[tor-talk] Tor with ttdnsd and unbound
Hello,
Inspired by Tails design documents I'm trying to set up DNS resolving
through Tor with Unbound and ttdnsd. Unfortunately I can't seem to get it
to work... This is what I have done so far:
ls /var/lib/ttdnsd
pid tsocks.conf ttdnsd.conf
cat /var/lib/ttdnsd/tsocks.conf
# This is the configuration for libtsocks (transparent socks) for use
# with tor, which is providing a socks server on port 9050 by default.
#
# See tsocks.conf(5) and torify(1) manpages.
server = 127.0.0.1
server_port = 9050
# We specify local as 127.0.0.0 - 127.191.255.255 because the
# Tor MAPADDRESS virtual IP range is the rest of net 127.
local = 127.0.0.0/255.128.0.0
local = 127.128.0.0/255.192.0.0
cat /var/lib/ttdnsd/ttdnsd.conf
# Google
8.8.8.8
cat /etc/conf.d/ttdnsd
# /etc/conf.d/ttdnsd
# Address to bind to - usually this should be 127.0.0.1
# unless a copy of ttdnsd runs on 127.0.0.n
ADDR_ARG="-b 127.0.0.2"
# Port to listen on - almost always this should be port 53
# unless an additional local DNS cache (like unbound, dnscache, pdnsd)
# listen on port 53 as system resolver and is used in front of ttdnsd
# for caching purposes.
PORT_ARG="-p 53"
# Debug logging
DEBUG_LOGGING="-l"
# Glue all of it together below
DEFAULTS="$ADDR_ARG $PORT_ARG $DEBUG_LOGGING"
cat /etc/rc.d/ttdnsd
#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions
# source application-specific settings
[ -f /etc/conf.d/ttdnsd ] && . /etc/conf.d/ttdnsd
PID=`pidof -o %PPID /usr/sbin/ttdnsd`
case "$1" in
start)
stat_busy "Starting Tor TCP DNS Daemon"
[ -z "$PID" ] && /usr/sbin/ttdnsd -P /run/ttdnsd.pid -f /etc/ttdnsd.conf -C /var/lib/ttdnsd $DEFAULTS &> /dev/null
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon ttdnsd
stat_done
fi
;;
stop)
stat_busy "Stopping Tor TCP DNS Daemon"
# [ ! -z "$PID" ] && kill -INT $PID &> /dev/null
[ ! -z "$PID" ] && kill $PID &> /dev/null
if [ $? -gt 0 ]; then
stat_fail
else
[ -f /run/ttdnsd.pid ] && rm -f /run/ttdnsd.pid
rm_daemon ttdnsd
stat_done
fi
;;
restart)
$0 stop
sleep 3
$0 start
;;
*)
echo "usage: $0 {start|stop|restart}"
esac
exit 0
# vim: ft=sh ts=2 sw=2
cat /etc/unbound/unbound.conf
server:
    username: "unbound"
    directory: "/etc/unbound"
    use-syslog: yes
    verbosity: 0
    interface: 127.0.0.1
    chroot: ""
    jostle-timeout: 8000
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.2@53
cat /etc/iptables/rules.tor
#!/bin/sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Established incoming connections are accepted.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Traffic on the loopback interface is accepted.
iptables -A INPUT -i lo -j ACCEPT
# Established outgoing connections are accepted.
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Internal network connections are accepted.
iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
iptables -N lan
iptables -A lan -p TCP --dport domain -j REJECT
iptables -A lan -p UDP --dport domain -j REJECT
iptables -A lan -j ACCEPT
# Sort out traffic to local network
# Note that we exclude the VirtualAddrNetwork used for .onion:s here.
iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan
# Tor is allowed to do anything it wants to.
iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
# i2p is allowed to do anything it wants to.
iptables -A OUTPUT -m owner --uid-owner i2p -j ACCEPT
# Everything else is dropped.
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# .onion mapped addresses redirection to Tor.
iptables -t nat -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9040
cat /etc/tor/torrc
## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.
## Uncomment this to mirror the directory for others (please do)
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised
## in DirPort (e.g. to advertise 80 but bind 9091), uncomment the line
## below. You'll need to do ipchains or other port forwarding yourself
## to make this work.
#DirBindAddress 0.0.0.0:9091
## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to *replace*
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're *augmenting* (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## available in the man page or at http://tor.eff.org/documentation.html
##
## Look at http://tor.eff.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # middleman only -- no exits allowed
## Local settings
## Torified DNS
DNSPort 8853
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
## Transparent proxy
TransPort 9040
TransListenAddress 127.0.0.1
## Misc
AvoidDiskWrites 1
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
WarnUnsafeSocks 0
## Default list for 0.2.1.30 + 6523 (gobby)
LongLivedPorts 21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300
tail -n 2 /etc/dhcpcd.conf
# Don't overwrite resolv.conf
nohook resolv.conf
cat /etc/resolv.conf
# Generated by dhcpcd from wlan0
# /etc/resolv.conf.head can replace this line
nameserver 127.0.0.1
# /etc/resolv.conf.tail can replace this line
I'm starting all the above services but DNS resolving doesn't work (tested
with dig). From what I understand ttdnsd should run as a daemon, and ps -A |
grep ttdnsd shows it just after starting it. But shortly afterwards ps says
that there is no process like that.
I would appreciate any help with this set-up, as I've been grinding my teeth
on it for the better part of the day now.
Sit vis vobiscum!
T.
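The post describes a three-hop resolver chain (client -> unbound on 127.0.0.1:53 -> ttdnsd on 127.0.0.2:53 -> Tor, with Tor's own DNSPort on 8853 also available) and a "dig fails" symptom with no indication of which hop is broken. The script below is an added example, not code from the original post or from the ttdnsd, unbound or Tor projects: it builds a minimal A query, sends it to each hop directly over UDP, and reports per hop whether the answer came back, timed out, or was refused, so the failure can be pinned to one daemon. The hop list is an assumption taken from the posted configs, and `torproject.org` is just a default name to look up; adjust both to match your setup.

```python
"""Hop-by-hop check of a Tor DNS resolver chain (unbound -> ttdnsd -> Tor).

Added example, not from the original post or the ttdnsd/unbound projects.
Each hop is queried directly so that a failure can be narrowed to one
daemon instead of only seeing "dig fails" at the front of the chain.
"""
import socket
import struct

# Assumed hops, taken from the posted configs, in the order a query traverses them.
HOPS = [
    ("unbound", "127.0.0.1", 53),
    ("ttdnsd", "127.0.0.2", 53),
    ("tor DNSPort", "127.0.0.1", 8853),
]

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Return a minimal DNS A/IN query for *name* with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name starting at *pos*."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies 2 bytes
            return pos + 2
        pos += 1 + length


def parse_response(data, txid=0x1234):
    """Parse a DNS response; return (rcode_name, [A-record IPs])."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):                 # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return RCODES.get(rcode, str(rcode)), ips


def query_hop(host, port, name, timeout=5.0):
    """Send one UDP query to host:port; return (rcode, ips) or an error label."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (host, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"            # nothing listening or query dropped
        except OSError as e:            # e.g. ICMP port unreachable -> ECONNREFUSED
            return f"ERROR:{e.errno}"
    try:
        return parse_response(data)
    except ValueError as e:
        return f"BAD_RESPONSE:{e}"


def check_chain(name="torproject.org", hops=HOPS):
    """Query every hop in order and return a list of (hop_label, result)."""
    return [(label, query_hop(host, port, name)) for label, host, port in hops]


if __name__ == "__main__":
    for label, result in check_chain():
        print(f"{label:12s} -> {result}")
```

Reading the output: a TIMEOUT at the ttdnsd hop while the Tor DNSPort hop answers points at ttdnsd not running (consistent with the process disappearing shortly after start), whereas a SERVFAIL from unbound with a working ttdnsd points at the forward-zone configuration. Note that Tor's DNSPort resolves only A records by design, so a result for other record types from that hop is not meaningful.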
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk