Dealing with DNS Leaks

The Problem

When an application connects to a server on the Internet, it needs to resolve hostnames (i.e., www.antagonism.org) to IP addresses. To do this, the application sends the hostname to a DNS server for resolution. The DNS server sends the IP address for the hostname back to the application. This is normal business and is good for every day use. However, it is bad for business when you wish to conduct anonymous connections.

Let's examine an example of why DNS leaks are bad for anonymous connections. Let's say you exist in an oppressive regime and wish to browse a web site on the rergime's forbidden list. Your computer needs to resolve the hostname for forbidden web site, so it sends a request to its DNS resolver. The regime true to its repressive nature is monitoring the DNS servers for requests for forbidden sites. It correlates the request for the banned site with your IP address and stops by to arrest you for violating the law even though you made the connection using an anonymizing tool, such as Tor .

---

Solutions

There are a couple of solutions to the issue of DNS leaks. The most common is the use of a SOCKS proxy. The second solution is to send your DNS requests through the Tor network. Due the possiblity of applications either not supporting SOCKS or implementing it poorly, I highly recommend you employ both solutions.

SOCKS proxy

A SOCKS proxy operates as a transparent proxy to allow client-server applications to reach resources which may not be accessible otherwise. The Tor application provides a SOCKS proxy (listening by default on localhost:9050) to allow applications which support SOCKS to access the Tor network.

When using SOCKS 4a, you are able to provide hostnames, which Tor will resolve through the Tor network. Thus, your DNS requests are anonymized and the problem mentioned above is avoided. To allow those applications which support SOCKS to access TOR, one simply needs to configure the application to use the SOCKS proxy which the Tor application runs or a HTTP proxy which supports SOCKS (i.e. privoxy or polipo ). The following page covers how to configure many applications with Tor in order to prevent DNS leaks.

Sending DNS requests through Tor

There are several problems which exist with the above solution. First, not all applications support SOCKS. This means you can not anonymize their DNS requests with the above method. Second, even though an application claims to support SOCKS, it may implement it incorrectly and still leak DNS requests. This page details how to determine if your application using SOCKS still leaks DNS requests. Lastly, the above method requires you to hand configure each and every application. While this may be a viable solution for a handful of machines, as the number of machines grows larger, the solution becomes more unwieldly.

Transparently proxying DNS requests will resolve the problems mentioned with the previous solutions. It will handle DNS requests for applications which either do not support SOCKS or implement it poorly and since it transparently proxies the requests, you do not have to configure each individual machine. There are two methods to do this. The first is to use your firewall software (iptables, pf) to redirect DNS requests from your network to dns-proxy-tor (note the previous link is only accessible through Tor). The second method is to use the your firewall software to redirect DNS requests from your network to the DNSPort of a server running Tor version 0.2.0.1-alpha or later. Since the 0.2.x series is still not considered stable, this example will cover the former.

Assumptions

For purposes of this example, the following assumptions are in effect:

• The router's internal IP address is 192.168.1.1.
• The internal network is 192.168.1.0/24.
• Tor runs on the router.
• The router's internal interface is eth0.
• TOr's data directory is /var/lib/tor and owned by tor.tor.
• The UID of the Tor user is 100.

Installing dns-proxy-tor

In the Tor 0.1.x series, we need a proxy server to handle DNS requests which we wish to remain anonymous. dns-proxy-tor is just such a proxy server. With Tor 0.2.x, such a proxy server is not needed. This page covers how to make DNS requests anonymous with Tor 0.2.x. Below are instructions on how to install dns-proxy-tor .

% wget -c http://p56soo2ibjkx23xo.onion/trans-proxy-tor-0.1.0.tar.gz
% tar zxvf trans-proxy-tor-0.1.0.tar.gz
% cd trans-proxy-tor-0.1.0
% sudo cp dns-proxy-tor /usr/local/bin/dns-proxy-tor
% sudo chmod 755 /usr/local/bin/dns-proxy-tor
% sudo chown root.root /usr/local/bin/dns-proxy-tor

 

Router Configuration

The router will need the changes below added to its torrc file. With these changes made, the router will be able to capture DNS traffic sent through it, redirect it to dns-proxy-tor and from there send the DNS request through the Tor network.

VirtualAddrNetwork 10.192.0.0/10
ControlPort 9051
CookieAuthentication 1
TransPort 9040
TransListenAddress 127.0.0.1
TransListenAddress 192.168.1.1

 

 

Before you make these changes to torrc, be sure you understand what the options do. The torrc options configured above do the following:

• "VirtualAddrNetwork 10.192.0.0/10" sets the virtual (unused) address space to 10.192.0.0/10. This means when the controller asks for a virtual address with the MAPADDRESS command, Tor will provide an address from this range. When using dns-proxy-tor to provide a proxy service for the network, this needs to be set to either the above or "172.16.0.0/12".
• "ControlPort 9051" set the control port to 9051 on the localhost. This port allows process to control Tor using the Tor Control Protocol.
• "CookieAuthentication 1" prevents any connections to the control port which do not know the contents of the "control_auth_cookie" file located in Tor's data directory.
• "TransPort 9040" sets the transparent proxy port to 9040.
• "TransListenAddress 127.0.0.1" and "TransListenAddress 192.168.1.1" has the transparent proxy listen at the following addresses on the port specified by "TransPort".

The Tor manual covers these options and many more. On making these additions to torrc, you need to restart Tor. The below example demonstrates how to restart Tor for RedHat systems.

% sudo /sbin/service tor restart

 

 

Once you have Tor configured, you need to start dns-proxy-tor . The example below demonstrates how to start dns-proxy-tor .

# dns-proxy-tor -b 192.1681.1.1:53 -t 127.0.0.1:9051 -s 127.0.0.1:9050 \
-c /var/lib/tor -k /var/lib/tor -u tor:tor -p /var/run/dns-proxy-tor.pid

 

 

Before starting dns-proxy-tor , make sure you understand what the command does. The dns-proxy-tor options configured above do the following:

• "-b 192.168.1.1:53" binds dns-proxy-tor to 192.168.1.1 on port 53. If the port is less than 1024, the command must be run as root.
• "-t 127.0.0.1:9051" has dns-proxy-tor send "MAPADDRESS" Tor controller commands to Tor on localhost, port 9051. This address/port combination should match the address/port combination specified by the "ControlPort" option in the torrc.
• "-s 127.0.0.1:9050" has dns-proxy-tor send SOCKS resolve requests to Tor on localhost, port 9050. This address/port combination should match the address/port combination specified by the "SocksPort" or "SocksListenAddress" options.
• "-c /var/lib/tor" changes the root directory to "/var/lib/tor". This option is only available when run as the root user.
• "-k /var/lib/tor" tells dns-proxy-tor to authenticate to the Tor control port with the "control_auth_cookie" file located in Tor's data directory, "/var/lib/tor". In order to use this option, the "CookieAuthentication" option must be set in torrc.
• "-u tor:tor" tells dns-proxy-tor to drop privileges to the user, "tor" and group, "tor". This option is only available when run as the root user. The user/group should be the same as the user/group which runs Tor. This will allow dns-proxy-tor access to the directories specified by the "-c" and "-k" options.
• "-p /var/run/dns-proxy-tor.pid" writes the PID to the file, "/var/run/dns-proxy-tor.pid".

These options and more may be accessed by reading the Perl documentation associated with dns-proxy-tor . This documentation may be read by running the following commands.

% perldoc /usr/local/bin/dns-proxy-tor

 

 

Below is an example of an iptables script which would handle the redirection of DNS packets sent to external networks to dns-proxy-tor . Note Do not implement this directly on your router unless you understand completely what the commands do. I am not responsible for mistakes which you make on your system by blinding implementing this script.

 

 

#!/bin/sh

# the UID Tor runs as
TOR_UID="100"

# Tor's TransPort
TRANS_PORT="9040"

# your internal interface
INT_IF="eth0"

iptables -F
iptables -t nat -F

iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p tcp --syn -j DNAT --to-dest 127.0.0.1:$TRANS_PORT

iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT

 

<!-- end /tail.shtml -->