Clarify that ClientRejectInternalAddresses also rejects mDNS *.local hosts

Fixes #17070.

3 files changed, 8 insertions, 2 deletions

diff --git a/changes/17070 b/changes/17070
new file mode 100644
index 0000000000..ffe616f38d
--- /dev/null
+++ b/changes/17070
@@ -0,0 +1,4 @@
+  o Documentation (SOCKS connections):
+    - Clarify that when `ClientRejectInternalAddresses` is enabled (which is the
+      default), multicast DNS hostnames for machines on the local network (of
+      the form *.local) are also rejected.  Closes ticket 17070.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index aa3859e0fe..c4219d96b0 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1414,7 +1414,8 @@ The following options are useful only for clients (that is, if
     If true, Tor does not try to fulfill requests to connect to an internal
     address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
     specifically requested__ (for example, via a .exit hostname, or a
-    controller request).  (Default: 1)
+    controller request).  If true, multicast DNS hostnames for machines on the
+    local network (of the form *.local) are also rejected.  (Default: 1)
 
 [[DownloadExtraInfo]] **DownloadExtraInfo** **0**|**1**::
     If true, Tor downloads and caches "extra-info" documents. These documents
diff --git a/src/common/address.c b/src/common/address.c
index 773e688554..fa6630ef92 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -2100,7 +2100,8 @@ get_interface_address,(int severity, uint32_t *addr))
 }
 
 /** Return true if we can tell that <b>name</b> is a canonical name for the
- * loopback address. */
+ * loopback address.  Return true also for *.local hostnames, which are
+ * multicast DNS names for hosts on the local network. */
 int
 tor_addr_hostname_is_local(const char *name)
 {