I have found that relying on a single tor DNSPort for all DNS queries (1) sometimes fails (presumably when the circuit is renegotiating) and (2) can be a big bottleneck when doing lots of lookups.
I got much better performance/reliability by using dnsmasq to answer queries and proxying the requests out to several tor DNSPorts bound to localhost as upstream DNS servers, like so:
/etc/tor/torrc
/etc/dnsmasq.conf
Aside from just having more bandwidth/load balancing/failover that you naturally get from having more than 1 place to send data, I suspect that dnsmasq responds more efficiently than using iptables redirection.
I guess the thing I'm not sure about is if doing this meaningfully increases attack surface or not? I get that it is exposing code to the network that doesn't have to be exposed, which is definitionally increasing attack surface and which generally doesn't ever make things more secure.
However, dnsmasq provides a lot more fine-grained control over how/if DNS requests are answered, which would potentially be a more helpful mitigation if the console is compromised than having iptables pass everything on port 53 to tor's DNSPort, which may or may not handle unexpected input as elegantly as dnsmasq does. Also, this removes iptables from anything DNS related, so there's that too.
Automapping to .onions also works fine using this method.
Thoughts?
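One way to wire this up, as an added example that is not the issue author's configuration (the contents of the two files did not survive in the issue text): a shell script that writes a torrc with three DNSPorts and a dnsmasq.conf that forwards only to them, plus a helper that probes each DNSPort directly so a stalled listener can be spotted. The port numbers, the automap range and the probe helper are assumptions.

```shell
# Added example (not from the issue): torrc + dnsmasq.conf pair that fans DNS
# out over three tor DNSPorts. Assumed: ports 5353-5355, 10.192.0.0/10 automap range.
set -eu

# write_configs DIR: writes DIR/torrc and DIR/dnsmasq.conf
write_configs() {
    cat >"$1/torrc" <<'EOF'
# One DNSPort per upstream; separate listeners are isolated from each other by
# default, so a circuit stalling on one listener does not stall the others.
DNSPort 127.0.0.1:5353
DNSPort 127.0.0.1:5354
DNSPort 127.0.0.1:5355
# Synthesise an address from VirtualAddrNetworkIPv4 for .onion lookups.
AutomapHostsOnResolve 1
AutomapHostsSuffixes .onion
VirtualAddrNetworkIPv4 10.192.0.0/10
EOF
    cat >"$1/dnsmasq.conf" <<'EOF'
# Loopback only, and never read /etc/resolv.conf: no query can bypass tor.
listen-address=127.0.0.1
bind-interfaces
no-resolv
no-poll
domain-needed
# Upstreams are the tor DNSPorts; all-servers queries them in parallel and
# keeps the first answer (the failover/load balancing the issue describes).
server=127.0.0.1#5353
server=127.0.0.1#5354
server=127.0.0.1#5355
all-servers
# Reject private-range answers (rebinding defence) but exempt .onion, since
# tor's automapped addresses come from a private range.
stop-dns-rebind
rebind-domain-ok=/onion/
EOF
}

# upstream_ports FILE: print the port of each server= line in FILE
upstream_ports() {
    sed -n 's/^server=127\.0\.0\.1#\([0-9]*\)$/\1/p' "$1"
}

# probe_upstreams FILE NAME: resolve NAME via each DNSPort directly (needs dig)
probe_upstreams() {
    for p in $(upstream_ports "$1"); do
        printf '%s: ' "$p"
        dig +short +time=3 +tries=1 -p "$p" @127.0.0.1 "$2" || echo FAIL
    done
}
```

Run `probe_upstreams /etc/dnsmasq.conf example.com` after both daemons are up; any port printing FAIL is a listener dnsmasq will be routing around.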