On Sun, Apr 11, 2010 at 11:14:31PM +0100, Matthew wrote:
>> If you change the options, you should see polipo query your local dns
>> resolver either directly, or via gethostbyname.
>>
> But if you change it to "false" would that not be the safest option -
> from what I can gather in this situation Polipo would never do its own
> DNS.

As I understand it, the question is whether polipo should use the system
call named gethostbyname(), or if it should use its own internal
non-blocking dns resolve code. The question isn't "should polipo disable
dns resolves or not".

Back when I picked the "yes" answer, there were two reasons:

A) polipo's internal dns resolve code didn't look at /etc/hosts, so when
I set my proxy to localhost:9050, polipo would try to resolve "localhost",
and it ended up asking my ISP where "localhost" was. My ISP helpfully
answered 127.0.0.1, but what if my ISP had answered something else?
Really bad news.

B) There were some remote buffer overflows in polipo's internal dns
resolve code.

Given those, and since polipo shouldn't be doing any dns resolves anyway
when it's using a socks5 proxy, I figured I'd go for the choice that
exposed less surface area.

I'm not sure whether either of these bugs are fixed at present (ugh). So
I'd recommend sticking with yes (or true, I guess it's called now).

--Roger