benjojo
commented
2 years ago Amusingly I just shutdown six-onions since v2 services are end of life. I was thinking about how to do v3, and concluded a custom DNS server and (redirected IPv6 range + proxy translator) (just like in the original six-onions)
The idea being I think similar to what you suggested, is that you "mint" v6 addresses on demand that link the the much longer onion addresses to v6 addresses. And have some long ish TTL for them (like 24 hours) and a rate limit to prevent database growth based attacks.
ivucica
github-actions[bot]
KnockKnockWho
Is your feature request related to a problem? tun2socks would be a cool way to access not just the public Internet over SOCKS proxies including Tor, but also Tor hidden services -- and do so with programs that are otherwise unaware of SOCKS4A or SOCKS5. In fact, it could transparently tunnel other devices on the network.
However, this means IP-based systems need to be able to resolve the hostnames to some IP address before even attempting the connection, and tun2socks needs to be aware of what hostname to use in the request from the SOCKS server (as the IP address would simply not work).
Tor happens to use either:
Describe the solution you'd like v2 hostnames are mappable to IPv6: 80 bits fits into a /48. This was previously done by @benjojo: a small nameserver resolving
AAAArecords, and an ip6tables-based redirection to a small Go program, which then tunnels traffic over SOCKS5 to Tor. See six-onions. The IPv6 netblock would be configurable.It feels like building this DNS server and the mapping-back-to-hostnames process into this tun2socks would be a cleaner solution. Perhaps it could listen for UDP+TCP traffic on a configurable IPv4 or IPv6 address, or be disabled and don't try to forcibly turn hostnames back into hostnames.
Since Tor's v3 hostnames mean the above hack conveniently fitting 80-bits into an IPv6 address won't work, a more generalized solution (which then works for non-Tor situations as well) would be better in either Ben's work, or here:
mapwith maximum capacity, or with a TTL on each entry, mapping IPv6 address in the 'general traffic' netblock to a hostnamemap, and use appropriate hostname when talking to the SOCKS5 proxy accordinglymapThis might complicate the
proxy/socks5.gocode, so it may make sense to create a new wrapper around the socks5 implementation.Describe alternatives you've considered Hypothetically all this could be done outside of tun2socks -- but it seems like tun2socks is the perfect place to inspect that
map.For instance, one could write a combined SOCKS5 proxy+local DNS server in front of the actual SOCKS5 proxy such as Tor, which would replace the IPv6 address provided by tun2socks with the hostname recorded by the DNS server during the AAAA record resolution, and only then pass on traffic to Tor.
Another alternative is to patch up @benjojo's work, but this seems like an even hackier approach.
All in all, I feel like this belongs inside tun2socks -- as long as it can be switched off for use cases that do not require this.
Additional context I've noticed that README_ZH.md is slightly different and that it explicitly says 'no DNS'. Machine translation:
I mostly agree with the statement about DHCP, and I mostly agree about DNS: however, the need to record AAAA->hostname reverse mapping makes this a difficult thing to pull off outside tun2socks, since tun2socks is the one that decides what hostname to use when talking to Tor.
A priori, I don't know enough about gVisor nor about the old go-tun2socks implementation to judge whether tun2socks is really the best place to do this.
Would you say this is worth exploring?