
When I am using Tor, and not using the Tor bundle, there is a possibility of DNS leaks in certain situations.

What can be done to minimize it? Is it possible to resolve DNS via Tor?

Rui F Ribeiro

2 Answers


To minimize DNS leaks, it is indeed possible to resolve DNS via Tor.

For that, add to your /etc/tor/torrc the line:

DNSPort 9053

And restart the tor service with:

service tor restart

To test it out, do:

$ nslookup
> set port=9053
> server 127.0.0.1
> www.cnn.com

If using resolvconf/dnsmasq, change your /etc/dnsmasq.conf:

no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1

If simply using /etc/resolv.conf that is not changed by a DHCP configuration, change /etc/resolv.conf to:

nameserver 127.0.0.1#9053

or in BIND place in /etc/bind/named.conf.options:

options {
    forwarders {
        127.0.0.1 port 9053;
    };
};

Using a reputable dnscrypt service is in principle more secure than leaving your DNS resolution up to some element in the chain of the Tor network; see Configure BIND as Forwarder only (no root hints), encrypted + RPZ blacklist / whitelist all together.

Also take note that resolving DNS via a Tor gateway is notably slower, and it is strongly advised to have a local cache such as dnsmasq or BIND.

I will leave here the source of the article from which I have taken the dnsmasq configuration. Resolve DNS through Tor

Interestingly enough, as a complementary/alternative approach, the strategy used by redsocks for handling UDP DNS requests is giving an invalid answer to any UDP DNS request via dnstc to force the operation of DNS via TCP, and thus facilitate the proxying of DNS via Tor.

See also Visiting darknet/ Tor sites with Firefox

Rui F Ribeiro
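An added leak check, not code from the answer above nor from Tor or dnsmasq: it audits the three files the answer edits (torrc, /etc/resolv.conf, /etc/dnsmasq.conf), passed in as strings, and reports every resolver path that bypasses Tor's DNSPort. It assumes the answer's layout (resolv.conf pointing at a local dnsmasq on 127.0.0.1, which forwards to the DNSPort) and also flags the "nameserver 127.0.0.1#9053" form, since glibc's resolv.conf parser has no port field.

```python
import ipaddress
import re

def tor_dnsport(torrc):
    """Return (addr, port) from the first DNSPort line, or None if Tor offers no resolver."""
    for line in torrc.splitlines():
        m = re.match(r"\s*DNSPort\s+(?:([\d.]+):)?(\d+)", line.split("#")[0])
        if m:
            return (m.group(1) or "127.0.0.1", int(m.group(2)))
    return None

def audit(torrc, resolv_conf, dnsmasq_conf=""):
    """Return a list of findings; an empty list means every query path ends at Tor's DNSPort."""
    findings = []
    dnsport = tor_dnsport(torrc)
    if dnsport is None:
        findings.append("torrc: no DNSPort, so there is no Tor resolver to forward to")
    # /etc/resolv.conf: every nameserver must be a loopback forwarder (dnsmasq or BIND).
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                ip = ipaddress.ip_address(parts[1])
            except ValueError:  # e.g. '127.0.0.1#9053': glibc has no port syntax here
                findings.append(f"resolv.conf: '{parts[1]}' is not a bare address, glibc "
                                "skips the line; run a local forwarder on port 53 instead")
                continue
            if not ip.is_loopback:
                findings.append(f"resolv.conf: nameserver {ip} is queried directly, outside Tor")
    # /etc/dnsmasq.conf: needs no-resolv, and every upstream must be Tor's DNSPort.
    if dnsmasq_conf:
        opts = [l.strip() for l in dnsmasq_conf.splitlines() if not l.lstrip().startswith("#")]
        if "no-resolv" not in opts:
            findings.append("dnsmasq: no-resolv missing, resolv.conf upstreams would also be used")
        expected = "%s#%d" % dnsport if dnsport else None
        for opt in opts:
            if opt.startswith("server=") and opt[7:] != expected:
                findings.append(f"dnsmasq: upstream {opt[7:]} is not Tor's DNSPort")
    return findings

# Constructed samples: the answer's torrc and dnsmasq.conf lines.
TORRC = "SocksPort 9050\nDNSPort 9053\n"
DNSMASQ = "no-resolv\nserver=127.0.0.1#9053\nlisten-address=127.0.0.1\n"

if __name__ == "__main__":
    print(audit(TORRC, "nameserver 127.0.0.1\n", DNSMASQ))    # returns []
    print(audit(TORRC, "nameserver 192.168.1.1\n", DNSMASQ))  # one finding: direct query
```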

This issue will stay as it is if you are using a secure browser like Tor; it will always leak the DNS. USE OpenVPN behind the Tor...

  • IMHO using the dnscrypt service as I describe in my answer will be more anonymous than using a VPN from your Tor connection. – Rui F Ribeiro Jan 16 '18 at 20:28
  • @Finn Joe Using a VPN is just as insecure as using ISP default DNS as far as metadata is concerned. So the suggestion is a useless one. – Yokai Feb 05 '18 at 06:36