a solution for DNS over TOR
ttdnsd is a forwarding nameserver that also bridges between UDP and TCP...
NEWS
THE REASON
- ttdnsd exists for a simple reason. I want to run TOR as a transparent proxy on my OpenWRT-based router, and all existing solutions for transparent TOR DNS require some kind of scripting language that doesn't run nicely on OpenWRT. I also wanted real DNS over TOR.
HOW IT WORKS
- ttdnsd accepts DNS requests via UDP and forwards them to a resolving nameserver via TCP. The requests themselves are passed through unchanged, so everything the upstream nameserver supports is available through ttdnsd.
ttdnsd only connects to a resolving nameserver after it has received a request via UDP. For each connection ttdnsd randomly selects one of the nameservers it knows about (see OPTIONS below). The connection is used to forward multiple requests in a pipelined fashion and is kept open until no more requests arrive via UDP. This pipelining is required to amortize the connection setup time, which is considerable over TOR.
NAMESERVERS
- To use ttdnsd you need public nameservers that allow recursive resolving and accept queries over TCP. Finding such nameservers is quite hard, but the TOR website gives a good hint: OpenDNS. OpenDNS provides public nameservers that support recursive resolving. There are many other publicly reachable nameservers; you just need to find them on your own (or by asking Google).
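Both the UDP-to-TCP bridging described under HOW IT WORKS and the question of whether a candidate nameserver actually recurses come down to a few bytes of the DNS wire format. The following is an added example written for this page, not ttdnsd's own code: it builds a query with the RD bit set, applies the 2-byte length prefix that TCP DNS uses, re-splits pipelined responses that arrive in arbitrary read() chunks, and reads the RA bit and RCODE that separate a usable recursive server from one that should be dropped from the list. The function names and the sample response stream are constructed for the example.

```c
/* Added example, not ttdnsd's own code. TCP DNS prefixes every message with a
 * 2-byte big-endian length (RFC 1035 section 4.2.2); on a pipelined connection
 * all responses share one stream and must be re-split and matched by ID. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal IN A query for name with RD=1 (recursion desired).
 * Returns the message length, or -1 if name is invalid or out is too small. */
static int build_query(uint8_t *out, size_t cap, uint16_t id, const char *name)
{
    size_t n = 12;
    if (cap < 17) return -1;                 /* header + root label + type/class */
    memset(out, 0, n);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id;
    out[2] = 0x01;                           /* QR=0, opcode=0, RD=1 */
    out[5] = 1;                              /* QDCOUNT=1 */
    for (const char *p = name; *p; ) {       /* "example.org" -> \7example\3org\0 */
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (len == 0 || len > 63 || n + 1 + len + 5 > cap) return -1;
        out[n++] = (uint8_t)len;
        memcpy(out + n, p, len); n += len;
        p = dot ? dot + 1 : p + len;
    }
    out[n++] = 0;                            /* root label */
    out[n++] = 0; out[n++] = 1;              /* QTYPE=A */
    out[n++] = 0; out[n++] = 1;              /* QCLASS=IN */
    return (int)n;
}

/* Frame one message for TCP: 2-byte length, then the message bytes. */
static int tcp_frame(const uint8_t *msg, size_t len, uint8_t *out, size_t cap)
{
    if (len > 0xffff || cap < len + 2) return -1;
    out[0] = (uint8_t)(len >> 8); out[1] = (uint8_t)len;
    memcpy(out + 2, msg, len);
    return (int)(len + 2);
}

/* Pull the next complete message out of a TCP receive buffer. read() may hand
 * back several pipelined responses at once or half of one, so a message is
 * consumed only once all of its bytes are present. Returns its length, 0 if only
 * a partial message is buffered, -1 if the announced length does not fit in out
 * (treat that as a broken peer and close the connection). */
static int tcp_unframe(uint8_t *buf, size_t *buflen, uint8_t *out, size_t cap)
{
    if (*buflen < 2) return 0;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (len > cap) return -1;
    if (*buflen < len + 2) return 0;
    memcpy(out, buf + 2, len);
    memmove(buf, buf + 2 + len, *buflen - 2 - len);
    *buflen -= 2 + len;
    return (int)len;
}

/* Header fields: ID matches a response to the waiting UDP client; RA says whether
 * the server recurses; RCODE 5 (REFUSED) is the usual answer from one that does not. */
static uint16_t dns_id(const uint8_t *m)    { return (uint16_t)((m[0] << 8) | m[1]); }
static int      dns_ra(const uint8_t *m)    { return (m[3] & 0x80) != 0; }
static int      dns_rcode(const uint8_t *m) { return m[3] & 0x0f; }

/* Constructed sample: two pipelined responses (12-byte headers only) as they would
 * sit in one TCP stream. 0x1234: QR=1 RD=1 RA=1 NOERROR. 0x5678: QR=1 RD=1 RA=0 REFUSED. */
static const uint8_t sample_stream[] = {
    0x00,0x0c, 0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
    0x00,0x0c, 0x56,0x78, 0x81,0x05, 0,1, 0,0, 0,0, 0,0,
};

/* Feed the sample to the demuxer in two chunks, split in the middle of the second
 * message as read() might do. Returns the number of complete responses recovered. */
static int demux_sample(uint16_t ids[2], int ra[2], int rcode[2])
{
    uint8_t buf[64], msg[512];
    size_t buflen = 0, off = 0, chunk[2] = { 17, sizeof sample_stream - 17 };
    int got = 0;
    for (int c = 0; c < 2; c++) {
        memcpy(buf + buflen, sample_stream + off, chunk[c]);
        buflen += chunk[c]; off += chunk[c];
        while (got < 2 && tcp_unframe(buf, &buflen, msg, sizeof msg) > 0) {
            ids[got] = dns_id(msg); ra[got] = dns_ra(msg); rcode[got] = dns_rcode(msg);
            got++;
        }
    }
    return got;
}

int main(void)
{
    uint8_t q[512], framed[514];
    uint16_t ids[2]; int ra[2], rc[2];
    int qlen = build_query(q, sizeof q, 0x1234, "example.org");
    int flen = tcp_frame(q, (size_t)qlen, framed, sizeof framed);
    printf("query %d bytes, %d on TCP (length prefix %02x %02x)\n", qlen, flen, framed[0], framed[1]);
    int n = demux_sample(ids, ra, rc);
    for (int i = 0; i < n; i++)
        printf("id %04x RA=%d RCODE=%d -> %s\n", ids[i], ra[i], rc[i],
               ra[i] ? "recursive, usable" : "no recursion, drop from the list");
    return 0;
}
```

To vet a candidate for the server list, send a framed query like this over a TCP connection to port 53 of the server and look at RA and RCODE in the reply: RA=1 with RCODE=0 means it recurses over TCP, RA=0 or REFUSED means it is unusable here. When doing the real check, run it through torify so the candidate never sees your own address.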
RUNNING IT
Since v0.2 ttdnsd can also provide DNS over tor for a single computer. This is done by starting the tor binary (/usr/sbin/tor) with LD_PRELOAD=libttdnstor.so.1. The preloaded library gives tor itself normal DNS lookups against the real nameservers (tor cannot resolve through itself), while the DNS requests of every other program are handled by ttdnsd.
ttdnsd requires torify in order to reach the TOR network. torify is part of TOR but depends on tsocks (a SOCKS wrapper). On normal non-embedded distributions torify and tsocks are not an issue, since they are packaged with TOR and installed along with it.
ttdnsd also requires a list of nameservers to forward to. The list is a plain file with one IP address per line and must contain at least one address.
torify ttdnsd -f /etc/ttdnsd.servers
You may also want to run a DNS cache to improve the performance of ttdnsd.
OPTIONS
-b local ip    bind to local ip
-f dns file    filename to read dns server ip(s) from
-c             DON'T chroot(2) to /var/run/ttdnsd
-d             DEBUG: don't fork/chroot and print debug output
-l             don't log to /var/run/ttdnsd/ttdnsd.debug
TTDNSD AND OPENWRT
- install: ttdnsd, tor, tsocks (provides SOCKS for ttdnsd) and ntpclient (tor needs a correct clock)
The short description for people who know stuff:
- dnsmasq forwards to ttdnsd, and ttdnsd reaches its nameservers through tor; therefore dnsmasq and tor listen on the LAN interface of the router and ttdnsd on loopback.
The long description (needs more details):
dnsmasq
- create file: echo nameserver 127.0.0.1 > /etc/resolv.conf.dnsmasq
edit file: /etc/dnsmasq.conf so that dnsmasq takes its upstream servers from /etc/resolv.conf.dnsmasq (resolv-file=/etc/resolv.conf.dnsmasq)
run: dnsmasq -I vlan1 -i LAN_IF -a
tor/torify/tsocks
- make sure: /etc/resolv.conf points to your ISP's nameservers (tor itself must resolve directly, not through ttdnsd)
edit: /etc/tor/torrc to make tor bind to the router's LAN_IP
edit: torrc to create tmp files in /tmp/tor
edit: /etc/tor/tor-tsocks.conf to point tsocks at your router's LAN_IP
run: tor
ttdnsd
- create directory: mkdir -p /var/run/ttdnsd/etc/tor
copy: /etc/tor/tor-tsocks.conf to /var/run/ttdnsd/etc/tor
edit: put the IPs of the nameserver(s) ttdnsd should use into /etc/ttdnsd.conf (one per line)
run: torify /jffs/usr/sbin/ttdnsd -f /etc/ttdnsd.conf -b 127.0.0.1
TTDNSD FOR LOCAL COMPUTER
- create resolv.conf for tor (e.g. /etc/resolv.conf.tor) containing your real nameservers: cp /etc/resolv.conf /etc/resolv.conf.tor
create new resolv.conf for your local applications: echo "nameserver 127.0.0.1" >/etc/resolv.conf
tell libttdnstor.so where to find resolv.conf for tor: export TTDNSD_REALRESOLVCONF=/etc/resolv.conf.tor
start ttdnsd: torify ttdnsd -b 127.0.0.1 -f /etc/ttdnsd.conf
start tor: LD_PRELOAD=FULLPATH_TO_libttdnstor.so.1 /usr/sbin/tor
PRIVACY
- To improve its performance ttdnsd keeps a connection to a resolving nameserver open as long as possible and therefore forwards all DNS queries made during that period to that one nameserver. As a result, anyone who can observe the traffic between the TOR exit node used for that connection and the DNS server can see every DNS request of that session together.
ttdnsd does select a different nameserver for each new connection, and since all connections go through TOR each connection will generally leave through a different exit node, so separate sessions are not trivially linked to each other.
Still, if this is a problem for you, don't use ttdnsd!
SECURITY
- ttdnsd uses chroot(2) and setuid/setgid to drop to user nobody after binding to port 53; binding the privileged port is the only step that needs root.
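The order of that sequence is what makes it safe: the socket is bound while still root, then the process locks itself into the chroot directory and changes group and user, with setuid(2) last because it is the irrevocable step. The following is an added illustration written for this page, not code from ttdnsd; it assumes the chroot directory /var/run/ttdnsd and the user nobody mentioned on this page, and its function names are the example's own. Running it for real requires root, since port 53 and chroot(2) are privileged.

```c
/* Added example, not ttdnsd's own code: bind port 53 as root, then confine the
 * process and become nobody, verifying afterwards that root cannot be regained. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to ip:53 while still root. Returns the fd, or -1 with errno set. */
static int bind_dns_socket(const char *ip)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(53);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Confine the process to jail and switch to uid/gid. chroot(2), setgroups(2) and
 * setgid(2) all need root, so they run before the irrevocable setuid(2); chdir("/")
 * keeps the working directory from pointing outside the jail, and clearing the
 * supplementary groups keeps root's group memberships from surviving the drop.
 * Refuses uid/gid 0. Returns 0 on success, -1 with errno set on failure. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* A genuine drop cannot be undone: regaining root must now fail. */
    if (setuid(0) == 0 || setgid(0) == 0 ||
        getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM; return -1;
    }
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");
    if (!pw) { fprintf(stderr, "no user nobody\n"); return 1; }
    int fd = bind_dns_socket("127.0.0.1");       /* -b 127.0.0.1 in ttdnsd terms */
    if (fd < 0) { perror("bind 127.0.0.1:53 (needs root)"); return 1; }
    if (drop_privileges("/var/run/ttdnsd", pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges");               /* never carry on serving as root */
        return 1;
    }
    printf("fd %d bound; now uid %u gid %u inside the jail\n",
           fd, (unsigned)getuid(), (unsigned)getgid());
    close(fd);
    return 0;
}
```

Because the process cannot see anything outside the jail afterwards, every file it (or a preloaded library such as tsocks) opens later has to exist under /var/run/ttdnsd; that is why the OpenWRT steps above copy tor-tsocks.conf into /var/run/ttdnsd/etc/tor. The -c option, which skips the chroot, is for debugging only.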
DOWNLOAD
- License is GPLv2
Version 0.2 (22. July 2007)
- ttdnsd-0.2.tar.gz (source)
Version 0.1 (25. Jan. 2007)
- ttdnsd-0.1.tar.gz (source)
ttdnsd_0.1-1_mipsel.ipk (mipsel ipk for OpenWRT)
Support files:
tsocks_1.8-1_mipsel.ipk (mipsel ipk for OpenWRT)
tsocks_buildroot_files.tgz (buildroot package files to build your own tsocks package)
- collin(AT)mulliner.org
--------------------
ttdnsd : The TOR TCP DNS Daemon
ttdnsd is a small DNS resolver for TOR which I wrote during the last two weeks. It basically bridges DNS from UDP to TCP to allow DNS requests using the TOR network. I know that there are other solutions for doing DNS over TOR, but none of the solutions I know about are usable on small hardware like a router that runs OpenWRT. ttdnsd is made to run on this kind of hardware (about 600 lines of C).
Feel invited to comment and report bugs.