
Re: [tor-talk] Tor with ttdnsd and unbound

On 04/29/2012 12:15 PM, Ondrej Mikle wrote:
> On 04/29/2012 03:49 PM, Tom wrote:
>> On 29 April 2012 12:53, anonym <anonym@xxxxxxxxxxx> wrote:
>>> So, you have to switch from using Google's DNS (which blocks Tor
>>> nowadays) to OpenDNS or whatever DNS server you trust. You'll still be
>>> unable to do multiple DNS requests at a time, though.
>> Yes, you are right! So for now I'm scrapping the ttdnsd+unbound idea, at
>> least until ttdnsd is fixed or, until (hopefully!) Tor implements
>> its own DNS tools [1].
>> Is there any other way to reliably resolve DNS queries through Tor?
> I wrote a HOWTO for DNS/DNSSEC over Tor with unbound+socat (IMHO if you're using
> unbound, drop ttdnsd altogether):
> https://labs.nic.cz/page/993/dnssec-validation-over-tor--linux-/
> Click 'English' at the top of the page if you get the Czech version (it takes language
> preferences from the headers sent by the browser; Referer sending must be enabled in
> the browser in order for the language switch to work).

I'm the current maintainer of ttdnsd and I fully support using something
that isn't such a hack.

I know that Paul Wouters and another unbound developer hacked together a
udp/tcp listener that only made outbound TCP connections. I think I made
some notes in the ttdnsd git repo at one point.

There was a patch that needed to be applied to unbound but I believe it
is now merged. If that is the case, I think that unbound and either
TransPort + iptables, socat, or torsocks would be the best path.

> I'm also working now on DNS/DNSSEC as Tor hidden service over TLS, I'll post the
> HOWTO in couple of days.

That sounds interesting.

>> [1] https://lists.torproject.org/pipermail/tor-dev/2012-March/003341.html
> The above proposal/implementation will take a while to finish, I've run into
> some technical quirks that need to be resolved (in order to have it working
> reasonably fast and not shoot yourself in foot with some stupid design/coding
> mistake).
> That's also the reason I decided to try the "DNS as hidden service over TLS"
> approach.

I think this doesn't scale very well but it's nevertheless quite
interesting as well!

All the best,
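The unbound+socat arrangement the thread refers to, as an added example that is not from the thread or from the linked HOWTO: unbound validates DNSSEC locally and forwards every query over TCP to a socat listener, which relays each connection through Tor's SOCKS port to an upstream resolver. All addresses and ports are assumptions (Tor SOCKS on 127.0.0.1:9050, socat on 127.0.0.1:5353, a placeholder upstream in the RFC 5737 documentation range) and the trust-anchor path is the common default; the script only generates the config and the socat command line so it can be inspected before use.

```shell
#!/bin/sh
# Added example, not code from the thread or the HOWTO it links. Assumed values:
TOR_SOCKS_HOST=127.0.0.1   # Tor's SOCKS listener
TOR_SOCKS_PORT=9050
RELAY_PORT=5353            # local socat listener that unbound forwards to
UPSTREAM=192.0.2.53        # placeholder (RFC 5737 range); use a resolver you trust

# unbound.conf fragment. tcp-upstream forces TCP to the forwarder (Tor carries
# no UDP), do-not-query-localhost lets unbound talk to the socat listener, and
# the local trust anchor keeps DNSSEC validation on this host, so neither the
# exit relay nor the upstream resolver can forge signed answers unnoticed.
gen_unbound_conf() {
    cat <<EOF
server:
    interface: 127.0.0.1
    port: 53
    do-not-query-localhost: no
    tcp-upstream: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@${RELAY_PORT}
EOF
}

# socat command: every inbound TCP DNS connection becomes a SOCKS4A connection
# through Tor to port 53 of the upstream resolver (one child per connection).
gen_socat_cmd() {
    printf 'socat TCP4-LISTEN:%s,bind=127.0.0.1,fork,reuseaddr SOCKS4A:%s:%s:53,socksport=%s\n' \
        "$RELAY_PORT" "$TOR_SOCKS_HOST" "$UPSTREAM" "$TOR_SOCKS_PORT"
}

# Refuse a config that would still send upstream queries over UDP or that
# unbound would reject for pointing at localhost.
check_conf() {
    printf '%s\n' "$1" | grep -q '^ *tcp-upstream: yes' || return 1
    printf '%s\n' "$1" | grep -q '^ *do-not-query-localhost: no' || return 1
    return 0
}

# Usage: ./dns-over-tor.sh show   (print both pieces; nothing is started)
if [ "${1:-}" = "show" ]; then
    gen_unbound_conf
    gen_socat_cmd
fi
```

Start the printed socat line before unbound, and remember that the chosen Tor exit must permit TCP to port 53 of the upstream resolver or every query will time out.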