Cloudflare Integrates a Tor Hidden Service into Its DNS Services
Cloudflare has launched a Tor-integrated version of its DNS service. The service is a Domain Name System (DNS) resolver, which maps names such as ‘cloudflare.com’ to their corresponding numerical IP addresses. This helps locate where a given domain is hosted and match it to the servers and hardware behind it, so that the domain name leads back to the details of who controls and owns a particular website.
According to Cloudflare, the service wipes its logs and never writes client IP addresses to them; the company says that most privacy-sensitive users may never have wanted to disclose their IP address to the resolver in any case, a decision it respects.
Cloudflare global outage
In a statement, Cloudflare announced that there had been an outage of the resolver service, and that it was caused by a glitch in its own system rather than a cyber-attack: “Thanks to a coding oversight in our Gatebot DDoS mitigation pipeline.”
Gatebot protects against many different types of DDoS attack at Layer 7, Layer 4 and Layer 3 by collecting and measuring live traffic to automatically detect malicious traffic, choose the appropriate mitigation logic and execute it at the edge.
After the new code release, Gatebot immediately began treating resolver traffic on Cloudflare’s network as an attack and locking it down. One of the changes in the release automated the process by which Gatebot determines whether an address is a Cloudflare IP address, and the developer had failed to carry over an IP address range exception during the integration.
According to a post by the company:
Provision API is a RESTful API that is simply used to give this kind of information. Before it existed, Gatebot had to do a full configuration to determine whether an IP address is Cloudflare’s by reading a long list of networks from a hand-coded file, hence we integrated new code that linked Gatebot to Provision API. What was not included by the coders was Gatebot’s hand-coded list of Cloudflare addresses in a manual exception for the 188.8.131.52/24 and 184.108.40.206/24 recursive DNS resolver IP ranges. The whole idea of the fix was simply getting rid of the manual hand-coded gotchas. Gatebot, the DDoS automatic mitigation logic system, is very powerful and we failed to conduct a thorough test of the changes. However, we are using this incident to work on and improve our internal systems.
It is a cautionary tale for those tasked with coding the complex algorithms that go into automated mitigation logic. The resolver’s address, dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion, which is reachable through tor.cloudflare-dns.com, is as complex as it looks because it encodes the public key used to encrypt communication with the hidden service. The service uses the HTTP Alt-Svc header to tell the browser where and how to reach the resource. The post notes that this is supported by Mozilla’s Firefox Nightly, which accepts a .onion address as an alternative service.
This header tells the browser that the .onion address is available for tor.cloudflare-dns.com over a SOCKS proxy, after which the browser checks security information such as the server name and certificates. If the security details check out, the browser sends requests to the alternative service, the hidden Tor resolver, ensuring that your subsequent requests do not leave the Tor network.
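As an added example (not code from Cloudflare’s post), the following shows how a client could parse an Alt-Svc value and accept only a well-formed v3 .onion alternative; the header value is constructed here to match the format described above, and the onion address is the one quoted in the article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Alt-Svc value in RFC 7838 syntax: the origin
# tor.cloudflare-dns.com advertising its hidden-service address.
SAMPLE_ALT_SVC = (
    'h2="dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443"; '
    'ma=86400; persist=1'
)

# A v3 onion address is 56 base32 characters followed by ".onion".
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")


@dataclass
class AltService:
    protocol: str
    host: str      # empty string means "same host as the origin"
    port: int
    max_age: int   # seconds the alternative may be cached


def parse_alt_svc(value: str) -> list[AltService]:
    """Parse an Alt-Svc header value into its alternative services."""
    services = []
    for entry in value.split(","):
        params = [p.strip() for p in entry.split(";") if p.strip()]
        proto, _, authority = params[0].partition("=")
        authority = authority.strip('"')
        host, _, port = authority.rpartition(":")
        max_age = 86400  # RFC 7838 default when "ma" is absent
        for p in params[1:]:
            key, _, val = p.partition("=")
            if key.strip() == "ma":
                max_age = int(val)
        services.append(AltService(proto.strip(), host, int(port), max_age))
    return services


def pick_onion_alternative(value: str) -> Optional[AltService]:
    """Return the first alternative whose host is a well-formed v3 .onion.

    Only such an alternative should be routed through the Tor SOCKS proxy;
    the caller must still verify the TLS certificate for the origin name,
    as the article describes, before sending requests to it.
    """
    for svc in parse_alt_svc(value):
        if ONION_V3.match(svc.host):
            return svc
    return None
```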
According to Cloudflare, the package offers several other protections by providing a hidden service:
In particular, users are protected against deanonymization attacks and malicious exit nodes, which can unmask a user’s browsing details or even strip SSL. The only complete solution to such attacks is to eliminate the need for exit nodes altogether by using a hidden service instead. Where a client does not directly support encrypted DNS queries, using the hidden resolver service also secures the connection against on-path attacks and BGP hijacking.
The post goes on to give instructions on how to configure the Cloudflare daemon to use the service. Users are also reminded not to use the service in production, since it is still at an early, experimental stage.