DNS over Tor

stoically edited this page Apr 30, 2018 · 92 revisions

⚠️ Please READ THIS to understand why DNS over Tor might be a bad idea after all!


If you want to protect your DNS requests, which are unencrypted by default, from being easily collected by your ISP or another adversary between you and your DNS server, you can set up pihole to resolve hostnames over Tor. Using DNS over Tor hides your real IP from the DNS server by means of onion routing.

⚠️ Attention

Please be aware that your ISP or an adversary can still find out which websites you visit by capturing HTTP (plaintext) or HTTPS (SNI) packets, or by doing reverse lookups or whois queries on the IPs you're connecting to. To avoid that you might want to consider additionally routing your browser traffic over Tor.

Also keep in mind that even Tor can't provide 100% anonymity; for example, correlation attacks are possible. Although it's almost impossible for e.g. your ISP or a random service on the internet to execute such an attack, you might need to change some of your habits to get the most out of Tor.

Setup

This should work on most recent Debian derivatives (Raspbian, Ubuntu). Alternatively you can follow a Tor installation guide for your host system.

sudo apt install tor

Edit /etc/tor/torrc as root, include the following line at the end and save the changes

DNSPort 127.0.10.1:53

Restart Tor

sudo service tor restart

Change your pihole upstream DNS server to use 127.0.10.1 in the pihole WebGUI (Settings) under "Upstream DNS Servers" and click "Save".

Note: It's currently not possible to change the Upstream DNS Server directly in the /etc/pihole/setupVars.conf file, the pihole DNS Server won't pick up the change.

If you want a recognizable hostname for the Tor DNS in your pihole GUI statistics, edit /etc/hosts as root, include the following line at the end and save the changes

127.0.10.1     tor.dns.local

Restart pihole DNS Server for the /etc/hosts changes to take effect

sudo pihole restartdns

That's it.

Make sure it works

To see which DNS servers you're using, you can use a DNS server leak test. Some of them don't work with DNS over Tor, but this one does. It should show random DNS servers. Tor rotates the circuit approximately every 10 minutes in the default configuration, so it might take up to 10 minutes before you see a new set of random DNS servers in the leak test.

You can also check the "Forward Destinations over Time" Graph (enabled per default) in your pihole WebGUI - the latest Forward Destinations should only include "local" and "tor.dns.local" (if you updated the /etc/hosts file).

To make absolutely sure that you always use the pihole as DNS server, and that it handles IPv4 and/or IPv6 blocking if you configured it to do so, check which DNS servers your client is using: nmcli device show <interface> | grep .DNS (Linux) or ipconfig /all (Windows; look for DNS Servers on your LAN adapter). Then issue an IPv4 (A) and/or IPv6 (AAAA) DNS query to every IPv4 and/or IPv6 DNS server that shows up: dig @<IPv4/6-dns-server-address> api.mixpanel.com <A/AAAA> (Linux) or nslookup -server=<IPv4/6-dns-server-address> -q=<A/AAAA> api.mixpanel.com (Windows). That should return the pihole IPv4 and/or IPv6 address as the answer and show up as "Pi-holed" in the WebGUI Query Log (assuming you have the default blocklist; otherwise replace api.mixpanel.com with any domain on your blocklist). If any of the queries doesn't show up in the Query Log, you should check your pihole/network configuration (this thread might help).
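As an added check, here is a small Python client (example code, not part of this wiki page or of pihole) that does the dig/nslookup verification above programmatically: it sends an A or AAAA query for a blocklisted name to a configured DNS server and reports whether every returned address is a pihole address. The pihole addresses in PIHOLE_IPS, the resolver you pass to query() and the use of api.mixpanel.com as the blocklisted name are assumptions to adapt to your network.

```python
# Added example (not from the Pi-hole wiki or Pi-hole itself): minimal DNS
# client that checks that an A/AAAA answer comes back as a Pi-hole address.
import socket
import struct

PIHOLE_IPS = {"192.168.1.2", "fd00::2"}   # assumed Pi-hole v4/v6 addresses
BLOCKED_NAME = "api.mixpanel.com"         # on the default blocklist

def build_query(name, qtype, txid=0x1234):
    """Wire-format DNS query; qtype 1 = A, 28 = AAAA; RD flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode() for p in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(resp, off):
    """Advance past a (possibly compressed) domain name in the packet."""
    while True:
        n = resp[off]
        if n & 0xC0 == 0xC0:                   # compression pointer: 2 bytes
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_answers(resp):
    """Return (rcode, [addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    rcode, off, addrs = flags & 0xF, 12, []
    for _ in range(qd):                        # skip the question section
        off = _skip_name(resp, off) + 4
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, addrs

def query(server, name=BLOCKED_NAME, qtype=1, timeout=5.0):
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:   # plain UDP to port 53
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recv(4096))

def is_piholed(addrs, pihole_ips=PIHOLE_IPS):
    """True only when there is an answer and all of it is the Pi-hole."""
    return bool(addrs) and set(addrs) <= set(pihole_ips)
```

Call query(server, qtype=28) for every server shown by nmcli or ipconfig and check is_piholed on the result; an empty AAAA answer or a non-zero rcode from the Tor DNSPort usually means the current exit node does not resolve IPv6 (see the IPv6 note further down).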


Route Browser Traffic over Tor

To enhance your privacy you might want to route all or part of your Browser Traffic over Tor.

Tor Browser

The easiest and most reliable solution is to use the Tor Browser. However, it won't use your pihole DNS server out of the box. You can disable "Proxy DNS when using SOCKS v5" in Tor Browser's Preferences -> Advanced -> Network -> Settings and make sure your system is configured to use pihole with DNS over Tor activated.

Your Browser

Edit /etc/tor/torrc on your pihole as root, include the following line at the end and save the changes

SocksPort 0.0.0.0:9050

Note: You should make sure that only your LAN devices are able to access your pihole on port 9050.

Restart Tor

sudo service tor restart

Point your browser to use your pihole IP or hostname (e.g. pi.hole) and port 9050 as SOCKS5 proxy. Do not enable "Proxy DNS when using SOCKS v5", and make sure your system is configured to use pihole with DNS over Tor activated.

If you use a proxy add-on/extension you can also, for example, route everything over Tor by default and only whitelist some sites that you need to perform well.

Access .onion addresses

If you want to access .onion addresses with this kind of setup you have to activate Transparent Access to Tor Hidden Services on the pihole host.


Notes

General

  • Don't define other regular Upstream DNS Servers than the Tor one if you want to avoid that your pihole makes plaintext DNS requests.

  • From the Tor Manual regarding DNSPort:

    This port only handles A, AAAA, and PTR requests
    

Bad Relays, Phishing, Scam

  • Tor has the concept of Bad Relays and tries to prevent Tor relays from becoming Bad Exit Nodes (which are a form of relay) by monitoring their behavior before declaring them as Exit Nodes. But it still can happen, and since anyone can run a Tor relay as an Exit Node on the Tor network, this means that an Exit Node owner could fake the answer to a DNS request and redirect you to a malicious website/IP. If you're using a recent browser and only visit encrypted (HTTPS) sites, that isn't too bad, since the browser would warn you with an invalid certificate warning (unless someone hacked a certificate authority or got a CA to issue a certificate without validation, both of which are highly unlikely). But other apps on your network that resolve DNS queries via DNS over Tor might either communicate unencrypted or not validate certificates properly. Such apps could get malicious data injected and/or phish your data without your knowledge.

    So, ideally, only use DNS over Tor if you know for a fact that the apps in your network communicate over a secure connection and properly validate certificates.

    That being said, if you use DNS over Tor in the default configuration (meaning no custom ExitNodes in the torrc), this kind of attack requires a big portion of luck for the attacker (owner of a Bad Exit Node), because you would have to get a circuit routing over the Bad Exit Node at the same moment you are using an insecure app (Tor switches the circuit at least every 10 minutes in the default configuration). On top of that an attacker must first find an app that has this kind of vulnerability and has valuable data or attack vectors. This is unlikely since most apps out there that handle sensitive data at least communicate over encrypted connections that validate certificates based on system or manual root certs.

    To lower the chances of Bad Exit Nodes you could restrict ExitNodes to trusted ones (country and/or specific). Choosing specific Exit Nodes would basically be the same as e.g. trusting specific DNSCrypt resolvers or Alternative DNS Servers. They might be good, they might be bad, you can't know for sure (unless the DNS answers are DNSSEC signed - but that's most likely not the case for the kinds of app that might get affected by this).

    So in the end it boils down to:

    • Encrypt your DNS traffic using Tor so your ISP can't collect it (but still is able to collect what Websites/IPs you visit unless you route that traffic also over Tor) and the DNS Server won't see your real IP for the price of maybe getting a Bad Exit Node that fakes answers to DNS queries.
      or
    • Use DNSCrypt so your ISP can't collect DNS traffic (but still can collect the websites/IPs you visit unless you route that traffic over Tor), but you have to accept that the DNSCrypt resolver you've chosen might store your DNS queries together with your IP (unless you modify DNSCrypt to route over Tor) and could also turn out to send faked answers to DNS queries. I guess you would call that a Bad DNSCrypt resolver then.
      or
    • Use an unencrypted alternative DNS server (there are a lot of lists out there). In this case your ISP easily can record your DNS traffic and the alternative DNS server can store your DNS queries together with your IP. On top of that your ISP or the alternative DNS could also fake the answer to the DNS queries. That would be a Bad Alternative DNS Server then.
      or
    • Use your ISP DNS server. In this case your ISP gets your DNS traffic for free. On top of that the ISP could also fake answers to DNS queries. Bad ISP DNS Server.

    The bottom line is that you have to weigh up who you trust the most and which risks you are willing to take.

Performance, Reliability and Timeouts

  • You're constantly using new DNS servers that are located all over the world, so it might happen that sometimes hostname resolution is slow or doesn't work at all for certain domains. In these cases you have to wait some minutes until Tor switches to another circuit, or configure Tor to accept control connections and send a command that tells Tor to switch circuits immediately. Since I've been using DNS over Tor this was rarely necessary for me, but YMMV.

    You could set ExitNodes in your torrc to a specific set of Exit nodes that are reliable for you, or use only Exit nodes in a specific country (on Debian derivatives you need to have the tor-geoipdb package installed for that to work), and thus avoid problems with DNS lookups to some extent. But keep in mind that this approach increases your vulnerability to correlation attacks if you only have a small number of ExitNodes set or your selected countries have few Exit nodes. If your goal is only to slightly increase security while maintaining performance and reliability, this approach might be for you. It is not recommended.

Ok, but please just tell me how to avoid timeouts

Solution 1 - Only use Exit Nodes from specific countries

  • Install the GeoIP database for Tor to use; on Debian derivatives (Raspbian, Ubuntu) that means

    sudo apt install tor-geoipdb
    

    Pick the Country Codes you want to use as ExitNodes from the "List of country codes for Tor" list on this page.

    Edit /etc/tor/torrc as root, add the following lines to the end and replace CountryCodeN (keep the { and }) with the country codes you've chosen (you can also use only one country code, in which case it would be just {CountryCode1} without a comma).

    ExitNodes {CountryCode1},{CountryCode2},{CountryCode3}
    StrictNodes 1
    

    Save the changes.

    Restart Tor

    sudo service tor restart
    

    Note: Using this approach you put strain on Tor Relays in the selected countries only and increase your security vulnerability. It's not nice and not recommended. Also be aware that this change also affects which Exit Nodes are used if you Route Your Browser Traffic over the pihole host Tor SocksPort.

Solution 2 - Only use specific Exit Nodes

  • Navigate to atlas.torproject.org Top Relays. Click on two relays out of the list. Make sure the relay allows port 53 in its IPv4 Exit Policy Summary (and/or IPv6 Exit Policy Summary if you want to resolve IPv6 AAAA queries). As root, copy the Fingerprint (top right under Relay Details) of those two relays to the end of your /etc/tor/torrc file on the pihole host in the following format:

    ExitNodes Fingerprint1,Fingerprint2
    StrictNodes 1
    

    Save the changes.

    Restart Tor

    sudo service tor restart
    

    If DNS requests stop resolving at all, you might need to repeat this procedure because the relays you chose might have gone down.

    Note: Using this approach you put strain on single Tor Relays and increase your security vulnerability. It's not nice and not recommended. Also be aware that this change also affects which Exit Nodes are used if you Route Your Browser Traffic over the pihole host Tor SocksPort.

Hint: You can combine both Solutions and have country codes and fingerprints as ExitNodes.
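To combine both solutions without leaving duplicate or malformed ExitNodes lines in the torrc (which Tor rejects at startup), here is an added Python helper (example code, not from this wiki or the Tor project) that validates two-letter country codes and 40-hex-digit fingerprints, builds one combined ExitNodes line and merges it together with StrictNodes 1 into torrc text, dropping any earlier ExitNodes/StrictNodes lines. The country codes and the all-A fingerprint used for illustration are constructed placeholders.

```python
# Added example (not from the Pi-hole wiki or the Tor project): build one
# combined ExitNodes line from country codes and relay fingerprints,
# validate both formats, and merge it into torrc text so that only a single
# ExitNodes / StrictNodes pair remains.
import re

COUNTRY_RE = re.compile(r"^[a-z]{2}$")           # e.g. de, ch
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")   # 40 hex digits from atlas

def exit_nodes_line(countries=(), fingerprints=()):
    """Return 'ExitNodes {cc},...,FINGERPRINT' or raise ValueError."""
    parts = []
    for cc in countries:
        cc = cc.strip("{}").lower()               # accept 'de' or '{de}'
        if not COUNTRY_RE.match(cc):
            raise ValueError(f"bad country code: {cc!r}")
        parts.append("{" + cc + "}")
    for fp in fingerprints:
        fp = fp.replace(" ", "").lstrip("$").upper()  # tolerate spaces and '$'
        if not FINGERPRINT_RE.match(fp):
            raise ValueError(f"bad fingerprint: {fp!r}")
        parts.append(fp)
    if not parts:
        raise ValueError("no exit nodes given")
    return "ExitNodes " + ",".join(parts)

def merge_torrc(torrc_text, countries=(), fingerprints=()):
    """Drop old ExitNodes/StrictNodes lines, append the new pair at the end."""
    kept = [ln for ln in torrc_text.splitlines()
            if not re.match(r"^\s*(ExitNodes|StrictNodes)\b", ln)]
    kept += [exit_nodes_line(countries, fingerprints), "StrictNodes 1"]
    return "\n".join(kept) + "\n"
```

Read /etc/tor/torrc, pass its text through merge_torrc, write it back as root and restart Tor as in the steps above; a ValueError means a code or fingerprint was mistyped, so nothing is written.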

IPv6

  • DNS over Tor only partially supports IPv6 as of now. This is only a problem if your router or your ISP doesn't support IPv4, or if you want only IPv6 traffic for another reason; if you have both IPv4 and IPv6 available and you don't plan to visit an IPv6-only service, this is no problem at all.

    In general, if you made sure that you configured your pihole to support IPv6, resolving IPv6 addresses will sometimes work and sometimes not. The reason for this is that Tor Exit nodes only resolve IPv6 queries if they have IPv6Exit 1 set in their configuration. Tor is working on a fix for that - but until that is done and the Tor exit nodes switched to the fixed version, you will run into situations where IPv6 addresses aren't resolvable despite being available in the responsible nameserver. To check whether your current Exit node resolves IPv6 correctly you can run dig example.com aaaa (Linux) or nslookup -q=aaaa example.com (Windows) on your client.

    So if you're dependent on IPv6 and can't use IPv4 at all, your only chance is to configure ExitNodes in your torrc to only point to Exit nodes that resolve IPv6 correctly. But keep in mind that this approach increases the correlation attack vulnerability if you only have a small amount of ExitNodes set.

    Also you can't (afaik) change the internal IPv4 Tor DNS address on the pihole host to an IPv6 one since DNSPort doesn't support that - so you need at least internal IPv4 on your pihole host, which is the default on most host systems.

Exit node fingerprints

  • To get the fingerprint of your current Exit node, you can configure SocksPort 0.0.0.0:9050 in your torrc, restart Tor, point your browser to use your pihole's IP and port 9050 as SOCKS5 proxy, visit e.g. check.torproject.org to get your Exit Node IP, search for that IP on atlas.torproject.org, click on one of the results and it will show the Fingerprint top right under details. These fingerprints can be set as comma-separated values for ExitNodes. Don't forget to remove the SocksPort option and restart Tor if you don't need it anymore. Also note that the Exit node you get over the SocksPort is not necessarily the same as the one you get when issuing DNS requests over the DNSPort, since Tor internally keeps multiple circuits open. Again, setting ExitNodes manually is not recommended.

DNSSEC

  • A lot of the Exit Nodes configure their DNS Server to support DNSSEC. You can test here whether DNSSEC is enabled for your current DNS Servers.

    If you want to test again by refreshing the site, please be aware of the notes on the site:

    To re-run the above test, you also need to:
    
      Flush the DNS cache of your OS (Windows: ipconfig /flushdns)
      Restart browser or clear browser cache
    

    Flushing Browser/DNS Cache here means restarting pihole (DNS Server), restarting the browser and ideally opening the site in private/incognito mode.

Alternatives

Contribute to the Tor project

  • If you have spare resources, consider running a Tor Relay (or Exit) node to contribute back to the Tor network. The default installation doesn't do either of these. And/or consider donating.