Adam Borowski wrote:
> Hi!
> When a client tries to resolve an .onion name, bind will leak such a request
> to the outside internet (a forwarder or a root server). This is forbidden
> by RFC7686 which demands that both caching and authoritative servers return
> NXDOMAIN without looking that up.
>
> IP 10.0.1.6.45589 > 10.0.1.2.domain: 10992+ A? duskgytldkxiuqc6.onion. (40)
> IP 10.0.1.6.45589 > 10.0.1.2.domain: 5143+ AAAA? duskgytldkxiuqc6.onion. (40)
> IP 10.0.1.2.28166 > e.root-servers.net.domain: 5403% [1au] A?
> duskgytldkxiuqc6.onion. (51)
> IP 10.0.1.2.39325 > e.root-servers.net.domain: 51890% [1au] AAAA?
> duskgytldkxiuqc6.onion. (51)
> IP 10.0.1.2.60534 > e.root-servers.net.domain: 54017% [1au] NS? . (28)
> IP e.root-servers.net.domain > 10.0.1.2.28166: 5403 NXDomain*- 0/6/1 (654)
> IP e.root-servers.net.domain > 10.0.1.2.39325: 51890 NXDomain*- 0/6/1 (654)
>
> A fix would be to add to named.conf.default-zones
> zone "onion" {
> type master;
> file "/etc/bind/db.empty";
> };
Hi,
RFC 7686 registers the use of .onion into the IANA "Special-Use Domain
Names" registry, established by RFC 6761:
http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
https://tools.ietf.org/html/rfc6761
There's already a bug open to update BIND's set of empty zones to
conform with the behavior listed in the Special-Use registry, see
#55032. Yes, a 5-digit bug number :-)
--
Robert Edmonds
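As an added example that is not part of this thread: a small Python detector, modelled on the tcpdump lines Adam posted, that flags .onion queries a resolver sends upstream instead of answering NXDOMAIN locally. The capture text (one query per line, plus an extra www.example.com query) and the resolver address 10.0.1.2 are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample capture modelled on the report above; 10.0.1.2 is the
# local BIND resolver and 10.0.1.6 a client behind it.
SAMPLE_CAPTURE = """\
IP 10.0.1.6.45589 > 10.0.1.2.domain: 10992+ A? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.6.45589 > 10.0.1.2.domain: 5143+ AAAA? duskgytldkxiuqc6.onion. (40)
IP 10.0.1.2.28166 > e.root-servers.net.domain: 5403% [1au] A? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.39325 > e.root-servers.net.domain: 51890% [1au] AAAA? duskgytldkxiuqc6.onion. (51)
IP 10.0.1.2.60534 > e.root-servers.net.domain: 54017% [1au] NS? . (28)
IP e.root-servers.net.domain > 10.0.1.2.28166: 5403 NXDomain*- 0/6/1 (654)
IP 10.0.1.2.41000 > e.root-servers.net.domain: 31337% [1au] A? www.example.com. (45)
"""

# Top-level names a resolver must answer locally (RFC 7686 for .onion).
# Other entries from the RFC 6761 special-use registry can be added here.
LOCAL_ONLY_SUFFIXES = {"onion"}

# tcpdump query line: "IP src.port > dst.port: id flags [edns] TYPE? name. (len)"
QUERY_RE = re.compile(
    r"^IP (?P<src>\S+?)\.(?:\d+|domain) > (?P<dst>\S+?)\.(?:\d+|domain): "
    r"\d+[+%]?\s*(?:\[[^\]]*\]\s*)?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def is_special_use(qname: str) -> bool:
    """True if the rightmost label of qname is a locally served special-use TLD."""
    labels = [label for label in qname.lower().split(".") if label]
    return bool(labels) and labels[-1] in LOCAL_ONLY_SUFFIXES


def find_leaks(capture: str, resolver_ip: str) -> List[Tuple[str, str, str]]:
    """Return (qtype, qname, upstream) for special-use queries the resolver sent out."""
    leaks = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # response lines and anything that is not a DNS query
        if m["src"] == resolver_ip and is_special_use(m["qname"]):
            leaks.append((m["qtype"], m["qname"], m["dst"]))
    return leaks


if __name__ == "__main__":
    for qtype, qname, upstream in find_leaks(SAMPLE_CAPTURE, "10.0.1.2"):
        print(f"leak: {qtype} {qname} sent to {upstream}")
```

Queries from the client to the resolver are not reported; only those the resolver itself forwards toward a root server or forwarder count as leaks.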