author Nick Mathewson <nickm@torproject.org> 2007-08-27 15:33:58 +0000
committer Nick Mathewson <nickm@torproject.org> 2007-08-27 15:33:58 +0000
commit d3224bad42957bf2e1751c7a1731c8956e003530 (patch)
tree 02b92176af96af5ce487d47adfffe5d3fefba5f3 /doc
parent 0608ec71fdbd25da4195fd0e40ccd1bec7f3a0a5 (diff)
r14227@Kushana: nickm | 2007-08-27 11:33:28 -0400
Add a new ClientDNSRejectInternalAddresses option (default: on) to refuse to believe that any address can map to or from an internal address. This blocks some kinds of potential browser-based attacks, especially on hosts using DNSPort. Also clarify behavior in some comments. Backport candidate? svn:r11287
Diffstat (limited to 'doc')
-rw-r--r-- doc/tor.1.in 7
1 file changed, 7 insertions, 0 deletions
diff --git a/doc/tor.1.in b/doc/tor.1.in
index e53a89e263..1b57b17161 100644
--- a/doc/tor.1.in
+++ b/doc/tor.1.in
@@ -676,6 +676,13 @@ Bind to this address to listen for DNS connections.
(Default: 127.0.0.1).
.LP
.TP
+\fBClientDNSRejectInternalAddresses\fP \fR\fB0\fR|\fB1\fR\fP
+If true, Tor does not believe any anonymously retrieved DNS answer that tells
+it that an address resolves to an internal address (like 127.0.0.1 or
+192.168.0.1). This option prevents certain browser-based attacks; don't turn
+it off unless you know what you're doing. (Default: 1).
+.LP
+.TP
\fBDownloadExtraInfo\fP \fR\fB0\fR|\fB1\fR\fP
If true, Tor downloads and caches "extra-info" documents. These
documents contain information about servers other than the information
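Review bot: The new ClientDNSRejectInternalAddresses entry documents only one direction ("an address resolves to an internal address"), while the commit message says the option refuses mappings "to or from" an internal address; the man page should state whether answers that map an internal address back to a hostname are rejected as well, so the documented behaviour matches the described one. The entry also defines "internal address" only by the two examples 127.0.0.1 and 192.168.0.1; naming the address classes that count as internal would let an operator tell whether their own network is covered. Finally, "certain browser-based attacks" gives a reader nothing to weigh before setting the option to 0; one clause on what a malicious DNS answer pointing at a local address lets a web page reach, and the note from the commit message that hosts using DNSPort are especially exposed, would make the "don't turn it off" warning actionable.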