
DNS SRV problem with Tor transparent proxy
Closed, Resolved, Public

Description

When I use Whonix Gateway and route all traffic through Tor on another virtual machine (not Whonix Workstation), I can't get the PGP key through the key servers, because Tor can't resolve the DNS SRV record.

When I resolve the IP address manually and use it, I can.
Or when I route traffic through a VPN and use another DNS server (not Whonix's 10.152.152.10), then in that case I can.

It's important, because people who route traffic through Tor (for example, not only using Whonix, but Wi-Fi routers too) can't get keys from keyservers.

Technical information:

Whonix-Gateway: 16.0.3.7
Virtual machine: debian bullseye (stable)
GnuPG: 2.2.27
Dirmngr: 2.2.27

Command: gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B

Details

Version
2.2.27

Event Timeline

https://paste.debian.net/1230431

user@debian:~$ gpg --debug-all --keyserver hkp://keyserver.ubuntu.com --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: reading options from '/home/user/.gnupg/gpg.conf'
gpg: reading options from '[cmdline]'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: DBG: [not enabled in the source] start
gpg: DBG: chan_3 <- # Home: /home/user/.gnupg
gpg: DBG: chan_3 <- # Config: /home/user/.gnupg/dirmngr.conf
gpg: DBG: chan_3 <- OK Dirmngr 2.2.27 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_3 -> GETINFO version
gpg: DBG: chan_3 <- D 2.2.27
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KEYSERVER --clear hkp://keyserver.ubuntu.com
gpg: DBG: chan_3 <- OK
gpg: DBG: chan_3 -> KS_GET -- 0xDF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: DBG: chan_3 <- ERR 219 Server indicated a failure <Unspecified source>
gpg: keyserver receive failed: Server indicated a failure
gpg: DBG: chan_3 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=0 locks=0 parse=0 get=0
gpg: build=0 update=0 insert=0 delete=0
gpg: reset=0 found=0 not=0 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks

user@debian:~$ nslookup keyserver.ubuntu.com
Server:		10.152.152.10
Address:	10.152.152.10#53

Non-authoritative answer:
Name:	keyserver.ubuntu.com
Address: 162.213.33.9

** server can't find keyserver.ubuntu.com: NXDOMAIN

user@debian:~$ gpg --keyserver hkp://162.213.33.9 --recv-keys DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: "Debian CD signing key <debian-cd@lists.debian.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1

Guess why GnuPG has its own Tor aware resolver ;-) To debug this kind of stuff you need to debug dirmngr, by adding for example

debug ipc,dns,network
log-file FOO

to dirmngr.conf. And pretty please use a decent version of gpg.
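The lookup that fails in this report, as an added example that is not GnuPG's or dirmngr's code: a small HKP endpoint selector that first asks for the _hkp._tcp SRV record and falls back to the bare hostname when the resolver refuses SRV queries, which is what Tor's DNSPort does (it answers only A, AAAA and PTR). The stub resolver and the zone records are constructed here; dirmngr itself avoids the problem with its own Tor-aware resolver (the use-tor option) that werner alludes to.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

HKP_DEFAULT_PORT = 11371
Resolver = Callable[[str, str], List[str]]  # (qname, qtype) -> record strings

class ResolverRefused(Exception):
    """The upstream resolver does not implement this query type."""

def make_stub_resolver(zone: Dict[Tuple[str, str], List[str]], srv_capable: bool) -> Resolver:
    """Fake resolver; srv_capable=False mimics Tor's DNSPort (A/AAAA/PTR only)."""
    def resolve(qname: str, qtype: str) -> List[str]:
        if qtype == "SRV" and not srv_capable:
            raise ResolverRefused(f"{qtype} {qname}: query type not implemented")
        return zone.get((qname.lower().rstrip("."), qtype), [])
    return resolve

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def hkp_endpoints(url: str, resolve: Resolver) -> Tuple[List[Tuple[str, int]], str]:
    """Return ([(host, port), ...], reason). SRV is consulted only for a bare
    hostname with no explicit port, which is why hkp://<ip> sidesteps it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is not None:
        return [(host, parts.port)], "explicit-port"
    if is_ip_literal(host):
        return [(host, HKP_DEFAULT_PORT)], "ip-literal"
    try:
        records = resolve(f"_hkp._tcp.{host}", "SRV")
    except ResolverRefused:
        # Tor-style resolver: fall back to the plain hostname instead of failing.
        return [(host, HKP_DEFAULT_PORT)], "srv-refused"
    # Record text is "priority weight port target"; lowest priority first
    # (weight-based sharing among equal priorities is omitted for brevity).
    endpoints = []
    for rec in sorted(records, key=lambda r: int(r.split()[0])):
        _prio, _weight, port, target = rec.split()
        endpoints.append((target.rstrip("."), int(port)))
    return (endpoints, "srv") if endpoints else ([(host, HKP_DEFAULT_PORT)], "no-srv")

# Constructed SRV records for illustration only (not real DNS data).
ZONE = {("_hkp._tcp.keyserver.example", "SRV"):
        ["20 5 11371 ks2.keyserver.example.", "10 5 11371 ks1.keyserver.example."]}
```

Run hkp_endpoints with a resolver built from make_stub_resolver(ZONE, srv_capable=False) to see the srv-refused path the Whonix setup hits, and with srv_capable=True to see the SRV targets being used.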

werner claimed this task.
werner edited projects, added Not A Bug; removed Bug Report.