path: root/doc/dns-dhcp.txt
blob: 1ff24f580922688d03da97a3255227016b1df618 (plain)

### The DNS and DHCP scheme is complicated

A common problem is DNS leaking: TCP connections go through the tor network
correctly, but the initial DNS lookup (to find the remote's IP address) goes
over UDP (which tor does not support) "out of band", i.e. over the regular old
upstream network connection. In this case an observer might not see the
contents of a connection, but they can see which remote hosts you are
connecting to, and when.

The Tor daemon has a DNS server built in to get around the UDP problem, and
also does transparent proxying of hidden service URLs (.onion domains), but it
only answers A and AAAA (IP address) records.

Some DNS servers allow connections over TCP (which means requests can be
tunneled through the tor network itself), and the ttdnsd utility can act as a
proxy that accepts local UDP requests and tunnels them out through TCP.
However, regular DNS servers can't do .onion hidden service lookups, so they
aren't a complete solution.

A hybrid configuration directs .onion requests to the Tor daemon and all other
requests via TCP through the tor network to well-known DNS servers.

### Implementation

torouter itself (the base configuration) uses the OpenDNS and Google servers,
as configured in /etc/resolv.conf.

TODO: /etc/resolv.conf gets clobbered with local DHCP-based settings

ttdnsd is used to make upstream requests via TCP over the Tor network. It is
configured in /etc/default/ttdnsd and listens for requests on port 5354.

Tor is configured (in /etc/tor/torrc) to listen locally on port 5353 of address
172.16.23.1.

Separate dnsmasq configurations and init scripts are used for local ethernet
and the transparently tor-ified wifi access point. The "regular" dnsmasq daemon
is disabled (in /etc/default/dnsmasq). The ethernet daemon makes upstream
requests "as usual" (according to /etc/resolv.conf). The wifi daemon makes
most upstream requests to ttdnsd on port 5354, but forwards .onion domain
requests to Tor on port 5353. It is configured in /etc/dnsmasq_wifi.conf.
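The wifi-side split described above, written out as an added example (not the
torouter project's own /etc/dnsmasq_wifi.conf or torrc): the dnsmasq fragment
and the matching torrc lines. It assumes ttdnsd binds 127.0.0.1 (the text gives
only the port), that the access point interface is wlan0 and that 172.16.23.1
is its address; the DHCP range is a constructed placeholder.

```conf
# --- /etc/dnsmasq_wifi.conf (added example, not the project's file) ---
interface=wlan0            # assumed name of the tor-ified access point
bind-interfaces            # do not touch the ethernet side's resolver
no-resolv                  # never consult /etc/resolv.conf: that path is the leak
no-hosts
domain-needed              # refuse to forward bare names with no dots upstream
bogus-priv                 # never send RFC1918 reverse lookups upstream

# .onion names go to Tor's built-in DNS listener (address/port from the doc)
server=/onion/172.16.23.1#5353
# everything else goes to ttdnsd, which carries it over TCP through Tor
server=127.0.0.1#5354

# DHCP for wifi clients; point them at this daemon so nothing else resolves
dhcp-range=172.16.23.10,172.16.23.100,12h      # constructed placeholder range
dhcp-option=option:dns-server,172.16.23.1       # assumes 172.16.23.1 is wlan0

# --- /etc/tor/torrc (the lines the dnsmasq split relies on) ---
# DNSPort answers only A/AAAA; AutomapHostsOnResolve hands back a private
# address for .onion names so the transparent proxy can pick the flow up.
DNSPort 172.16.23.1:5353
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion
```

Both `server=` forms use dnsmasq's real `server=/domain/addr#port` syntax; the
more specific `/onion/` line wins over the catch-all, so a `.onion` query never
reaches ttdnsd.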

The /etc/network/interfaces file makes pre- and post-configuration calls for
each interface to (re)start the tor, ttdnsd, and dnsmasq daemons.

With the ttdnsd scheme, one will still get warnings in /var/log/tor/notices.log
about IP-only requests:

    Nov 23 17:44:37.000 [warn] Your application (using socks4 to port 53) is
    giving Tor only an IP address. Applications that do DNS resolves themselves
    may leak information. Consider using Socks4A (e.g. via privoxy or socat)
    instead. For more information, please see
    https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.

These can (hopefully) be ignored.

TODO: ttdnsd does not seem to work in a chroot, so the "-c" flag gets passed.