How to configure Tor on OpenWrt to only handle DNS lookups (and nothing else)?

Hi!

How do I configure Tor on OpenWrt to only handle DNS lookups (and nothing else) via the Tor network, often referred to as a Tor DNS transparent proxy? I found some outdated guides on the internet, or the simple guides just didn't work for me. I'm using OpenWrt 24.10.0-rc6 on a Bananapi BPI-R3.

Thanks

Can you provide a reference on what that is? AFAIK Tor DNS and a Tor transparent proxy are two different things.

Why not simply use https-dns-proxy to encrypt your DNS traffic?

Sure, this means that your router will route DNS queries through Tor, but other traffic (TCP/UDP web traffic, gaming, etc.) will not be forced through Tor.

You can set DNSPort 1234 in torrc and then configure your dnsmasq to forward to 127.0.0.1:1234

I'm afraid though this may create security problems if you happen to hit an untrusted exit node.

Because my ISP uses some kind of transparent proxy that I couldn't bypass with any of these: DoH, DoT, DNSCrypt, ODoH. On my phone (same ISP) I can use Orbot + Rethink to redirect all DNS lookups through Tor. Any other way shows me the same IPs on dnsleaktest.com (hosted-by.i3d.net; all I know is that this is a service closely connected to Ubisoft).

I successfully set DNSPort 1234 in torrc. When I ran netstat -nlp | grep 9053, I saw it was running. Also, I added this to /etc/config/dhcp:

config dnsmasq
    option noresolv '1'
    list server '127.0.0.1#1234'

I restarted the tor and dnsmasq services, but it's not enough, I think. Also, I get this message when I restart dnsmasq:

> udhcpc: started, v1.36.1
> udhcpc: broadcasting discover
> udhcpc: no lease, failing

After some minutes, I end up with no internet connection. Any ideas, or any ideas on how to bypass i3D.net?

udhcpc <> dnsmasq

I ignored this because it fails even without me changing any settings. But these lines appear when I run service dnsmasq restart.

DNS over Tor only works for me if all traffic is routed through the Tor client.

A quick test shows that Tor responds to DNS requests with addresses in the VirtualAddrNetwork range, so it seems you can't use it the way you want.

[root@centos9 ~]# nslookup -port=9053 google.com 192.168.92.14
Server:         192.168.92.14
Address:        192.168.92.14#9053

Non-authoritative answer:
Name:   google.com
Address: 172.31.35.33
Name:   google.com
Address: fc84:6772:ef3a:2aa7:c599:1bb4:67f7:c40f

[root@centos9 ~]# nslookup -port=9053 yahoo.com 192.168.92.14
Server:         192.168.92.14
Address:        192.168.92.14#9053

Non-authoritative answer:
Name:   yahoo.com
Address: 172.17.193.180
Name:   yahoo.com
Address: fc9c:c5e1:74ce:7433:72c5:8269:d43b:bb2d

...But now it works, thank you for your answer.
...I wrote some content into /etc/tor/custom (but only two lines are enough):

# These lines are not needed
# AutomapHostsOnResolve 1
# AutomapHostsSuffixes .
# VirtualAddrNetworkIPv4 172.16.0.0/12
# VirtualAddrNetworkIPv6 [fc00::]/8

# DNSPort only (no TransPort)
DNSPort 0.0.0.0:9053
DNSPort [::]:9053
# (Optional) Logging:
Log notice file /var/log/tor/notices.log

...added this line to /etc/sysupgrade.conf :
/etc/tor

...then, run these commands:

uci del_list tor.conf.tail_include="/etc/tor/custom"
uci add_list tor.conf.tail_include="/etc/tor/custom"
uci commit tor
service tor restart
# Stop dnsmasq while we set options
service dnsmasq stop
# Instruct dnsmasq not to use system resolv.conf
uci set dhcp.@dnsmasq[0].noresolv="1"
# Disabling rebind_protection can help with .onion or unusual hostnames
uci set dhcp.@dnsmasq[0].rebind_protection="0"
# Clear any existing server lines
uci -q delete dhcp.@dnsmasq[0].server
# Add Tor as upstream DNS (port 9053)
uci add_list dhcp.@dnsmasq[0].server="127.0.0.1#9053"
uci add_list dhcp.@dnsmasq[0].server="::1#9053"
uci add_list dhcp.@dnsmasq[0].server="/lan/192.168.1.1"
uci add_list dhcp.@dnsmasq[0].server="/168.192.in-addr.arpa/192.168.1.1"
uci commit dhcp
service dnsmasq start

...and lastly checked that everything works fine:

root@OpenWrt:~# nslookup -port=9053 google.com 192.168.1.1
Server:		192.168.1.1
Address:	192.168.1.1:9053

Non-authoritative answer:
Name:	google.com
Address: 142.251.39.110

Non-authoritative answer:
Name:	google.com
Address: 2a00:1450:400e:811::200e

root@OpenWrt:~# nslookup -port=9053 yahoo.com 192.168.1.1
Server:		192.168.1.1
Address:	192.168.1.1:9053

Non-authoritative answer:
Name:	yahoo.com
Address: 2001:4998:124:1507::f000

Non-authoritative answer:
Name:	yahoo.com
Address: 74.6.231.21

I've tested with dnsleaktest.com and finally everything works now.
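The two nslookup transcripts in this thread show the failure mode and the fix side by side: with AutomapHostsOnResolve active, Tor hands back placeholder addresses from the VirtualAddrNetwork ranges (172.31.x.x, fc84:...), which only make sense when a TransPort intercepts the follow-up connection; with DNSPort alone, the answers are the real routable addresses. The script below is an added example for this thread, not code from the original posts or from the OpenWrt tor package. It classifies nslookup output as "real", "virtual" or "none" so you can confirm the DNSPort-only state after restarting tor, and it covers both the earlier automap transcript and the final working one. It assumes the values used in the last post (router LAN address 192.168.1.1, DNSPort 9053, the 172.16.0.0/12 and [fc00::]/8 automap ranges); change the two variables at the top if yours differ. It is written for busybox ash, so it sticks to POSIX sh.

```shell
#!/bin/sh
# check_tor_dns.sh
# Added example for this thread (not from the original posts or the OpenWrt
# tor package). Tells apart Tor answering with VirtualAddrNetwork placeholders
# (AutomapHostsOnResolve still active) from Tor returning real addresses with
# a DNSPort-only configuration.
#
# Assumptions, not stated in the thread as requirements: the router's LAN
# address is 192.168.1.1, DNSPort is 9053, and the automap ranges are the ones
# in the commented-out /etc/tor/custom lines (172.16.0.0/12 and [fc00::]/8).

TOR_DNS_HOST="${TOR_DNS_HOST:-192.168.1.1}"
TOR_DNS_PORT="${TOR_DNS_PORT:-9053}"

# is_virtual_addr ADDR
# Succeeds when ADDR is an automap placeholder. Such answers only work if a
# TransPort intercepts the follow-up connection; in a DNS-only setup the
# client would try to connect to an address that routes nowhere.
is_virtual_addr() {
    case "$1" in
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;   # 172.16.0.0/12
        [fF][cC][0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;          # fc00::/8
        *) return 1 ;;
    esac
}

# classify_answers < nslookup-output
# Reads busybox/BIND-style nslookup output on stdin and prints one word:
#   real     every answer is a routable address
#   virtual  at least one answer falls in a VirtualAddrNetwork range
#   none     no answer records at all (port closed, Tor not bootstrapped, ...)
classify_answers() {
    found=0
    virtual=0
    while IFS= read -r line; do
        case "$line" in
            Address:*) ;;
            *) continue ;;
        esac
        # strip the label and surrounding whitespace
        addr=$(printf '%s' "${line#Address:}" | tr -d ' \t')
        # The first Address: line names the server (host#port or host:port).
        # IPv6 answers contain colons too, so only skip the IPv4:port form.
        case "$addr" in
            *#*|*.*.*.*:*) continue ;;
        esac
        found=1
        if is_virtual_addr "$addr"; then
            virtual=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo none
    elif [ "$virtual" -eq 1 ]; then
        echo virtual
    else
        echo real
    fi
}

# check_live NAME
# Queries the router's DNSPort directly, as done in the thread, and classifies
# the answer. Only useful on the router itself or a LAN host.
check_live() {
    nslookup -port="$TOR_DNS_PORT" "${1:-google.com}" "$TOR_DNS_HOST" 2>/dev/null \
        | classify_answers
}

# Constructed sample input: the two nslookup transcripts quoted in the thread,
# one from the automap setup and one from the working DNSPort-only setup.
SAMPLE_AUTOMAP='Server:         192.168.92.14
Address:        192.168.92.14#9053

Non-authoritative answer:
Name:   google.com
Address: 172.31.35.33
Name:   google.com
Address: fc84:6772:ef3a:2aa7:c599:1bb4:67f7:c40f'

SAMPLE_REAL='Server:         192.168.1.1
Address:        192.168.1.1:9053

Non-authoritative answer:
Name:   google.com
Address: 142.251.39.110

Non-authoritative answer:
Name:   google.com
Address: 2a00:1450:400e:811::200e'

# Offline demo by default; pass "live" as the first argument on the router
# (optionally followed by a hostname) to query Tor's DNSPort for real.
if [ "${1:-}" = "live" ]; then
    check_live "${2:-google.com}"
else
    printf 'automap transcript: %s\n' "$(printf '%s\n' "$SAMPLE_AUTOMAP" | classify_answers)"
    printf 'dnsport transcript: %s\n' "$(printf '%s\n' "$SAMPLE_REAL" | classify_answers)"
fi
```

Run it with `sh check_tor_dns.sh live` on the router after `service tor restart`; "virtual" means an AutomapHostsOnResolve line is still being read from some included file, "none" usually means Tor has not finished bootstrapping yet or the DNSPort is not listening (check `netstat -nlp | grep 9053` as in the thread). One caveat worth keeping in mind with `DNSPort 0.0.0.0:9053`: that binds on every interface, so the resolver is only LAN-only because OpenWrt's default firewall rejects unsolicited input on the wan zone; if that zone policy has been relaxed, bind to 127.0.0.1 and the LAN address instead, or add an explicit firewall rule for the port.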
