qbittorrent / qBittorrent

qBittorrent BitTorrent client
https://www.qbittorrent.org

DHT is wrongly implemented #10042

Open buzztiaan opened 5 years ago

buzztiaan commented 5 years ago

qBittorrent version and Operating System

All that I can see

What is the problem

DHT doesn't follow specification

What is the expected behavior

only using discovered nodes to seed DHT

Steps to reproduce

use DHT

Extra info(if any)

Using DHT contacts centralized servers to seed for peers; this leads to zero privacy for the qBittorrent users

https://github.com/qbittorrent/qBittorrent/blob/fc08091765bce91f1e2ceeb8056ab3621f0c2250/src/base/bittorrent/session.cpp#L1424

from the original spec; http://www.bittorrent.org/beps/bep_0005.html

> A trackerless torrent dictionary does not have an "announce" key. Instead, a trackerless torrent has a "nodes" key. This key should be set to the K closest nodes in the torrent generating client's routing table. Alternatively, the key could be set to a known good node such as one operated by the person generating the torrent. Please do not automatically add "router.bittorrent.com" to torrent files or automatically add this node to clients routing tables.

sledgehammer999 commented 5 years ago

And if no torrent provides valid/existing nodes then we will fail to connect to the DHT.

I think you have a misguided concern for privacy here. In the DHT you literally advertise your IP and say "hey guys I have these torrents to offer" and you associate your IP with a bunch of infohashes.

But for you to enter the DHT you have to start from a known node/participant of the DHT. Connect to it and work your way into your correct place in the DHT (network topology IIRC). The above routers (e.g. router.bittorrent.com) provide a quick and easy way to enter the DHT (aka bootstrapping). They reply to you with a bunch of DHT nodes and disconnect from you. Then you use those nodes to connect further into the DHT.

I think the warning they have put into the BEP was so that the router (aka server) won't get overloaded by a multitude of requests.

Seeker2 commented 5 years ago

Is this ignoring the proxy/VPN IP settings and instead reporting the real IP address to the DHT servers?!

sledgehammer999 commented 5 years ago

> Is this ignoring the proxy/VPN IP settings and instead reporting the real IP address to the DHT servers?!

This is handled by libtorrent. I assume that it will use the configured proxy. If it doesn't then it is a bug. Same goes for the VPN.

buzztiaan commented 5 years ago

the nuance is just that it should only happen when no prior DHT clients are known

Chocobo1 commented 5 years ago

> the nuance is just that it should only happen when no prior DHT clients are known

Reading from libtorrent doc it is already done this way:

> This is a comma-separated list of IP port-pairs. They will be added to the DHT node (if it's enabled) as back-up nodes in case we don't know of any. This setting will contain one or more bootstrap nodes by default.
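
The fallback order discussed in this thread (already-known nodes first, then the torrent's BEP 5 "nodes" key, a bootstrap router only when nothing else is known), as an added Python example that is not part of the thread and not qBittorrent or libtorrent code. The function names, the sample torrent and the router port are assumptions made for illustration.

```python
# Added example: DHT bootstrap source selection. Not qBittorrent/libtorrent code.

def bdecode(data, i=0):
    """Minimal bencode decoder; returns (value, index after the value)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError(f"bad bencode at offset {i}")

def torrent_nodes(torrent_bytes):
    """Return well-formed (host, port) pairs from the BEP 5 "nodes" key."""
    meta, _ = bdecode(torrent_bytes)
    nodes = meta.get(b"nodes") if isinstance(meta, dict) else None
    return [(n[0].decode("ascii", "replace"), n[1])
            for n in (nodes if isinstance(nodes, list) else [])
            if isinstance(n, list) and len(n) == 2
            and isinstance(n[0], bytes) and isinstance(n[1], int)
            and 0 < n[1] < 65536]

def bootstrap_candidates(saved_nodes, torrent_bytes, fallback_routers):
    """Pick who to contact first; central routers only when nothing is known."""
    if saved_nodes:
        return "routing-table", list(saved_nodes)
    nodes = torrent_nodes(torrent_bytes)
    if nodes:
        return "torrent-nodes", nodes
    return "fallback-router", list(fallback_routers)

# Constructed sample data (documentation IP ranges; router port is assumed).
TORRENT = b"d4:infod4:name4:demoe5:nodesll10:192.0.2.10i6881eel12:198.51.100.7i51413eeee"
FALLBACK = [("router.bittorrent.com", 6881)]
```

Logging the returned source label on each start shows how often a client actually falls back to a central router, which is the case the privacy concern in this issue is about.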

Seeker2 commented 5 years ago

DHT may be passing internal IP address for similar reasons that this happens: 4.1.5 send internal IP to tracker if network interface selected https://github.com/qbittorrent/qBittorrent/issues/10051

katastrophe92 commented 1 year ago

Hello. Hello 👋. NextDNS is blocking dht.aelitis.com. Should I place it on the DNS allowlist? Thanks!

luzpaz commented 11 months ago

Is this an upstream libtorrent issue then?