Warning: Squid Proxy Causes Unavoidable DNS Leaks!
Abstract
I (PowerPenguin) have just recently discovered that the Squid proxy server produces DNS leaks, which according to the Squid documentation, do not seem to be avoidable. As a result, Squid's caching and HTTP/FTP header filtering are not considered to be worth the danger of making it possible for an attacker to sniff your DNS requests. For this reason, I strongly suggest that all Tor users refrain from using Squid in conjunction with Tor until a fix is found (not likely in the foreseeable future, as of Sept, 2005).
- Fix: build Squid with the "--disable-internal-dns" configuration option.
Technical Details
A dangerous DNS leak results from using Squid in conjunction with Tor and Privoxy/socat because Squid insists on doing its own local DNS look-ups. There does not seem to be a way to disable this functionality, and thus force the proxy to tunnel its queries through the Tor network as required for security/anonymity. If you know of a way to fix this problem, please e-mail me or post to the mailing list, but as of now, all users should consider using Squid with Tor to be a critical security risk.
The good news about this recent research, however, is that Firefox 1.0.x does not appear to cause this same DNS leak behavior when used in conjunction with Tor+Privoxy only, as was originally the concern. The browser has been successfully tested with both SOCKS v4 and v5, and therefore, all versions of Firefox 1.0.5 and higher are considered to be safe from DNS leak problems. Please note, however, that 1.0.x versions prior to 1.0.5 have not been tested. These older builds do contain a few important security flaws unrelated to Tor, so it would probably be a good idea to upgrade to the latest Firefox version regardless.
Some of the solutions described in Preventing Tor DNS Leaks can proxy DNS requests using mapaddress and avoid leakage by Squid.
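A way to confirm whether your own proxy chain leaks, as an added example that is not part of this page: run "tcpdump -n port 53" on the Squid host while browsing through the chain, then feed the output to the check below, which flags every DNS query that left the proxy host directly instead of going through Tor. The capture lines, the proxy address 10.0.0.5 and the LAN resolver 10.0.0.1 are constructed for the example.

```python
import re

# tcpdump -n prints a DNS query as:
#   HH:MM:SS.uuuuuu IP SRC.PORT > RESOLVER.53: ID+ QTYPE? NAME. (LEN)
# Responses come back from port 53, so they do not match this pattern.
DNS_QUERY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>[^ ]+)\. "
)


def find_dns_leaks(capture_lines, proxy_host):
    """Return (timestamp, resolver, qtype, qname) for each DNS query the
    proxy host sent on the wire. On a host whose traffic is supposed to go
    out only through Tor's SOCKS port, every such query is a leak: the
    resolver (and anyone sniffing the path to it) learns the sites visited."""
    leaks = []
    for line in capture_lines:
        m = DNS_QUERY.match(line)
        if m and m.group("src") == proxy_host:
            leaks.append((m.group("ts"), m.group("dst"),
                          m.group("qtype"), m.group("qname")))
    return leaks


def leaked_names(capture_lines, proxy_host):
    """Just the hostnames exposed, deduplicated, for a quick report."""
    return sorted({qname for _, _, _, qname in find_dns_leaks(capture_lines, proxy_host)})


# Constructed capture: 10.0.0.5 runs Squid -> Privoxy -> Tor. The two queries
# to the LAN resolver 10.0.0.1 are the leak this page warns about; the query
# from 10.0.0.7 belongs to another machine and is not attributed to the proxy.
SAMPLE_CAPTURE = [
    "12:00:01.000100 IP 10.0.0.5.41234 > 10.0.0.1.53: 4711+ A? www.example.com. (33)",
    "12:00:01.000900 IP 10.0.0.1.53 > 10.0.0.5.41234: 4711 1/0/0 A 93.184.216.34 (49)",
    "12:00:01.002000 IP 10.0.0.5.41235 > 10.0.0.1.53: 4712+ AAAA? www.example.com. (33)",
    "12:00:03.500000 IP 10.0.0.7.50000 > 10.0.0.1.53: 9001+ A? intranet.corp. (31)",
]

if __name__ == "__main__":
    for ts, resolver, qtype, qname in find_dns_leaks(SAMPLE_CAPTURE, "10.0.0.5"):
        print(f"{ts} LEAK: {qtype} lookup for {qname} sent to {resolver}")
```

An empty result while pages load normally means the proxy never resolved names itself; with stock Squid in front of Tor you should expect to see every visited hostname listed.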
Reporting Tor Bugs
If you come across any bugs (security related or otherwise) in the Tor program, please use our online bug-tracking system. If you're not sure if a problem of yours is a program glitch or just a config/use problem, please see our mailing list or IRC channel. All related information can be found on this page.