Hello,

Inspired by Tails design documents I'm trying to set up DNS resolving through Tor with Unbound and ttdnsd. Unfortunately I can't seem to get it to work... This is what I have done so far:
$ ls /var/lib/ttdnsd
pid  tsocks.conf  ttdnsd.conf

$ cat /var/lib/ttdnsd/tsocks.conf
# This is the configuration for libtsocks (transparent socks) for use
# with tor, which is providing a socks server on port 9050 by default.
#
# See tsocks.conf(5) and torify(1) manpages.

server = 127.0.0.1
server_port = 9050

# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0

$ cat /var/lib/ttdnsd/ttdnsd.conf
# Google
8.8.8.8

$ cat /etc/conf.d/ttdnsd
# /etc/conf.d/ttdnsd

# Address to bind to - usually this should be 127.0.0.1
# unless a copy of ttdnsd runs on 127.0.0.n
ADDR_ARG="-b 127.0.0.2"

# Port to listen on - almost always this should be port 53
# unless an additional local DNS cache (like unbound, dnscache, pdnsd)
# listen on port 53 as system resolver and is used in front of ttdnsd
# for caching purposes.
PORT_ARG="-p 53"

# Debug logging
DEBUG_LOGGING="-l"

# Glue all of it together below
DEFAULTS="$ADDR_ARG $PORT_ARG $DEBUG_LOGGING"

$ cat /etc/rc.d/ttdnsd
#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

# source application-specific settings
[ -f /etc/conf.d/ttdnsd ] && . /etc/conf.d/ttdnsd

PID=`pidof -o %PPID /usr/sbin/ttdnsd`
case "$1" in
  start)
    stat_busy "Starting Tor TCP DNS Daemon"
    [ -z "$PID" ] && /usr/sbin/ttdnsd -P /run/ttdnsd.pid -f /etc/ttdnsd.conf -C /var/lib/ttdnsd $DEFAULTS &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon ttdnsd
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping Tor TCP DNS Daemon"
    # [ ! -z "$PID" ] && kill -INT $PID &> /dev/null
    [ ! -z "$PID" ] && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      [ -f /run/ttdnsd.pid ] && rm -f /run/ttdnsd.pid
      rm_daemon ttdnsd
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 3
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
exit 0
# vim: ft=sh ts=2 sw=2

$ cat /etc/unbound/unbound.conf
server:
  username: "unbound"
  directory: "/etc/unbound"
  use-syslog: yes
  verbosity: 0
  interface: 127.0.0.1
  chroot: ""
  jostle-timeout: 8000
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.2@53

$ cat /etc/iptables/rules.tor
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Established incoming connections are accepted.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT

# Established outgoing connections are accepted.
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

# Local network connections should not go through Tor but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT

# Sort out traffic to local network
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan

# Tor is allowed to do anything it wants to.
iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT

# i2p is allowed to do anything it wants to.
iptables -A OUTPUT -m owner --uid-owner i2p -j ACCEPT

# Everything else is dropped.
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# .onion mapped addresses redirection to Tor.
iptables -t nat -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9040

$ cat /etc/tor/torrc
## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.

## Uncomment this to mirror the directory for others (please do)
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised
## in DirPort (e.g. to advertise 80 but bind 9091), uncomment the line
## below. You'll need to do ipchains or other port forwarding yourself
## to make this work.
#DirBindAddress 0.0.0.0:9091

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to *replace*
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're *augmenting* (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## available in the man page or at http://tor.eff.org/documentation.html
##
## Look at http://tor.eff.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # middleman only -- no exits allowed

## Local settings

## Torified DNS
DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion

## Transparent proxy
TransPort 9040
TransListenAddress 127.0.0.1

## Misc
AvoidDiskWrites 1
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
WarnUnsafeSocks 0
## Default list for 0.2.1.30 + 6523 (gobby)
LongLivedPorts 21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300

$ tail -n 2 /etc/dhcpcd.conf
# Don't overwrite resolv.conf
nohook resolv.conf

$ cat /etc/resolv.conf
# Generated by dhcpcd from wlan0
# /etc/resolv.conf.head can replace this line
nameserver 127.0.0.1
# /etc/resolv.conf.tail can replace this line

I'm starting all the above services but DNS resolving doesn't work (tested with dig). From what I understand ttdnsd should run as a daemon, and ps -A | grep ttdnsd shows it just after starting it. But shortly afterwards ps says that there is no such process. I would appreciate any help with this set-up, as I've been grinding my teeth on it for the better part of the day now.

Sit vis vobiscum!
T.

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
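Added example, not part of T.'s post: an offline Python model of the filter OUTPUT chain from the rules.tor above, so the leak-prevention intent of that policy (DNS to a LAN resolver rejected, direct DNS to 8.8.8.8 rejected, loopback to Tor/ttdnsd allowed, only the tor and i2p uids allowed out) can be checked against constructed packets without a live firewall. The tor/i2p uid numbers are placeholders and the nat REDIRECT rule is not modelled.

```python
"""Offline model of the filter OUTPUT policy from the pasted rules.tor.

Added example (not from the post): the OUTPUT and 'lan' chains are re-encoded as
data and a constructed packet is walked through them the way netfilter would, so
the leak-prevention intent (LAN DNS rejected, only tor/i2p uids may leave the
host) can be checked without a live firewall.  The nat REDIRECT is not modelled.
"""
import ipaddress

TOR_UID, I2P_UID = 43, 44   # constructed placeholder uids for the tor and i2p users

# (matcher, target); a key absent from the matcher matches anything.
LAN = [
    ({"proto": "tcp", "dport": 53}, "REJECT"),
    ({"proto": "udp", "dport": 53}, "REJECT"),
    ({}, "ACCEPT"),
]
OUTPUT = [
    ({"ctstate": {"RELATED", "ESTABLISHED"}}, "ACCEPT"),
    ({"dst": "127.0.0.0/8"}, "ACCEPT"),           # loopback: Tor 9050/9040, ttdnsd on 127.0.0.2
    ({"dst": "192.168.0.0/16"}, "lan"),
    ({"dst": "10.0.0.0/8"}, "lan"),
    ({"dst": "172.16.0.0/12"}, "lan"),
    ({"uid": TOR_UID}, "ACCEPT"),
    ({"uid": I2P_UID}, "ACCEPT"),
    ({}, "REJECT"),                                # everything else
]
CHAINS = {"OUTPUT": OUTPUT, "lan": LAN}
POLICY = "DROP"  # iptables -P OUTPUT DROP; unreachable behind the final REJECT

def _matches(m, pkt):
    if "dst" in m and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(m["dst"]):
        return False
    if "ctstate" in m and pkt.get("ctstate", "NEW") not in m["ctstate"]:
        return False
    return all(pkt.get(k) == m[k] for k in ("proto", "dport", "uid") if k in m)

def verdict(pkt, chain="OUTPUT"):
    """ACCEPT/REJECT/DROP for pkt; a user chain with no match returns to its caller."""
    for m, target in CHAINS[chain]:
        if not _matches(m, pkt):
            continue
        if target in CHAINS:                    # -j <user chain>
            sub = verdict(pkt, target)
            if sub is not None:
                return sub
            continue                            # implicit RETURN, keep walking
        return target
    return POLICY if chain == "OUTPUT" else None
```

A packet is a dict with dst, proto, dport, uid and optionally ctstate, e.g. verdict({"dst": "192.168.1.1", "proto": "udp", "dport": 53, "uid": 1000}) gives "REJECT".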