What information leaks through local DNS lookups when torrenting?

1

0

Using uTorrent + a Socks5 Proxy for anonymity, what kind of information might leak through local DNS lookups?

Here's my current config:

[image: connection setup]

As you can see, I enabled local DNS lookups, and it severely improves uTorrent's handling of magnet links (as in they finally work), but naturally I'm wondering what the side effects are.

Thanks for your help!

Edit: I am particularly wondering about whether this will allow third parties to identify one personally, for example, because you may be downloading copyrighted material. Assuming, of course, the Proxy holds its promise and leaks no information. What do these local DNS lookups actually do?

zuiqo

Posted 2014-11-22T18:41:48.597

Reputation: 676

Your ISP can see any data that you send in plain-text, not only DNS, and maybe other hackers/organizations can too. The only solution for information leak is to use a VPN service. The cost is usually a few dollars per month. – harrymc – 2014-11-26T13:22:19.680

Answers

1

With DNS leaking from your machine, the only information that can be obtained is which IPs you are trying to connect to. Unfortunately, this is not a small piece of information, as it can tell a lot about your activities online, and you have to do something about it if you are really concerned.

From a torrent perspective, it will be looking for trackers and/or peers by using the DNS protocol (some of them, not all, as most of them use IPs, not domains). Also note that it may be possible to know that you are running torrent software (i.e., if your connection to the SOCKS proxy server you are passing your traffic through isn't encrypted), and by monitoring your DNS traffic, it's also possible to detect/guess/narrow the information you are downloading. So if by third parties you mean individuals in your local network, then yes, it's possible to identify you, but from outside your local network and without the help from the inside, it's very hard to locate you in a legal way.

On the TOR project website, the following information can help you get a better understanding of how to handle the problem:

There are 3 versions of SOCKS you are likely to run into:

SOCKS 4 (which only uses IP addresses).

SOCKS 5 (which usually uses IP addresses in practice).

SOCKS 4a (which uses hostnames).

So what can you do? TOR project described the following solutions:

  • If your application speaks SOCKS 4a, use it.
  • Tor ships with a program called tor-resolve that can use the Tor network to look up hostnames remotely; if you resolve hostnames to IPs with tor-resolve, then pass the IPs to your applications, you'll be fine. (Tor will still give the warning, but now you know what it means.)

My suggestion is: if you are really concerned about anonymity, you can use software like tor-resolve, especially while SOCKS 4a proxies are not always available.

As security and anonymity are always a trade-off with reliability, you have to choose how to fetch the magnet, the secure hard/slow way or the not necessarily secure but faster way.

Ash

Posted 2014-11-22T18:41:48.597

Reputation: 133

Thanks! Could you clarify "very hard to locate you in a legal way" please? – zuiqo – 2014-12-02T13:42:09.427

Getting inside a local network isn't legal without the permission of the network's owner; that's why I've mentioned "but from outside your local network and without the help from the inside". In order to try to locate you from outside, they have to kind of break into the network, as networks usually use NATing technology or something similar, thus making it difficult to normally map the requests to you, but with the help of, let's say, malware, they can make it do the nasty stuff for them. Invading of privacy illegally happened a few weeks ago when authorities took down a black market server. – Ash – 2014-12-03T07:19:50.730

Till the day I left following the lawyers' war between authorities and the owners of the black market server that was taken down (which was even located outside the USA), the authorities didn't clarify how they disclosed the server's location, nor did they provide any information regarding the defense claims that they did it in an illegal way, so this made a new record in invading privacy (not discussing here if it's for a good reason or not, of course!). – Ash – 2014-12-03T07:23:54.520
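The SOCKS versions listed in the answer above differ in whether the request carries a hostname (the proxy resolves it) or an IP address; SOCKS5 can carry either form. The following is an added example, not code from the original posts or from the Tor project, that classifies a captured SOCKS CONNECT request; the tracker name, address and port are constructed placeholders.

```python
import ipaddress
import struct

def classify_socks_request(data: bytes) -> dict:
    """Say whether a SOCKS CONNECT request carries a hostname or an IP."""
    ver = data[0]
    if ver == 5:
        # SOCKS5 (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT
        atyp = data[3]
        if atyp == 0x01:                       # IPv4 literal
            kind, addr, rest = "ip", str(ipaddress.IPv4Address(data[4:8])), data[8:]
        elif atyp == 0x04:                     # IPv6 literal
            kind, addr, rest = "ip", str(ipaddress.IPv6Address(data[4:20])), data[20:]
        elif atyp == 0x03:                     # length-prefixed domain name
            n = data[4]
            kind, addr, rest = "hostname", data[5:5 + n].decode("ascii"), data[5 + n:]
        else:
            raise ValueError(f"unknown ATYP {atyp:#x}")
        port = struct.unpack("!H", rest[:2])[0]
    elif ver == 4:
        # SOCKS4: VN CD DSTPORT DSTIP USERID NUL
        # SOCKS4a: DSTIP is 0.0.0.x (x != 0) and a NUL-terminated hostname follows USERID
        port = struct.unpack("!H", data[2:4])[0]
        ip = data[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            user_end = data.index(b"\x00", 8)
            host_end = data.index(b"\x00", user_end + 1)
            kind, addr = "hostname", data[user_end + 1:host_end].decode("ascii")
        else:
            kind, addr = "ip", str(ipaddress.IPv4Address(ip))
    else:
        raise ValueError(f"not a SOCKS4/5 request: version {ver}")
    # "hostname": the proxy resolves the name, no local DNS query is needed.
    # "ip": the client already had an address, from a local lookup or a peer list.
    return {"version": ver, "kind": kind, "addr": addr, "port": port,
            "proxy_resolves": kind == "hostname"}

# Constructed sample requests (hostname and addresses are placeholders).
HOST = b"tracker.example.org"
SOCKS5_NAME = b"\x05\x01\x00\x03" + bytes([len(HOST)]) + HOST + struct.pack("!H", 6969)
SOCKS5_IP = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + struct.pack("!H", 6969)
SOCKS4A = b"\x04\x01" + struct.pack("!H", 6969) + b"\x00\x00\x00\x01" + b"\x00" + HOST + b"\x00"

if __name__ == "__main__":
    for req in (SOCKS5_NAME, SOCKS5_IP, SOCKS4A):
        print(classify_socks_request(req))
```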

1

This comes to mind:

  • IP addresses of your peers via lookups or possibly reverse lookups
  • trackers you are using

Vlastimil Ovčáčík

Posted 2014-11-22T18:41:48.597

Reputation: 1 835

1

Why not find out yourself what kind of information you might be leaking? Since DNS lookups are the only proxy privacy setting you've not disabled, you can use Process Monitor to look for UDP Send operations initiated by uTorrent.

With uTorrent running and configured to use the SOCKS proxy, launch Process Monitor and set the filter to include events from uTorrent with the UDP Send operation like this: [image: Procmon UDP Send filter]

Click OK and when uTorrent performs DNS lookups, they will be logged by Process Monitor.

Vinayak

Posted 2014-11-22T18:41:48.597

Reputation: 9 310

0

The accepted answer is wrong.

A leaking DNS request does tell more than only the websites you are viewing. If for example you use the DNS of your ISP, a DNS request will leak which ISP you are using. As an attacker all you have to do is to run your own DNS server.

If you use a public DNS server like the one of Google you could still leak some details of your IP via edns-client-subnet.

tobltobs

Posted 2014-11-22T18:41:48.597

Reputation: 101
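To see what a locally sent DNS lookup exposes once captured, and what the edns-client-subnet option mentioned in the last answer adds, here is an added example (not code from the original posts) that parses a raw DNS query payload. The sample message is constructed, uses a placeholder tracker name and a documentation prefix, and the parser assumes an uncompressed query whose only additional record is the OPT record.

```python
import ipaddress
import struct

def parse_dns_query(msg: bytes) -> dict:
    """Extract the queried name and any EDNS Client Subnet from a DNS query."""
    _id, _flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, labels = 12, []
    while msg[pos] != 0:                       # QNAME: length-prefixed labels
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    pos += 5
    out = {"qname": ".".join(labels), "qtype": qtype, "client_subnet": None}
    # In a query the additional section follows the question directly;
    # an OPT pseudo-record has the root name (0x00) and type 41.
    if an == 0 and ns == 0 and ar >= 1 and msg[pos] == 0:
        rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos += 11
        end = pos + rdlen
        while rtype == 41 and pos + 4 <= end:
            code, olen = struct.unpack("!HH", msg[pos:pos + 4])
            data = msg[pos + 4:pos + 4 + olen]
            if code == 8:                      # EDNS Client Subnet (RFC 7871)
                family, src_len, _scope = struct.unpack("!HBB", data[:4])
                raw = data[4:].ljust(4 if family == 1 else 16, b"\x00")
                out["client_subnet"] = f"{ipaddress.ip_address(raw)}/{src_len}"
            pos += 4 + olen
    return out

# Constructed sample: A query for a placeholder tracker name, carrying an
# ECS option for the documentation prefix 198.51.100.0/24.
ECS = struct.pack("!HHHBB", 8, 7, 1, 24, 0) + bytes([198, 51, 100])
SAMPLE = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
          + b"\x07tracker\x07example\x03org\x00" + struct.pack("!HH", 1, 1)
          + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(ECS)) + ECS)

if __name__ == "__main__":
    print(parse_dns_query(SAMPLE))
```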