Wednesday, 1 July 2020

TOR TCP DNS Daemon

a solution for DNS over TOR

Development of ttdnsd has moved to https://gitweb.torproject.org/ioerror/ttdnsd.git


ttdnsd is a forwarding nameserver that also bridges between UDP and TCP...

NEWS

THE REASON
    ttdnsd exists for a simple reason: I want to run TOR as a transparent proxy on my OpenWRT-based router, and all existing solutions for transparent TOR DNS require some kind of scripting language that doesn't run nicely on OpenWRT. I also wanted to have real DNS over TOR.

HOW IT WORKS
    ttdnsd accepts DNS requests via UDP and forwards them to a resolving nameserver via TCP. The requests are forwarded unchanged, so one has complete access to the nameserver ttdnsd is talking to.

    ttdnsd only connects to the resolving nameserver after receiving a request via UDP. For each connection ttdnsd randomly selects one of the nameservers it knows about (see OPTIONS below). The connection is used to forward multiple requests in a pipelined fashion and is kept open only until no more requests are received via UDP. This pipelining is required to amortise the initial connection setup time, which is quite long when going through TOR.
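The bridging described above, as an added illustration in Python that is not ttdnsd's own code: DNS over TCP carries a two-octet length prefix that a UDP-to-TCP forwarder must add and strip, and because several queries are pipelined over one TCP connection the forwarder has to reassemble a byte stream that may hold partial or several replies and route each reply back to the right UDP client by its transaction ID. The query builder and the client addresses are constructed sample data.

```python
import struct

# Added example, not ttdnsd's own code. DNS over TCP (RFC 1035 sec. 4.2.2) prefixes each
# message with a two-octet big-endian length; a UDP->TCP bridge adds it on the way out,
# strips it on the way back, and (since ttdnsd pipelines queries) must reassemble a byte
# stream holding partial or several replies and route each reply by transaction ID.

def frame_for_tcp(msg: bytes) -> bytes:
    """Prefix a UDP-style DNS message with its 16-bit length for the TCP connection."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def split_tcp_stream(buf: bytes):
    """Return (complete messages, leftover bytes) from a pipelined TCP byte stream."""
    msgs = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + n:
            break  # partial message: keep it until more bytes arrive
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf

def txid(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]  # first 16 bits of the DNS header

def build_query(tid: int, name: str) -> bytes:
    """Constructed sample query (A record, RD set), not captured traffic."""
    hdr = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", 1, 1)

class Bridge:
    """Remembers which UDP client waits for which transaction ID on one TCP link."""
    def __init__(self):
        self.pending = {}      # txid -> (client ip, client port)
        self.tcp_leftover = b""
    def on_udp_query(self, client, msg: bytes) -> bytes:
        """Record the client under the query's txid; return bytes to send to the resolver."""
        # Caveat: two clients reusing one txid collide; a hardened bridge rewrites IDs.
        self.pending[txid(msg)] = client
        return frame_for_tcp(msg)
    def on_tcp_data(self, data: bytes):
        """Consume resolver bytes; return (client, reply) pairs ready for UDP sendto."""
        msgs, self.tcp_leftover = split_tcp_stream(self.tcp_leftover + data)
        out = []
        for m in msgs:
            client = self.pending.pop(txid(m), None)
            if client is not None:  # unknown/duplicate IDs are dropped, not forwarded
                out.append((client, m))
        return out
```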

NAMESERVERS
    In order to use ttdnsd you need to find public nameservers that allow recursive resolving over TCP. Finding this kind of nameserver is quite hard, but the TOR website has a good hint: OpenDNS. OpenDNS provides public nameservers that support recursive resolving. There are many other publicly accessible nameservers around; you just need to find them on your own (or by asking Google).

RUNNING IT
    Right now ttdnsd only helps you with running TOR on a router (i.e. on a computer that doesn't need to use TOR locally). This is because TOR itself requires working DNS, so you can't replace your /etc/resolv.conf with a file that points at your ttdnsd server. Solving the problem should be quite easy, but I haven't tried it yet!

    Since v0.2 ttdnsd can also be used for DNS over TOR on a single computer. This is done by setting LD_PRELOAD=libttdnstor.so.1 for the tor binary (/usr/sbin/tor), which gives tor itself normal DNS lookups while all other DNS requests are handled by ttdnsd.

    ttdnsd requires torify in order to reach the TOR network. torify is part of TOR but requires tsocks (a SOCKS wrapper). On normal, non-embedded distributions torify and tsocks are not an issue since they are included and installed automatically with TOR.

    ttdnsd also requires a list of nameservers to forward to. The list is a simple file containing one IP address per line. The list of course needs to contain at least one IP address.

      torify ttdnsd -f /etc/ttdnsd.servers

    You may also want to run a DNS cache to improve the performance of ttdnsd.

OPTIONS
            -b      local ip      bind to local ip
            -f      dns file      filename to read DNS server IP(s) from
            -c                    DON'T chroot(2) to /var/run/ttdnsd
            -d                    DEBUG: don't fork/chroot and print debug output
            -l                    don't log to /var/run/ttdnsd/ttdnsd.debug

TTDNSD AND OPENWRT
    install: ttdnsd, tor, tsocks (provides SOCKS for ttdnsd), and ntpclient (tor likes to know the current time)

    The short description for people who know stuff:
      dnsmasq resolves via ttdnsd, and ttdnsd connects to its nameservers via tor; therefore dnsmasq and tor listen on the LAN interface of the router and ttdnsd on loopback.


    The long description (needs more details):
    dnsmasq
      create file: echo nameserver 127.0.0.1 > /etc/resolv.conf.dnsmasq
      edit file: /etc/dnsmasq.conf so that dnsmasq uses /etc/resolv.conf.dnsmasq as its resolv file
      run: dnsmasq -I vlan1 -i LAN_IF -a

    tor/torify/tsocks
      make sure: that /etc/resolv.conf points to your ISP nameservers
      edit: /etc/tor/torrc to make tor bind to the router's LAN_IP
      edit: torrc to create tmp files in /tmp/tor
      edit: /etc/tor/tor-tsocks.conf to point tsocks at your router's LAN_IP
      run: tor

    ttdnsd
      create directory: mkdir -p /var/run/ttdnsd/etc/tor
      copy: /etc/tor/tor-tsocks.conf to /var/run/ttdnsd/etc/tor
      edit: put the IPs of the nameserver(s) you want ttdnsd to use in /etc/ttdnsd.conf (one on each line)
      run: torify /jffs/usr/sbin/ttdnsd -f /etc/ttdnsd.conf -b 127.0.0.1


TTDNSD FOR LOCAL COMPUTER
    create resolv.conf for tor (e.g. /etc/resolv.conf.tor) containing your real nameservers: cp /etc/resolv.conf /etc/resolv.conf.tor
    create new resolv.conf for your local applications: echo "nameserver 127.0.0.1" >/etc/resolv.conf
    tell libttdnstor.so where to find resolv.conf for tor: export TTDNSD_REALRESOLVCONF=/etc/resolv.conf.tor
    start ttdnsd: torify ttdnsd -b 127.0.0.1 -f /etc/ttdnsd.conf
    start tor: LD_PRELOAD=FULLPATH_TO_libttdnstor.so.1 /usr/sbin/tor

PRIVACY
    In order to improve its performance ttdnsd keeps the connection to the resolving nameserver open as long as possible, and therefore forwards all DNS queries of that session to that one nameserver. Because of this, somebody who can see all the traffic between the TOR exit node used for that particular connection and the DNS server can monitor all DNS requests of that session.

    However, ttdnsd uses a different nameserver for each new connection, and since all connections go through TOR, a different exit node is used for each connection as well.

    Still, if this is a problem for you, don't use ttdnsd!

SECURITY
    ttdnsd uses chroot(2) and setuid/setgid to drop privileges to user NOBODY after binding to port 53.

DOWNLOAD
CONTACT
    collin(AT)mulliner.org
    from http://www.mulliner.org/collin/ttdnsd.php
--------------------

ttdnsd : The TOR TCP DNS Daemon

ttdnsd is a small DNS resolver for TOR which I wrote during the last two weeks. It basically bridges DNS from UDP to TCP to allow DNS requests over the TOR network. I know that there are other solutions for doing DNS over TOR, but none of the ones I know about are usable on small hardware like a router that runs OpenWRT. ttdnsd is made to run on this kind of hardware (about 600 lines of C).

Feel invited to comment and report bugs.
