[tor-talk] New to List

Jim Jimmymac at copper.net
Sun Dec 11 23:55:58 UTC 2011


Erich Kroener wrote:
> I am new to the mailing list but using Tor for awhile now. First, cheers
> to the developers - this service is great!
> 
> After reading in a great many FAQs, wikimedia pages, and so on - I am
> still bit worried about local DNS being revealed.
> 
> Here is my set-up and what I have done: Running v.0.2.2.34, Linux/Ubuntu
> environ, Firefox of course with network.proxy.sock 'true' - all traffic
> goes through SOCKS5. Connecting to network no problem.

[snip]

> Any helpful next steps? How can I be sure?

You can use iptables to monitor for port 53 usage by adding a couple of
rules to the beginning of the OUTPUT chain:

        sudo iptables -I OUTPUT -p udp --dport 53
        sudo iptables -I OUTPUT -p tcp --dport 53

These rules will count the number of UDP and TCP packets sent to port
53.  They won't filter or log anything to the system log.

After doing some browsing via Tor, you can check if any packets have
matched either rule with:

        sudo iptables -nvL OUTPUT | head

The verbose (-v) option will cause packet counts to be included in the
output.  If those are zero, you are good to go.  There is the
*possibility* of a false positive if one of the tor nodes you access
uses TCP/53. :-(

Alternatively, you can use tcpdump or wireshark to directly monitor for
port 53 packets.  For example:

        sudo tcpdump -nni any port 53

Be aware that if you don't use the -n option, any of the commands
above may *themselves* do DNS lookups! :-O

Chris's suggestion of blocking direct Internet access is also good if
the restriction doesn't cause a problem for you.  The following will
block all traffic for "username" on all interfaces except loopback.
(Obviously, the Tor software must be running as a different user.)

        sudo iptables -I OUTPUT ! -o lo -m owner \
           --uid-owner username -j REJECT

If you need that user to be able to access a LAN or something, then the
filtering becomes slightly more complicated, but still easy.  I run a
local DNS caching service, so I also block that user on port 53 on *all*
interfaces, *including* loopback:

        sudo iptables -I OUTPUT -p udp --dport 53 -m owner \
           --uid-owner username -j REJECT
        sudo iptables -I OUTPUT -p tcp --dport 53 -m owner \
           --uid-owner username -j REJECT

I prefer REJECT to DROP for these purposes so that I get immediate
feedback that something is being blocked, but you can use DROP if you
prefer silence.

HTH

Jim
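The counter check described in the reply above, as an added shell example that is not part of the original message: a small parser for the output of `iptables -nvL OUTPUT` that sums the packet counters of the port-53 counting rules and turns the "are those zero?" question into an exit status. The two iptables listings below are constructed samples, not captures from a real machine, and the function names (`dns_hits`, `dns_leak_free`) are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.  Parses `iptables -nvL
# OUTPUT` output and reports whether any counting rule for dpt:53 matched.

# Constructed sample: what the two counting rules from the post look like
# after some browsing when the TCP rule has been hit 12 times.
SAMPLE_LEAKY='Chain OUTPUT (policy ACCEPT 4120 packets, 612K bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
      12        864            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53'

# Constructed sample: the same chain with both counters still at zero.
SAMPLE_CLEAN='Chain OUTPUT (policy ACCEPT 4120 packets, 612K bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53'

# dns_hits: read `iptables -nvL OUTPUT` output on stdin and print the total
# packet count of every rule whose last field is "dpt:53" (UDP and TCP).
# The header and "Chain ..." lines never end in dpt:53, so they are skipped.
dns_hits() {
    awk '$NF == "dpt:53" {
        n = $1
        # Without -x, iptables abbreviates large counters with K/M/G
        # (base 1000).  Scale them back so a nonzero count stays nonzero;
        # run iptables with -x if you need the exact figure.
        if      (n ~ /K$/) { sub(/K$/, "", n); n = n * 1000 }
        else if (n ~ /M$/) { sub(/M$/, "", n); n = n * 1000000 }
        else if (n ~ /G$/) { sub(/G$/, "", n); n = n * 1000000000 }
        total += n
    }
    END { printf "%d\n", total + 0 }'
}

# dns_leak_free: exit 0 when no port-53 packets have matched, 1 otherwise.
# Reads the same iptables listing on stdin as dns_hits.
dns_leak_free() {
    [ "$(dns_hits)" -eq 0 ]
}

# Stand-alone demonstration on the constructed samples.  On a live box the
# input would come from:  sudo iptables -nvxL OUTPUT | dns_leak_free
for name in SAMPLE_LEAKY SAMPLE_CLEAN; do
    eval "listing=\$$name"
    if printf '%s\n' "$listing" | dns_leak_free; then
        echo "$name: no port-53 packets counted"
    else
        echo "$name: port-53 packets counted, possible DNS leak"
    fi
done
```

Remember the caveat from the reply: a nonzero count only proves that something on the box sent a packet to port 53, not which process did it. Combining the counters with `-m owner --uid-owner` rules, as the blocking rules later in the reply do, narrows that down to the browser's user.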
