summaryrefslogtreecommitdiffstats
path: root/wiki/src/contribute/design/Tor_enforcement/DNS.mdwn
blob: 079910d2967a61f3437436cedfbfb6b2db3f6052 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Tor does not support UDP so we cannot simply redirect DNS queries to
the Tor transparent proxy.

Most DNS leaks are avoided by having the system resolver query
the Tor network using the `DNSPort` configured in
`torrc`.

There is a concern that any application could attempt to do its own
DNS resolution without using the system resolver; UDP datagrams are
therefore blocked in order to prevent leaks. Another solution may be
to use the Linux network filter to forward outgoing UDP datagrams to
the local DNS proxy.

Tails also forbids DNS queries to RFC1918 addresses; those might
indeed allow the system to learn the local network's public IP
address.

An exception to the above DNS configuration is the `clearnet` user
used to run the [[contribute/design/Unsafe_Browser]], which uses the
DNS server provided for DHCP for resolving.

`resolv.conf` is configured to point to the Tor DNS resolver, and <span
class="application">NetworkManager<span> and `dhclient` are configured
not to manage `resolv.conf` at all:

* [[!tails_gitweb config/chroot_local-includes/etc/resolv.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/conf.d/dns.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]