mirror of
https://github.com/pi-hole/pi-hole
synced 2025-02-22 13:02:02 +00:00
Created DNS over Tor (markdown)
parent
5cfa04fcb2
commit
a0fb3f0497
218
DNS-over-Tor.md
Normal file
@ -0,0 +1,218 @@
## ⚠️ Please [READ THIS](#bad-relays-phishing-scam) to understand why DNS over Tor might be a bad idea after all!
***
If you want to protect your - unencrypted by default - DNS requests from easily being collected by your ISP or another Adversary between you and your DNS server, you can easily setup pihole to use [Tor](https://www.torproject.org) for hostname resolving. Using DNS over Tor anonymizes your IP by using [Onion-Routing](https://en.wikipedia.org/wiki/Onion_routing).
### ⚠️ Attention
Please be aware that **your ISP or an Adversary still can collect what Websites you visit by capturing HTTP (plaintext) or HTTPS ([SNI](https://en.wikipedia.org/wiki/Server_Name_Indication)) packets or by trying to [reverse lookup](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) or [whois](https://en.wikipedia.org/wiki/WHOIS) the IPs you're connecting to**. To avoid that you might want to consider to additionally [route your Browser traffic over Tor](#route-browser-traffic-over-tor).
Also keep in mind that even Tor can't provide 100% anonymity, for example [correlation](https://www.extremetech.com/extreme/211169-mit-researchers-figure-out-how-to-break-tor-anonymity-without-cracking-encryption) [attacks](https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/) are possible. Although it's almost impossible to execute such an attack for e.g. your ISP or a random service on the internet - you might need to [change some of your habits](https://www.torproject.org/download/download.html.en#warning) to get the most out of Tor.
# Setup
Should work on most recent Debian derivatives (raspbian, Ubuntu). Alternatively you can follow a Tor Installation Guide for your Host System.
```
sudo apt install tor
```
Edit `/etc/tor/torrc` as root, include the following line at the end and save the changes
```
DNSPort 127.0.10.1:53
```
Restart Tor
```
sudo service tor restart
```
Change your pihole upstream DNS server to use `127.0.10.1` in the pihole WebGUI (Settings) under "Upstream DNS Servers" and click "Save".
**Note:** It's currently not possible to change the Upstream DNS Server directly in the `/etc/pihole/setupVars.conf` file, the pihole DNS Server won't pick up the change.
If you want a recognizable hostname for the Tor DNS in your pihole GUI statistics, edit `/etc/hosts` as root, include the following line at the end and save the changes
```
127.0.10.1 tor.dns.local
```
Restart pihole DNS Server for the `/etc/hosts` changes to take effect
```
sudo pihole restartdns
```
That's it.
## Make sure it works
To see which DNS servers you're using, you can use a DNS Server Leak Test. Some of them don't work with DNS over Tor, [this one](https://dns-leak.com/) does work tho. It should show random DNS Servers. Tor rotates the circuit approximately every 10minutes in default configuration - so it might take 10minutes for you to see a new set of random DNS servers in the Leak Test.
You can also check the "Forward Destinations over Time" Graph (enabled per default) in your pihole WebGUI - the latest Forward Destinations should only include "local" and "tor.dns.local" (if you updated the `/etc/hosts` file).
To absolutely make sure that you always use the pihole as DNS Server and to make sure that it handles IPv4 and/or IPv6 blocking if you configured it to do so, you should check which DNS Servers your client is using: `nmcli device show <interface> | grep .DNS` (Linux) or `ipconfig /all` (Windows, and look for **DNS Servers** on your **LAN Adapter**). You should then issue a IPv4 (A) and/or IPv6 (AAAA) DNS query to every IPv4 and/or IPv6 DNS Server that shows up:
`dig @<IPv4/6-dns-server-address> api.mixpanel.com <A/AAAA>` (Linux) or `nslookup -server=<IPv4/6-dns-server-address> -q=<A/AAAA> api.mixpanel.com` (Windows) - that should give you the pihole IPv4 and/or IPv6 address as Answer and show up as "Pi-holed" in the WebGUI Query Log (assuming you have the default blocklist, otherwise replace `api.mixpanel.com` by any domain on your blocklist). If any of the queries doesn't show up in the Query Log you should make sure to configure your pihole/network setup properly ([this thread might help](https://www.reddit.com/r/pihole/comments/7e0jg9/dns_over_tor/dq4kkvg/)).
***
# Route Browser Traffic over Tor
To enhance your privacy you might want to route all or part of your Browser Traffic over Tor.
## Tor Browser
The easiest and most reliable solution would be to use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en). Though that won't use your pihole DNS Server out of the box. You can however disable `Proxy DNS when using SOCKS v5` in Tor Browsers Preferences -> Advanced -> Network -> Settings and [make sure](#make-sure-it-works) to point your system to use pihole with DNS over Tor activated.
## Your Browser
Edit `/etc/tor/torrc` on your pihole as root, include the following line at the end and save the changes
```
SocksPort 0.0.0.0:9050
```
**Note:** You should make sure that only your LAN devices are able to access your pihole on port 9050.
Restart Tor
```
sudo service tor restart
```
Point your browser to use your pihole IP or Hostname (e.g. `pi.hole`) and `Port 9050` as Socks5 Proxy. Do not enable `Proxy DNS when using SOCKS v5` and [make sure](#make-sure-it-works) to point your system to use pihole with DNS over Tor activated
* For Chrome you can either use e.g. the [Proxy SwitchyOmega Extension](https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif) or start Chrome with [command-line parameters](https://www.chromium.org/developers/design-documents/network-stack/socks-proxy).
* For Firefox you can either use e.g. the [FoxyProxy Add-on](https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/) or configure the Socks5 Proxy directly in the Firefox Preferences.
If you use a Proxy Add-on/Extension you can also e.g. route everything per default over Tor and only whitelist some sites that you need to perform really good.
## Access .onion addresses
If you want to access .onion addresses with this kind of setup you have to activate [Transparent Access to Tor Hidden Services](https://www.grepular.com/Transparent_Access_to_Tor_Hidden_Services) on the pihole host.
***
# Notes
## General
* Don't define other regular Upstream DNS Servers than the Tor one if you want to avoid that your pihole makes plaintext DNS requests.
* From the [Tor Manual](https://www.torproject.org/docs/tor-manual.html.en) regarding `DNSPort`:
```
This port only handles A, AAAA, and PTR requests
```
## Bad Relays, Phishing, Scam
* Tor has the concept of [Bad Relays](https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays) and tries to avoid that Tor Relays become Bad Exit Nodes (which are a form of Relay) by monitoring their behavior before declaring them as Exit Node. But it still can happen and since anyone can run a Tor Relay as Exit Node on the Tor Network, this means that an Exit Node owner could fake the answer to a DNS request and redirect you to a malicious website/IP. If you're in a recent Browser and only visit encrypted (HTTPS) sites, that isn't too bad, since the Browser would warn you with an invalid certificate warning (unless someone would hack a [Certificate authority](https://en.wikipedia.org/wiki/Certificate_authority) or get a CA to issue a certificate without validation - which is both [highly unlikely](https://www.reddit.com/r/TOR/comments/5b416x/malicious_tor_exit_node_can_provide_fakephishing/d9lskni/)). But other apps on your network that resolve DNS queries via DNS over Tor might either communicate unencrypted or don't validate certificates properly. Such apps could get malicious data injected and/or phish your data without your knowledge.
**So, ideally, only use DNS over Tor if you know for a fact that the apps in your network communicate over a secure connection and properly validate certificates.**
That being said, if you use DNS over Tor in the default configuration (meaning no custom `ExitNodes` in the torrc), this kind of attack requires a big portion of luck for the attacker (owner of a Bad Exit Node), because you would have to get a circuit routing over the Bad Exit Node in the same moment when using an insecure app (Tor switches the circuit at least every 10minutes in the default configuration). On top of that an attacker must first find an app that has this kind of vulnerability and has valuable data or attack vectors. This is unlikely since most apps out there that handle sensitive data at least communicate over encrypted connections that validate certificates based on system or manual root certs.
To lower the chances of Bad Exit Nodes you could restrict `ExitNodes` to trusted ones ([country](#solution-1---only-use-exit-nodes-from-specific-countries) and/or [specific](#solution-2---only-use-specific-exit-nodes)). Choosing specific Exit Nodes would basically be the same as e.g. trusting specific [DNSCrypt resolvers](#alternatives) or [Alternative DNS Servers](https://wikileaks.org/wiki/Alternative_DNS). They might be good, they might be bad, you can't know for sure (unless the DNS answers are [DNSSEC](#dnssec) signed - but that's most likely not the case for the kinds of app that might get affected by this).
So in the end it boils down to:
* Encrypt your DNS traffic using Tor so your ISP can't collect it (but still is able to [collect what Websites/IPs you visit](#%EF%B8%8F-attention-%EF%B8%8F) unless you route that traffic also over Tor) and the DNS Server won't see your real IP for the price of maybe getting a Bad Exit Node that fakes answers to DNS queries.
or
* Use [DNSCrypt](#alternatives) so your ISP can't collect DNS traffic (but still can collect the websites/IPs you visit unless you route that traffic over Tor), but you have to accept that the DNSCrypt resolver you've chosen might store your DNS queries together with your IP (unless you [modify DNSCrypt to route over Tor](https://github.com/jedisct1/dnscrypt-proxy/issues/399#issuecomment-214329222)) and could also turn out to send faked answers to DNS queries. I guess you would call that a Bad DNSCrypt resolver then.
or
* Use an unencrypted alternative DNS server (there are a lot of lists out there). In this case your ISP easily can record your DNS traffic *and* the alternative DNS server can store your DNS queries together with your IP. On top of that your ISP or the alternative DNS could also fake the answer to the DNS queries. That would be a Bad Alternative DNS Server then.
or
* Use your ISP DNS server. In this case your ISP gets your DNS traffic for free. On top of that the ISP could also fake answers to DNS queries. Bad ISP DNS Server.
The bottom line is that you have to weigh up who you trust the most and which risks you are willing to take.
## Performance, Reliability and Timeouts
* You're constantly using new DNS Servers that are located all over the world, so it might happen that sometimes hostname resolving is slow or might not work at all for certain domains. In this cases you have to wait some minutes until you switch to another Tor circuit or configure Tor to accept control connections and send a command that tells Tor to [switch circuits immediately](https://superuser.com/a/139018). Since I've been using DNS over Tor this was rarely necessary for me but YMMV.
You could set `ExitNodes` in your torrc to a specific set of Exit nodes that are reliable for you or use only Exit nodes in a [specific country](http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes/) (on Debian derivatives you need to have the `tor-geoipdb` package installed for that to work) and thus avoid problems with DNS lookups to some extend. But keep in mind that this approach increases the correlation attack vulnerability if you only have a small amount of `ExitNodes` set or your selected country/s has/have few Exit nodes. If your goal is only to slightly increase security and maintain performance and reliability, this approach might be for you. It is not recommended.
### Ok, but please just tell me how to avoid timeouts
* So you've read about [Performance, Reliability and Timeouts](#performance-reliability-and-timeouts) and just want a quick solution. Not recommended, but here you go:
#### Solution 1 - Only use Exit Nodes from specific countries
* Install the necessary geoip db for Tor to use, on Debian derivatives (raspbian, Ubuntu) that means
```
sudo apt install tor-geoipdb
```
Pick the Country Codes you want to use as ExitNodes from the "List of country codes for Tor" list on [this page](http://www.b3rn3d.com/blog/2014/03/05/tor-country-codes/).
Edit `/etc/tor/torrc` as root and, add the following lines to the end and replace `CountryCodeN` (keep the `{` and `}`) with the country code you've chosen (you can also use only one country code, in this case it would be just on `{CountryCode1}` without a comma).
```
ExitNodes {CountryCode1},{CountryCode2},{CountryCode3}
StrictNodes 1
```
Save the changes.
Restart Tor
```
sudo service tor restart
```
**Note:** Using this approach you put strain on Tor Relays in the selected countries only and increase your security vulnerability. It's not nice and not recommended. Also be aware that this change also affects which Exit Nodes are used if you [Route Your Browser Traffic](#your-browser) over the pihole host Tor SocksPort.
#### Solution 2 - Only use specific Exit Nodes
* Navigate to [atlas.torproject.org Top Relays](https://atlas.torproject.org/#toprelays). Click on two Relays out of the list. Make sure the relay allows Port `53` in his `IPv4 Exit Policy Summary` (and/or `IPv6 Exit Policy Summary` if you want to resolve IPv6 AAAA queries). As root copy the `Fingerprint` (Top Right under Relay Details) of those two Relays to the end of your `/etc/tor/torrc` file on the pihole host in the following format:
```
ExitNodes Fingerprint1,Fingerprint2
StrictNodes 1
```
Save the changes.
Restart Tor
```
sudo service tor restart
```
If DNS requests stop resolving at all, you might need to repeat this procedure because the Relays you chosen might've went down.
**Note:** Using this approach you put strain on single Tor Relays and increase your security vulnerability. It's not nice and not recommended. Also be aware that this change also affects which Exit Nodes are used if you [Route Your Browser Traffic](#your-browser) over the pihole host Tor SocksPort.
**Hint:** You can combine both Solutions and have country codes and fingerprints as `ExitNodes`.
## IPv6
* DNS over Tor only partially supports IPv6 as of now. This is only a problem if your Router or your ISP don't support IPv4 or you want only IPv6 traffic for another reason - if you have both IPv4 and IPv6 available and you don't plan to visit a IPv6 only service, this is no problem at all.
In general, [if you made sure that you configured your pihole to support IPv6](https://www.reddit.com/r/pihole/comments/7e0jg9/dns_over_tor/dq4wbry/), resolving IPv6 addresses will sometimes work and sometimes not. The reason for this is that Tor Exit nodes only resolve IPv6 queries if they have `IPv6Exit 1` set in their configuration. Tor is [working on a fix](https://trac.torproject.org/projects/tor/ticket/21311) for that - but until that is done and the Tor exit nodes switched to the fixed version, you will run into situations where IPv6 addresses aren't resolvable despite being available in the responsible nameserver. To check whether your current Exit node resolves IPv6 correctly you can run `dig example.com aaaa` (Linux) or `nslookup -q=aaaa example.com` (Windows) on your client.
So if you're dependent on IPv6 and can't use IPv4 at all, your only chance is to configure `ExitNodes` in your torrc to only point to Exit nodes that resolve IPv6 correctly. But keep in mind that this approach increases the correlation attack vulnerability if you only have a small amount of `ExitNodes` set.
Also you can't (afaik) change the internal IPv4 Tor DNS address on the pihole host to an IPv6 one since `DNSPort` doesn't support that - so you need at least internal IPv4 on your pihole host, which is the default on most host systems.
## Exit node fingerprints
* To get the fingerprint of your current Exit node, you can configure `SocksPort 0.0.0.0:9050` in your torrc, restart tor, point your Browser to use your piholes IP and port 9050 as Socks5 proxy, visit e.g. [check.torproject.org](https://check.torproject.org/) to get your Exit Node IP, search for that IP on [atlas.torproject.org](https://atlas.torproject.org), click on one of the results and it will show the Fingerprint top right under details. These fingerprints can be set as comma separated value for `ExitNodes`. Don't forget to remove the `SocksPort` option and restart tor if you don't need it anymore. Also it should be noted that the Exit node you get over `SocksPort` is not necessarily the same as the one you get when issuing DNS requests over the `DNSPort`, since Tor internally keeps multiple circuits open. Again, setting `ExitNodes` manually is not recommended.
## DNSSEC
* A lot of the Exit Nodes configure their DNS Server to support DNSSEC. You can [test here](https://dnssec.vs.uni-due.de/) whether DNSSEC is enabled for your current DNS Servers.
If you want to test again by refreshing the site, please be aware of the notes on the site:
```
To re-run the above test, you also need to:
Flush the DNS cache of your OS (Windows: ipconfig /flushdns)
Restart browser or clear browser cache
```
Flushing Browser/DNS Cache here means restarting pihole (DNS Server), restarting the browser and ideally opening the site in private/incognito mode.
## Alternatives
* An alternative would be using [DNSCrypt](https://github.com/pi-hole/pi-hole/wiki/DNSCrypt), but this leaves you in a position where you have to trust the [DNSCrypt resolver](https://dnscrypt.org/dnscrypt-resolvers.html) since your IP is not anonymized - [unless you configure DNSCrypt to route over Tor](https://github.com/jedisct1/dnscrypt-proxy/issues/399#issuecomment-214329222).
## Contribute to the Tor project
* If you got spare resources consider [running a Tor Relay](https://www.torproject.org/docs/tor-doc-relay.html.en) (or [Exit](https://blog.torproject.org/tips-running-exit-node)) Node to contribute back to the Tor Network. The default installation doesn't do either of these. And/Or consider [donating](https://donate.torproject.org).
\ No newline at end of file
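Review bot: `SocksPort 0.0.0.0:9050` in the "Your Browser" section binds the SOCKS proxy on every interface of the pihole host, and the Note that follows only tells the reader to "make sure" that just LAN devices can reach port 9050 without saying how; suggest binding to the host's LAN address instead (e.g. `SocksPort <pihole-LAN-IP>:9050`, placeholder) and/or stating a firewall rule, because an exposed SOCKS port lets anyone who can reach it relay arbitrary traffic through this host's Tor client. Two smaller points: the Windows command in "Make sure it works" is written as `nslookup -server=<IPv4/6-dns-server-address> -q=<A/AAAA> api.mixpanel.com`, but Windows nslookup takes the server as a trailing positional argument (`nslookup -q=<A/AAAA> api.mixpanel.com <IPv4/6-dns-server-address>`), so as written the query goes to the default resolver and the per-server check the section describes does not happen; and the DNSSEC section should say that, since (as the Notes quote from the Tor manual) `DNSPort` only handles A, AAAA and PTR requests, no DNSKEY/DS/RRSIG records reach Pi-hole and its own DNSSEC validation cannot work with this upstream, so the linked test only reports what the exit's resolver does.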