
Also directly related, how are the DNS servers queried when using proxychains? Assume I'm using Tor for proxychains.

If I uncomment the DNS part of proxychains.conf, my requests supposedly get sent straight to the Tor network. If this is the case, how is DNS resolving done? At what point? Does uncommenting that line in the conf file avoid the querying of my ISP's DNS server, and if so then how?

Many thanks.

4u53r

1 Answer


Part of this boils down to how proxychains works in general. In order to proxy traffic from arbitrary programs (that may or may not have proxy support), proxychains uses the LD_PRELOAD environment variable to load itself as a shared library into the program that is being called. Since it is "pre"-loaded, the functions exposed by the proxychains library take precedence over others, e.g. libc. This allows it to hook certain network-related functions.

For example, when the program calls connect() on a TCP socket, proxychains has replaced the real connect() function with its own, one that instead knows how to shove the traffic through your configured proxies.

The same applies for DNS, although it is a slightly special case. The application will make a call to gethostbyname() (obsolete) or getaddrinfo() to perform DNS resolution. If the proxy_dns option is not specified in the configuration file, proxychains will call the unaltered libc function, resolving DNS normally through your system. If the proxy_dns option is present, it will instead redirect both functions ultimately to a modified version of gethostbyname() that is somewhat more complicated.

This modified version actually doesn't do any DNS resolution at all. Instead, it creates a fake IP address in the reserved 224.x.x.x or 225.x.x.x range, and maps your requested hostname to it in a table (e.g. 224.1.2.3 --> www.example.com). This will come in handy later.

The application then makes a connection to the fake address returned above (224.1.2.3). proxychains' hooked connect() will then set up a connection to the configured proxy. It will then look up the fake IP address in the DNS table to retrieve the original hostname that you were requesting (proxychains says: `224.1.2.3? That was "www.example.com"`). Depending on the type of proxy in use, it will request a connection to the original hostname through the proxy. The proxy performs the DNS requests on your behalf since it is the one making a connection to the real destination.

Specifically in your case, if you were to run:

$ proxychains curl https://example.com

The Tor SOCKS5 server will receive a request from proxychains such as:

Hello server! Connect me to www.example.com:443

The Tor SOCKS5 server will then handle everything, performing DNS resolution and sending your packets over the Tor network.

TL;DR: When the proxy_dns setting is enabled, no real DNS requests are made (or needed) from your end.

Source: Read the source code at https://github.com/haad/proxychains/

multithr3at3d
  • Is it the entry or exit relay/node that does the DNS resolving? The first or last proxy in the chain query a DNS server, and get the IP address? Also, what's the point of assigning a fake IP? Why not just have the domain name as is sent to the proxy to query? Thank you. – 4u53r Jan 21 '20 at 15:14
  • Here's an answer on DNS: https://tor.stackexchange.com/a/26. For your other question, it's because the hooked application calls `connect()`, which requires an IP address, not hostname. The fake IP address allows proxychains to look up the originally requested hostname when it translates that connect call to a proxy connection. – multithr3at3d Jan 22 '20 at 00:27
  • Thanks for the link, glad it ended up being the exit, because using the entry one would seem like a security flaw. So does connect() need DNS resolving to take place before being executed, because it requires an IP address and not a domain name? Is this why a fake IP is used temporarily, just so connect() can run on the host before packets are sent through the Tor network? – 4u53r Jan 28 '20 at 14:27
  • @4u53r yeah, that about sums it up. If you look at any C program that makes network connections, you should see the call to `gethostbyname`/`getaddrinfo` before `connect` is called for exactly that reason. – multithr3at3d Jan 28 '20 at 23:48
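The mechanism the answer and the comments describe, as an added constructed example (not proxychains' own code): a hooked resolver that hands the application a fake 224.x.x.x address without sending any DNS query, the reverse table the hooked connect() consults, and the SOCKS5 CONNECT request that carries the hostname itself so the proxy resolves it. The helper names fake_ip_for, hostname_for and build_socks5_connect and the simplified 224.0.0.x numbering are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed model of the proxy_dns path. Real proxychains uses a wider
 * 224.x.x.x range; this example keeps one byte of index for brevity. */
#define MAX_FAKE 255
static char fake_table[MAX_FAKE][256];   /* index i  <->  224.0.0.(i+1) */
static int fake_count = 0;

/* Stand-in for the hooked gethostbyname(): returns a fake address in
 * network byte order and records the hostname. No DNS traffic is sent. */
uint32_t fake_ip_for(const char *host) {
    for (int i = 0; i < fake_count; i++)
        if (strcmp(fake_table[i], host) == 0)
            return htonl(0xE0000000u | (uint32_t)(i + 1));   /* 224.0.0.x */
    if (fake_count >= MAX_FAKE || strlen(host) > 255) return 0;
    strcpy(fake_table[fake_count], host);
    return htonl(0xE0000000u | (uint32_t)(++fake_count));
}

/* Reverse lookup done by the hooked connect(): 224.0.0.x -> hostname,
 * or NULL when the address is a real one (then connect proceeds by IP). */
const char *hostname_for(uint32_t ip_be) {
    uint32_t ip = ntohl(ip_be);
    if ((ip & 0xFFFFFF00u) != 0xE0000000u) return NULL;
    uint32_t idx = ip & 0xFFu;
    if (idx == 0 || idx > (uint32_t)fake_count) return NULL;
    return fake_table[idx - 1];
}

/* SOCKS5 CONNECT request (RFC 1928) using ATYP 0x03 (domain name):
 * VER=5 CMD=1 RSV=0 ATYP=3 LEN name PORT(2 bytes, big endian).
 * The proxy, not the client, resolves the name. Returns bytes written,
 * or -1 if the address is not a fake one or the buffer is too small. */
int build_socks5_connect(uint32_t ip_be, uint16_t port, uint8_t *out, size_t cap) {
    const char *host = hostname_for(ip_be);
    if (!host) return -1;
    size_t n = strlen(host);
    if (cap < 7 + n) return -1;
    out[0] = 0x05; out[1] = 0x01; out[2] = 0x00; out[3] = 0x03;
    out[4] = (uint8_t)n;
    memcpy(out + 5, host, n);
    out[5 + n] = (uint8_t)(port >> 8);
    out[6 + n] = (uint8_t)(port & 0xFF);
    return (int)(7 + n);
}
```

A capture of the proxy connection would therefore show the literal hostname inside the SOCKS5 request and no UDP/53 traffic from the client, which is the check to run when verifying that proxy_dns is actually in effect.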