Connecting to an onion service leaks DNS requests to clearnet
Upon connecting to any .onion account/server, the client performs a DNS lookup for _xmppconnect.[...].onion, which leaks the requested onion service to the user's DNS resolver and its upstreams.
You can watch this happen by running `sudo tcpdump udp port 53 -vv -X`
in any terminal window and then connecting to any .onion address (valid or not).
I don't python, but a patch like the following should fix the issue
diff --git a/gajim/common/connection.py b/gajim/common/connection.py
index 571e00d30..90b0bafd0 100644
--- a/gajim/common/connection.py
+++ b/gajim/common/connection.py
@@ -1078,12 +1078,16 @@ class Connection(CommonConnection, ConnectionHandlers):
h = hostname
p = 5222
ssl_p = 5223
+ use_txt = True
if use_custom:
h = custom_h
p = custom_p
ssl_p = custom_p
if not self.redirected:
use_srv = False
+ if h.endswith('.onion'):
+ use_srv = False
+ use_txt = False
self.redirected = None
# SRV resolver
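Review bot: The new test `if h.endswith('.onion'):` is case-sensitive and does not tolerate a trailing dot, so a host entered as `Example.ONION` or `example.onion.` would still reach the SRV and TXT lookups the patch means to suppress; `if h and h.rstrip('.').lower().endswith('.onion'):` covers those spellings and also avoids an AttributeError when `h` is empty or None, which the existing `if h:` guard in the second hunk suggests can happen. The indentation of the added block is not recoverable from this rendering; for the check to apply whether or not a custom host is configured it should sit at the level of the `if use_custom:` test rather than inside it — confirm against the file. Skipping the resolver calls addresses the lookup described in the issue, but whether the eventual TCP connect still resolves the name locally depends on the proxy configuration, which is outside this hunk. The enclosing method starts before the hunk and continues after it.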
@@ -1095,7 +1099,7 @@ class Connection(CommonConnection, ConnectionHandlers):
]
self._hostname = hostname
- if h:
+ if h and use_txt:
app.resolver.resolve('_xmppconnect.' + helpers.idn_to_ascii(h),
self._on_resolve_txt, type_='txt')