
Re: Yet another UDP / DNS question...

> Could you describe your use case + threat model?

I'm terribly sorry for the chaos I'm causing, but right now I'm a very small
and confused person :-) Let me start from the beginning...

I'm using a Privoxy + Tor combination. For Privoxy to properly handle
TCP/HTTP requests and send them over the Tor network I have "listen-address"
in my /etc/privoxy/config. Then, to make sure that
Privoxy will be used globally, I added those four lines
to /etc/environment:

Now all TCP/HTTP traffic should go through the Privoxy -> Tor combination,
at least in theory. As I understand it, Wireshark is the tool I should use
to verify if that is what is happening in reality. I compiled Wireshark
but don't understand yet how to use it, so I will come back to verify
routing of TCP/HTTP when I understand what I'm doing.

Next, I tried to use torsocks to make sure UDP/DNS requests are resolved
through Tor. To accomplish that I added to /etc/privoxy/config
forward-socks4a   / .
forward-socks5   / .
My /etc/torsocks.conf looks like this:
local =
local =
local =
local =
local =
server =
server_port = 9050
But I have two problems with using torsocks:
1. Not all applications seem to be working with it, for example when I
try "usewithtor empathy" I'm getting "Segmentation fault". Which is
probably due to the problems with rejecting UDP:

torsocks allows you to use most socks-friendly applications in a safe
way with Tor. It ensures that DNS requests are handled safely and
explicitly rejects UDP traffic from the application you're using. (from

2. I would need to "usewithtor" every single application on my system to
make sure DNS requests are resolved through Tor.

Then I came across Transparently Routing Traffic Through Tor
<https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy>.
And this is where more confusion and problems started! What I want to
achieve with this wiki is to make sure all UDP/DNS requests will be sent
through Tor. Now I intend to follow Local Redirection Through Tor from the
mentioned wiki to the letter and that will hopefully resolve the case of
leaking DNS.

> # Block/reject all outgoing UDP traffic
> > iptables -A OUTPUT -j REJECT
> This rule does not block UDP only, it rejects all traffic including
> (if a packet makes its way to the last line).
So if I go ahead with the set-up from Local Redirection Through Tor, it
will allow out just the traffic going through Tor, stopping any and every
kind of non-Tor traffic from leaving my machine. But if I want to allow
traffic from certain applications I could do it by setting up an exception
in iptables, right? And furthermore, with this solution there will be no
need for me to use torsocks any more, yes?

> > iptables -A OUTPUT -p udp -m owner --uid-owner $TOR_UID -j ACCEPT
> Why did you add -p udp here? Tor uses TCP.
My mistake! Fixed now.

> I'm wondering why one would want to setup DNSPort configuration without
> TransPort.

That will be a lack of knowledge on my part; I misunderstood the information
from the wiki. I got confused by this comment
<http://www.hermann-uwe.de/blog/howto-anonymous-communication-with-tor-some-hints-and-some-pitfalls#comment-80205>
which doesn't mention TransPort and thus I thought it is not necessary.

> I wonder why your uid should be different every time you reboot, but you
> can also use the name of the user instead of the numerical value.
Well, I can't tell you why but that's how it is. To double check I rebooted
twice just now and "ps -A | grep -w tor" each time gave me a different UID
for tor.

Tomasz Moskal <ramshackle.industries@xxxxxxxxx>
Encrypted mail preferred. Key ID: 2C323C82
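
Added example, not part of the original message or of the wiki it cites: a small first-match model of the two filter rules quoted in this reply, showing that the closing REJECT (which has no -p) stops every unmatched packet and that "-p udp" on the owner rule leaves Tor's own TCP blocked. The account names "tor" and "alice", the rule sets and the packets are constructed for illustration; NAT redirection is not modelled.

```python
"""Toy first-match model of an iptables filter OUTPUT chain (NAT not modelled)."""
import shlex

# Flags this model understands; any other match (e.g. "-m owner") is ignored.
FLAGS = {"-p": "proto", "--uid-owner": "owner", "-j": "target"}

def parse_rule(line):
    """Turn '-A OUTPUT ... -j TARGET' into a dict; None means 'not restricted'."""
    rule = {"proto": None, "owner": None, "target": None}
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = tokens[i + 1]
    return rule

def verdict(lines, packet):
    """Return the target of the first rule whose stated matches all fit the packet."""
    for rule in map(parse_rule, lines):
        if all(rule[k] in (None, packet[k]) for k in ("proto", "owner")):
            return rule["target"]
    return "POLICY"  # nothing matched: the chain's default policy decides

# Constructed rule sets. "tor" is an assumed account name for the Tor daemon.
AS_POSTED = ["-A OUTPUT -p udp -m owner --uid-owner tor -j ACCEPT",
             "-A OUTPUT -j REJECT"]
CORRECTED = ["-A OUTPUT -m owner --uid-owner tor -j ACCEPT",
             "-A OUTPUT -j REJECT"]

# Constructed packets: Tor's own TCP, plus a desktop user's DNS and web traffic.
TOR_TCP = {"proto": "tcp", "owner": "tor"}
USER_DNS = {"proto": "udp", "owner": "alice"}
USER_WEB = {"proto": "tcp", "owner": "alice"}

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for label, pkt in (("tor tcp", TOR_TCP), ("user dns", USER_DNS),
                           ("user web", USER_WEB)):
            print(f"{name:10} {label:9} -> {verdict(chain, pkt)}")
```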
