Tuesday, August 29, 2006

Tor Detection and NXDOMAIN

An interesting problem with our Real-Time Tor Detection service, which we discovered while testing our Cloak On! privacy service: some Tor exit nodes are not listed in the Tor cached-routers file, so our service does not correctly identify the IP address as a Tor node. We suspect it is related to the IP address having status NXDOMAIN in the Domain Name System, but have not yet confirmed this. It may even be an anomaly in the Tor system itself, but we will gather more evidence before we contact the Tor developers with our findings.

Our Cloak On! privacy service has an option to use the Tor network for HTTP, HTTPS, and FTP access to any internet servers. Yesterday we found ourselves coming from IP address 149.9.0.27, which is apparently not a Tor node; but given that we were using the Tor network, we knew that it must be a Tor node. We could see this was an IP address owned by PSI (Performance Systems International) and apparently located in Washington, DC in the USA. But the DNS system advises that this domain does not exist (status NXDOMAIN) and has no corresponding domain name. Traceroute fails to find 149.9.0.27, as though it is hidden behind some servers in some way we do not yet understand. Traceroute gets as far as Rethem.demarc.congentco.com (also owned and operated by Performance Systems International, located in Washington, DC, but registered to Cogent Communications) but no further.

Update! We just found a discussion thread about this issue at http://archives.seul.org/or/talk/Aug-2006/threads.html which seems to indicate this is something the Tor developers are aware of and working to resolve. It appears that both 149.9.xxx.xxx and 154.35.xxx.xxx are part of this anomaly. Good news. We will follow up when we have more details...

Update Oct 7: Still no further developments on this issue. We believe there is a flaw in the Tor system that allows this, but we do not yet understand enough to develop a way to counter it, and we do not yet understand the comments about this issue posted by the Tor developers - which seem to indicate they do not consider this a significant issue!
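As an added example (not the Privacy Ecosystem service's code), here is a Python sketch of the lookup the post describes: parse descriptors in the cached-routers layout, mark a relay as an exit from its exit policy, and classify an address against the result. The descriptor text is constructed and the relays are fictitious; 149.9.0.27 is the address from the post, and its absence from the list is the failure mode the post reports.

```python
import ipaddress

# Constructed sample in the cached-routers descriptor layout (fictitious relays):
# each descriptor opens with "router <nick> <ip> <orport> <socksport> <dirport>"
# and carries an exit policy made of accept/reject lines in evaluation order.
SAMPLE_CACHED_ROUTERS = """\
router exitalpha 192.0.2.10 9001 0 9030
platform Tor 0.1.1.23 on Linux
published 2006-08-29 10:00:00
reject 0.0.0.0/8:*
accept *:80
accept *:443
reject *:*
router middlebeta 198.51.100.5 9001 0 0
published 2006-08-29 10:05:00
reject *:*
"""


def parse_cached_routers(text):
    """Return {ip: {"nickname": ..., "is_exit": bool}} from descriptor text."""
    relays = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router" and len(parts) >= 3:
            current = {"nickname": parts[1], "is_exit": False, "open": True}
            relays[parts[2]] = current
        elif current is not None and current["open"] and parts[0] in ("accept", "reject"):
            if parts[0] == "accept":
                current["is_exit"] = True  # some traffic may exit here
            elif len(parts) > 1 and parts[1] == "*:*":
                current["open"] = False    # catch-all reject ends the policy
    return relays


def classify(ip, relays):
    """Return "exit", "non-exit relay" or "unlisted" for an address.

    "unlisted" is not proof the address is outside Tor: the post above
    documents exit traffic arriving from an address absent from the file.
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    entry = relays.get(ip)
    if entry is None:
        return "unlisted"
    return "exit" if entry["is_exit"] else "non-exit relay"
```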

3 comments:

ericswan said...

I recently purchased a laptop with a wireless internet connection. I have a fixed IP but the laptop has indicated a "different" IP as the source of my connection. Dell is not one of my favorite corporations as far as privacy goes nor is Microsoft. What's going on here?

Privacy Ecosystem WebMaster said...

Do you see the "different" IP when you go to http://www.showmyip.com ?

What ISP and Owner/Org do you see on showmyip.com? Do they seem correct to you?

Having a fixed IP is relatively unusual in my experience - maybe you could speak with the ISP that supplied you - and bills you - for your fixed IP address?

On the other hand, I have heard from some customers who get a fixed IP address but are forced to go through their ISP's proxy for all internet access, and are limited in where they can browse to - maybe your wireless connection is allowing you to get around this restriction? Whose wireless router are you connecting through, if this is the case?

michael_google blogger_gersten said...

Actually, the "Tor nodes not being identified as a Tor node" issue still happens. My system -- which has a dynamic IP and a valid DNS lookup -- is one of the systems that is listed as "not a Tor node" when it is a busy Tor node (20-30 KB/s bandwidth for Tor).