MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt

HulaHoop via Whonix Forum:

> I mean connecting to a DNS server over Tor rather than asking the exit to broker the request on its behalf.

Use DNSCrypt.

> probability of running into an exit with TCP 53 permitted is low.

Why is that?

> probability of running into an exit with TCP 53 permitted is low.

Doesn’t Tor pick an exit relay depending on which one supports the port the Tor client wants to use?

> Then we would need to redirect the DNS queries to their server with socat or systemd but in a way compatible with how Whonix works.

Sounds like:

Use DNSCrypt.

> The best option we have is to use their Tor DNS code with the servers their package supports and somehow wrap it around just dino-im.

When taking their code the outcome could be:

  • application specific code for dino-im (or similar)
  • a standalone command line tool similar to tor-resolve. I.e. tool-to-resolve-dns-from-command-line domain-name outputs an IP address. - Not too helpful since iptables cannot redirect to a command line tool. For that, we’d need a tool that provides a listener.

What’s not easy:

[1] Redirecting DNS (or any) traffic to such code. For that, a listener port which accepts traffic similar to Tor’s DnsPort would be required. Non-trivial.

But, if we want [1], that sounds like:

Use DNSCrypt.

While lnd’s approach is interesting, I don’t see any reason to cling to their code when there is DNSCrypt, which has been packaged in Debian for years and which can do [1].

DNSCrypt:

  • is Open Source,
  • supports TCP and can use outgoing port 443, therefore works over Tor,
  • supports DNSSEC,
  • encrypts communications between client and DNS server, therefore Tor exit relays cannot forge the DNS requests,
  • has been packaged in Debian for years,
  • was tested and documented in Whonix years ago, although the documentation needs a revision.

DNSCrypt documentation: Already added some guesses. Was written when installed from source (complicated). Nowadays sudo apt install dnscrypt-proxy could suffice.

I could be wrong about some things about DNSCrypt and I’m happy to be corrected, but for now it looks like it is doing all that is required.

Therefore, I’d suggest:

Step 1) get DNSCrypt working in a separate Whonix-Workstation as global (fallback, system default networking) DNS.

Step 2) try specific use case (dino-im)

Step 3) use a Linux user account or Linux network namespaces (preferably) (similar to orjail: GitHub - orjail/orjail: a more secure way to force programs to exclusively use tor network; Managing programs without Tor DNS Support / orjail) so it only applies to dino-im and not globally.

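The three steps above, sketched as a script. This is an added example and not code from the forum post, from Whonix or from the DNSCrypt project. It targets dnscrypt-proxy 2.x as packaged in Debian, whose `force_tcp`, `proxy` and `require_dnssec` settings exist; everything else is an assumption: that the Whonix-Gateway's Tor SocksPort is reachable from the Workstation at 10.152.152.10:9050, that the dino-im binary is /usr/bin/dino-im, that the veth addresses 10.200.1.1/10.200.1.2 are free, and that the Workstation firewall tolerates the MASQUERADE rule. It has not been tested on Whonix.

```shell
#!/bin/sh
# Added example, not from the forum post or the Whonix/DNSCrypt projects.
# Step 1 (dnscrypt-proxy over Tor only) and step 3 (confine dino-im to a
# network namespace whose only resolver is dnscrypt-proxy).
# Assumptions, not from the page: Whonix-Gateway Tor SocksPort at
# 10.152.152.10:9050, binary /usr/bin/dino-im, veth addresses 10.200.1.x.
set -eu

# Step 1: read the packaged /etc/dnscrypt-proxy/dnscrypt-proxy.toml on stdin
# and emit a copy that can only work over Tor: upstream queries are forced to
# TCP (Tor carries no UDP), sent through the SOCKS port, and DNSSEC is
# required.  TOML top-level keys must precede any [table], so the overrides
# are printed first and any existing assignment of the same key is dropped.
harden_dnscrypt_toml() {
  socks="$1"   # e.g. socks5://10.152.152.10:9050
  listen="$2"  # address dnscrypt-proxy listens on, e.g. 127.0.0.1:53
  awk -v socks="$socks" -v listen="$listen" -v q="'" '
    BEGIN {
      print "listen_addresses = [" q listen q "]"
      print "force_tcp = true"
      print "proxy = " q socks q
      print "require_dnssec = true"
      print "ipv6_servers = false"
    }
    /^[ \t]*(listen_addresses|force_tcp|proxy|require_dnssec|ipv6_servers)[ \t]*=/ { next }
    { print }'
}

# Step 3: a network namespace for dino-im.  Inside it /etc/resolv.conf points
# at the dnscrypt-proxy listener on the host side of a veth pair, and a DNAT
# rule also catches resolvers the application might hard-code.  All other
# traffic is masqueraded out of the main namespace, i.e. through the
# Workstation's usual Tor-routed interface.  Needs root.
NS=dino
HOST_IP=10.200.1.1   # dnscrypt-proxy must listen here: harden_dnscrypt_toml ... "$HOST_IP:53"
NS_IP=10.200.1.2

setup_dino_netns() {
  ip netns add "$NS"
  ip link add "veth-$NS" type veth peer name veth0 netns "$NS"
  ip addr add "$HOST_IP/24" dev "veth-$NS"
  ip link set "veth-$NS" up
  ip netns exec "$NS" ip addr add "$NS_IP/24" dev veth0
  ip netns exec "$NS" ip link set veth0 up
  ip netns exec "$NS" ip link set lo up
  ip netns exec "$NS" ip route add default via "$HOST_IP"
  # ip netns exec bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf
  mkdir -p "/etc/netns/$NS"
  printf 'nameserver %s\n' "$HOST_IP" > "/etc/netns/$NS/resolv.conf"
  # Any DNS the application sends elsewhere is rewritten to the listener.
  for proto in udp tcp; do
    ip netns exec "$NS" iptables -t nat -A OUTPUT -p "$proto" --dport 53 \
      ! -d "$HOST_IP" -j DNAT --to-destination "$HOST_IP:53"
  done
  sysctl -qw net.ipv4.ip_forward=1
  iptables -t nat -A POSTROUTING -s "$NS_IP/32" -j MASQUERADE
}

run_dino_in_netns() {
  # Drop back to the desktop user; $1 is the login name (assumed "user").
  ip netns exec "$NS" runuser -u "${1:-user}" -- /usr/bin/dino-im
}

case "${1:-}" in
  render) harden_dnscrypt_toml socks5://10.152.152.10:9050 "$HOST_IP:53" \
            < /etc/dnscrypt-proxy/dnscrypt-proxy.toml ;;
  netns)  setup_dino_netns ;;
  run)    run_dino_in_netns "${2:-user}" ;;
esac
```

Usage would be `render` to produce the hardened config (write it back and restart dnscrypt-proxy), then `netns` once, then `run`. Step 2 is simply running dino-im while the hardened dnscrypt-proxy is the system resolver; the namespace in step 3 is what stops the setting from being global.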