The TOR TCP DNS Daemon
a solution for DNS over TOR
Development for ttdnsd has moved to:
https://gitweb.torproject.org/ioerror/ttdnsd.git
ttdnsd is a forwarding nameserver that also bridges between UDP and TCP...
NEWS
THE REASON
ttdnsd exists for a simple reason. I want to run TOR as a transparent proxy on my OpenWRT based
router, and all solutions for transparent TOR DNS require some kind of scripting language that doesn't run nicely on OpenWRT. Also,
I wanted to have real DNS over TOR.
HOW IT WORKS
ttdnsd accepts DNS requests via UDP and forwards them to a resolving nameserver via TCP. The requests are forwarded unchanged,
so one has complete access to the nameserver ttdnsd is talking to.
ttdnsd only connects to the resolving nameserver after receiving a request via UDP. For each connection ttdnsd randomly selects one of
the nameservers it knows about (see OPTIONS below). The connection is used for forwarding multiple requests in a pipelined fashion
and is kept open only until no more requests are received via UDP. This pipelining is required to overcome the initial connection setup
time, which is quite long when using TOR.
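The UDP-to-TCP bridging and pipelining described above, as an added Python illustration (ttdnsd itself is written in C; this is not its code). It shows the two things a forwarder like this has to get right: DNS over TCP prefixes every message with a two-byte length, so the byte stream has to be re-split into messages because one read may hold several pipelined responses or only half of one; and because responses on a pipelined connection can come back in any order, outstanding queries are matched to their UDP client by transaction ID. Rewriting the transaction ID on the TCP side (so two UDP clients that happened to choose the same ID cannot collide) is this example's own choice, not something the page says ttdnsd does. The sample queries are constructed here.

```python
import secrets
import struct
from typing import Dict, List, Tuple

Client = Tuple[str, int]  # (ip, port) of the UDP client that sent a query


def udp_to_tcp(msg: bytes) -> bytes:
    """Frame a bare UDP DNS message for TCP: RFC 1035 4.2.2 two-byte length prefix."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for the TCP length prefix")
    return struct.pack("!H", len(msg)) + msg


def tcp_to_udp(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages.

    TCP has no message boundaries, so one read may contain several pipelined
    responses or only part of one.  Returns (complete messages, leftover bytes);
    the leftover must be kept until the next read completes it.
    """
    msgs: List[bytes] = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        if pos + 2 + length > len(stream):
            break  # partial message: wait for more data
        msgs.append(stream[pos + 2 : pos + 2 + length])
        pos += 2 + length
    return msgs, stream[pos:]


def txid(msg: bytes) -> int:
    """Transaction ID: the first two bytes of the DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack_from("!H", msg, 0)[0]


def set_txid(msg: bytes, tid: int) -> bytes:
    """Return a copy of msg with its transaction ID replaced."""
    return struct.pack("!H", tid) + msg[2:]


def build_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal wire-format query (RD=1, one question, class IN); used for sample input."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


class PipelinedForwarder:
    """Multiplexes many UDP clients' queries onto a single TCP connection.

    Independent clients may pick the same transaction ID, so each outstanding
    query gets a fresh random ID on the TCP side (an assumption of this example)
    and the client's original ID is restored on the way back.  Responses can
    therefore arrive in any order.
    """

    def __init__(self) -> None:
        self.pending: Dict[int, Tuple[Client, int]] = {}  # tcp id -> (client, original id)
        self.buf = b""  # unparsed tail of the TCP stream

    def _fresh_id(self) -> int:
        if len(self.pending) >= 0x10000:
            raise RuntimeError("too many outstanding queries")
        while True:
            tid = secrets.randbelow(0x10000)
            if tid not in self.pending:
                return tid

    def on_udp_query(self, msg: bytes, client: Client) -> bytes:
        """Register a client's query; return the frame to write to the TCP socket."""
        tid = self._fresh_id()
        self.pending[tid] = (client, txid(msg))
        return udp_to_tcp(set_txid(msg, tid))

    def on_tcp_bytes(self, data: bytes) -> List[Tuple[Client, bytes]]:
        """Consume bytes read from the TCP socket; return (client, UDP reply) pairs."""
        self.buf += data
        msgs, self.buf = tcp_to_udp(self.buf)
        replies: List[Tuple[Client, bytes]] = []
        for m in msgs:
            entry = self.pending.pop(txid(m), None)
            if entry is None:
                continue  # unsolicited or duplicate response: drop it
            client, original_id = entry
            replies.append((client, set_txid(m, original_id)))
        return replies

    def idle(self) -> bool:
        """True when nothing is outstanding, i.e. the TCP connection may be closed."""
        return not self.pending and not self.buf
```

The pending map doubles as the "keep the connection open until no more requests arrive" rule from the text: as long as it is non-empty the TCP connection stays up, and an unsolicited or repeated response is simply discarded instead of being delivered to a client.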
NAMESERVERS
In order to use ttdnsd you need to find public nameservers that allow recursive resolving over TCP. Finding these kinds of nameservers is
quite hard, but the TOR website has a good hint: OpenDNS. OpenDNS provides public
nameservers that support recursive resolving. There are many other publicly accessible nameservers around; you just need to find them
on your own (or by asking Google).
RUNNING IT
Right now ttdnsd only helps you with running TOR on a router (on a computer that doesn't need to use TOR locally). This is because TOR itself requires DNS to work, so you can't replace your
/etc/resolv.conf with a file that points to your ttdnsd server. Solving the problem should be quite easy, but I haven't tried it yet!
Since v0.2 ttdnsd can also be used for DNS over tor on a single computer. This is done via LD_PRELOAD=libttdnstor.so.1 for the tor binary (/usr/sbin/tor). This enables normal DNS lookups for tor itself while all other
DNS requests are handled by ttdnsd.
ttdnsd requires torify in order to access the TOR network. torify is part of TOR but requires tsocks
(a SOCKS wrapper). For normal non-embedded distributions torify and tsocks are not an issue, since they are included and automatically
installed with TOR.
ttdnsd also requires a list of nameservers to forward to. The list is a simple file containing one IP address per line, and it
needs to contain at least one IP address.
torify ttdnsd -f /etc/ttdnsd.servers
You may also want to run a DNS cache to improve the performance of ttdnsd.
OPTIONS
-b <local ip>   bind to local ip
-f <dns file>   filename to read dns server ip(s) from
-c              DON'T chroot(2) to /var/run/ttdnsd
-d              DEBUG: don't fork/chroot and print debug output
-l              don't log to /var/run/ttdnsd/ttdnsd.debug
TTDNSD AND OPENWRT
install: ttdnsd, tor, tsocks (provides SOCKS for ttdnsd), and ntpclient (tor likes to know the current time)
The short description for people who know stuff:
dnsmasq resolves via ttdnsd, ttdnsd connects to its nameservers via tor; therefore dnsmasq and tor listen on the LAN interface of the router and
ttdnsd on loopback.
The long description (needs more details):
dnsmasq
create file: echo nameserver 127.0.0.1 > /etc/resolv.conf.dnsmasq
edit file: /etc/dnsmasq.conf so that dnsmasq reads its upstream servers from /etc/resolv.conf.dnsmasq (the resolv-file option)
run: dnsmasq -I vlan1 -i LAN_IF -a
tor/torify/tsocks
make sure: /etc/resolv.conf points to your ISP nameservers
edit: /etc/tor/torrc to make tor bind to the router's LAN_IP
edit: torrc to create tmp files in /tmp/tor
edit: /etc/tor/tor-tsocks.conf to point tsocks to your router's LAN_IP
run: tor
ttdnsd
create directory: mkdir -p /var/run/ttdnsd/etc/tor
copy: /etc/tor/tor-tsocks.conf to /var/run/ttdnsd/etc/tor
edit: put the IPs of the nameserver(s) you want ttdnsd to use in /etc/ttdnsd.conf (one on each line)
run: torify /jffs/usr/sbin/ttdnsd -f /etc/ttdnsd.conf -b 127.0.0.1
TTDNSD FOR LOCAL COMPUTER
create resolv.conf for tor (e.g. /etc/resolv.conf.tor) containing your real nameservers: cp /etc/resolv.conf /etc/resolv.conf.tor
create new resolv.conf for your local applications: echo "nameserver 127.0.0.1" >/etc/resolv.conf
tell libttdnstor.so where to find resolv.conf for tor: export TTDNSD_REALRESOLVCONF=/etc/resolv.conf.tor
start ttdnsd: torify ttdnsd -b 127.0.0.1 -f /etc/ttdnsd.conf
start tor: LD_PRELOAD=FULLPATH_TO_libttdnstor.so.1 /usr/sbin/tor
PRIVACY
In order to improve its performance ttdnsd keeps the connection to the resolving nameserver open as long as possible, therefore forwarding all
DNS queries of that session to one nameserver. Because of this, somebody who can see all the traffic between the TOR exit node used for that particular
connection and the DNS server can monitor all DNS requests of that session.
Also, ttdnsd uses a different nameserver for each new connection, and since all connections go through TOR, a different exit node will be used for
each connection.
Still, if this is a problem for you, don't use ttdnsd!
SECURITY
ttdnsd uses chroot(2) and setuid/setgid to drop privileges to user nobody after binding to port 53.
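The bind-then-drop sequence this sentence describes, as an added Python example (ttdnsd itself is C; this is not its code): the privileged port is bound while still root, then the process chroots into the jail and changes to the unprivileged user, and finally checks that root cannot be regained before it starts serving. The jail path /var/run/ttdnsd and the user nobody are the page's values; the exact call order, the supplementary-group drop and the verification step are this example's choices.

```python
import os
import pwd
import socket


def running_as_root() -> bool:
    return os.geteuid() == 0


def bind_dns_socket(addr: str = "127.0.0.1", port: int = 53) -> socket.socket:
    """Bind the UDP listener first: port 53 is privileged, nothing after this needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((addr, port))
    return sock


def drop_privileges(user: str = "nobody", jail: str = "/var/run/ttdnsd") -> None:
    """Confine the process: chroot first, then give up groups, gid and uid in that order."""
    if not running_as_root():
        raise PermissionError("chroot(2) and setuid(2) to another user require root")
    pw = pwd.getpwnam(user)   # look the user up before chroot: /etc/passwd is outside the jail
    os.chroot(jail)
    os.chdir("/")             # a cwd left outside the jail is a classic chroot escape
    os.setgroups([])          # supplementary groups are not touched by setgid(2)
    os.setgid(pw.pw_gid)      # gid before uid: an unprivileged uid can no longer change gid
    os.setuid(pw.pw_uid)      # as root, setuid(2) sets real, effective and saved uid at once


def privileges_dropped() -> bool:
    """True only if the process is not root and cannot become root again."""
    if os.getuid() == 0 or os.geteuid() == 0:
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False              # setuid(0) succeeded: the saved uid was still root


if __name__ == "__main__":
    listener = bind_dns_socket()
    drop_privileges()
    if not privileges_dropped():
        raise SystemExit("refusing to serve: still privileged")
    print("listening on port 53 as uid", os.getuid(), "in jail", os.getcwd())
```

The verification matters because a drop that leaves the saved uid at 0 (for example, only changing the effective uid) looks unprivileged to a casual check but can be undone with one setuid(0) call; the listener socket created before the drop keeps working afterwards because the privilege check happens at bind(2) time, not per packet.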
DOWNLOAD
License is GPLv2
Version 0.2 (22. July 2007)
Version 0.1 (25. Jan. 2007)
CONTACT
TODO
- test more
- test more
- better documentation and howto
- init scripts that do everything for you
updated:
Wed Jun 2 23:10:14 CEST 2010