problem if my ISP's DNS is used?

    Thanks.
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Hi dumpydonk,

    You have to modify a variable in the FF about:config file to get remote DNS: search for dns and you will find network.proxy.socks_remote_dns - modify it to True. At the moment, I am using a different browser, but I think there is another variable that also needs to be set to True. I posted about it in one of the privacy threads here.

    The point is that when you use your ISP's DNS servers, they can log your requests.

    -- Tom
     
  6. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    Thanks - I will test your about:config suggestion.

    Yes, but if I am using Tor, all they see is I have connected to the first Tor node.
     
  7. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    This is your previous post regarding about:config.

    I assume when you say that the ISP will log your DNS usage you mean if a user is using Firefox and Tor without any HTTP proxy. In that case, yes, DNS requests would leak.

    But I am sure most people use Polipo or Privoxy to pass browser DNS requests through Tor and therefore this leakage does not happen, right?

    Thanks again.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,091
    Unless they have not modified their browser configuration to use Tor exit node DNS servers.

    -- Tom
     
  9. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I think there is some confusion here.

    If you are using Tor (with no HTTP proxy) then network.proxy.socks_remote_dns must be "true". If it is "false" then viewing the Tor log file shows multiple complaints of leakage.

    However, if you are using Tor with Polipo or Privoxy then it does not matter what network.proxy.socks_remote_dns says. This is because the HTTP proxy is intercepting DNS requests and pushing them through Tor.

    I have tested Firefox as follows:

    Tor with network.proxy.socks_remote_dns true = no leak.
    Tor with network.proxy.socks_remote_dns false = leak.
    Tor and Polipo with network.proxy.socks_remote_dns true = no leak.
    Tor and Polipo with network.proxy.socks_remote_dns false = no leak.

    See:

    For a long time Firefox did not send DNS queries through the SOCKS5 proxy so often people had to use the Privoxy - SOCKS4a proxy server with it. Today it is no longer needed and you can avoid Privoxy (assuming you don't want to use it for its ad filtering or caching abilities). However the option to send queries through the proxy is not enabled by default in Firefox. To enable it go to the about:config dialog, find the item network.proxy.socks_remote_dns and set it to true.

    http://sysphere.org/~anrxc/j/articles/tor/index.html

    And from the official documentation:

    An HTTP proxy is not needed between a web browser and Tor for functionality. It's there to work around bugs in the Firefox SOCKS layer. In modern Firefox 3.0 and newer, there is an option called "network.proxy.socks_remote_dns" that is set by Torbutton. This forces DNS lookups over the configured SOCKS proxy server, which with Torbutton, is Tor.

    Other apps may leak dns requests, these can be captured by setting a DNSPort or iptables tricks, or using a proxy between the app and tor.

    https://blog.torproject.org/blog/tor-02120-released
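
Added example (not part of any post in this thread): a small Python check for the "complaints of leakage" in the Tor log that the last post uses to tell the leaking and non-leaking configurations apart. The log lines are constructed, and the warning wording the pattern matches is an assumption that may need adjusting for your Tor version.

```python
import re
from collections import Counter

# Tor logs a warning when a SOCKS client hands it a bare IP address instead
# of a hostname: the application resolved the name itself, outside Tor.
# Assumption: the message wording below; adjust for your Tor version.
LEAK_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[warn\] "
    r"Your application \(using (?P<proto>socks4|socks5) to port (?P<port>\d+)\) "
    r"is giving Tor only an IP address"
)

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
Apr 01 10:15:02.114 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Apr 01 10:15:40.871 [warn] Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information.
Apr 01 10:15:41.020 [warn] Your application (using socks5 to port 443) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information.
Apr 01 10:16:03.377 [warn] Your application (using socks5 to port 80) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information.
Apr 01 10:20:00.000 [notice] Heartbeat line (constructed).
"""


def find_dns_leak_warnings(log_text):
    """Return (timestamp, socks_protocol, port) for each leak warning."""
    hits = []
    for line in log_text.splitlines():
        m = LEAK_RE.match(line)
        if m:
            hits.append((m["ts"], m["proto"], int(m["port"])))
    return hits


def summarize(hits):
    """Count warnings per (protocol, destination port)."""
    return Counter((proto, port) for _, proto, port in hits)


if __name__ == "__main__":
    hits = find_dns_leak_warnings(SAMPLE_LOG)
    # A URL typed as a literal IP address also triggers this warning,
    # so review the timestamps before treating every hit as a leak.
    for (proto, port), count in sorted(summarize(hits).items()):
        print(f"{count} warning(s): {proto} client connecting to port {port}")
    print("first seen:", hits[0][0] if hits else "none")
```

Run it against the log after each configuration change (with and without Polipo, with socks_remote_dns true and false); zero hits during normal browsing corresponds to the "no leak" rows in the test list above.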
     