I’m attempting to configure an anonymized DNS service using dnscrypt-proxy2, routed through the Tor network. I believe I have everything needed for it to work, but that does not seem to be the case. The DNS resolution is fine, but it’s not being proxied through Tor as desired.

 services.resolved.enable = false;
 services.dnscrypt-proxy2 = {
   enable = true;
   settings = {
     ipv6_servers = config.networking.enableIPv6;
     block_ipv6 = !(config.networking.enableIPv6);
     listen_addresses = ["127.0.0.1:53" "[::1]:53"];
     force_tcp = true;

     use_syslog = false;
     odoh_servers = true;
     require_dnssec = true;
     require_nolog = false;
     require_nofilter = true;

     anonymized_dns = {
       routes = [
         {
           server_name = "*";
           via = ["anon-plan9-dns" "anon-v.dnscrypt.up-ipv4"];
         }
       ];
       skip_incompatible = true;
     };

     sources.public-resolvers = {
       urls = [
         "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
         "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
       ];
       cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
       minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
     };

     block_unqualified = true;
     block_undelegated = true;
     proxy = "socks5://127.0.0.1:9050";
   };
 };

 systemd.services.dnscrypt-proxy2.serviceConfig = {
   StateDirectory = "dnscrypt-proxy";
 };
    useDHCP = false;
    enableIPv6 = true;
    nameservers = [
      "127.0.0.1"
      "::1"
    ];
    networkmanager.enable = true;
    networkmanager.dns = "none";
  services.tor = {
    enable = true;
    enableGeoIP = false;
    torsocks.enable = true;
    client = {
      enable = true;
    };
  };
    • @TeaTasticOP
      link
      English
      15 months ago

      It’s not hiding my real ip from websites such as https://whatismyipaddress.com/. If it was torrified, I’d expect something changing on “am i using tor” websites as well.

      • @[email protected]
        link
        fedilink
        English
        2
        edit-2
        5 months ago

        Is this whatismyip address on the dns server that should have all its traffic going through tor or just DNS? what is my ip address works by responding with the ip address that is connecting to it. If you are only trying to have dns go over tor what is my ip would respond with a non tor ip address but if all traffic is going through tor then yes something is not working.

        Edit: Reading more in depth of your post 100% whatismyipaddress will not return your tor ip. You’ve just offloaded name resultion ie. www.google.com is 123.123.123.123 ip address. You are still connecting to websites with your ISP ip.

      • @[email protected]
        link
        fedilink
        English
        15 months ago

        I don’t think that’s a correct assumption. DNS just resolves domain names to IPs. When you access a website, if the IP isn’t in your dns cache, it will look it up and that’s the only part that should be going through dnscrypt. The actual request to the site goes to the IP directly. To use TOR across your entire system, it should either be used as a VPN or as a system-wide proxy. Dunno how to set that up though…

        You should be able to at least activate logs for dnscrypt and see which DNS entries are being requested. To have a deeper look into your traffic, the only thing I know of is wireshark, which can sniff all your packets. You should be able to observe your DNS request going to dnscrypt, possibly through TOR (I doubt the packet tracing will work, sequence numbers or something should be disrupted by going through TOR), then a request going out to the IP it found over HTTP (port 80) or HTTPS (port 443).

        Anti Commercial-AI license

        • @TeaTasticOP
          link
          English
          15 months ago

          Routing DNSCrypt through the Tor network should, in theory, anonymize DNS queries. This configuration would result in the DNS resolver observing the IP address of the Tor exit node rather than my actual IP address, thus hiding my identity from the resolver. I’m not sure why the actual request to the site would go to the IP directly.

          For implementing DNS over HTTPS (DoH) via Tor, I followed the guidelines from this GitHub repository and translated them into my current approach.

          I’ve gone through DNSCrypt’s logs, but nothing really stood out. I’m a bit lost with Wireshark - there’s so much data even if I filter it by DNS or Tor Socks Port (From my relay).

          While you asked about the basis for my conclusions, it’s worth noting that if the Tor proxy were working as intended, I would also anticipate a considerable increase in latency. There’s a huge difference when I enter https://one.one.one.one/help/ normally with "Use system proxy settings" in my browser and when I enter it with a "Manual proxy configuration" with the SOCKS Host set up and "Proxy DNS when using SOCKS v5" checked on.

          • @[email protected]
            link
            fedilink
            English
            -3
            edit-2
            5 months ago
            sequenceDiagram
                Computer->>+Nameserver: Where's wikipedia.org
                Nameserver-->>-Computer: 185.15.59.224
                Computer->>+Wikipedia: GET /
                Wikipedia-->>-Computer: return /
            

            Here is the simplified sequence diagram

            As you can see the request to wikipedia itself does not go through a nameserver, only the DNS request does. It’s the entire reason Firefox has the option to proxy DNS queries over the proxy: to avoid DNS leaks

            Right now, all that should be happening is DNS requests being proxied, not the rest of your traffic.

            There’s a huge difference when I enter https://one.one.one.one/help/ normally with "Use system proxy settings" in my browser and when I enter it with a "Manual proxy configuration" with the SOCKS Host set up and "Proxy DNS when using SOCKS v5" checked on.

            To me that indicates the DNS proxy through TOR isn’t actually working with your dnscrypt setup 🤔 However it’s difficult to debug from here. It’s possible the DNS query is slow, but because the actual HTTP request is going through your standard internet with no proxy it’s fast, and when you do turn on the proxy for HTTP/S requests, you observe actually using TOR for everything and thus the latency.

            Could you run these commands please

            # Find which process is running the local DNS server
            sudo ss -plant | grep ":53 " # alternatively sudo netstat -plant | grep ":53 "
            
            # Check your DNS resolver config
            # You can share it or not, but 127.0.0.1 MUST be in it, otherwise your DNS queries aren't being encrypted/proxied
            cat /etc/resolv.conf
            
            # Measure how long it takes to query a new domain name
            time dig techhub.hpe.com
            time dig bash.org
            time dig element.io
            

            If you feel comfortable with it, you share the logs of dnscrypt (I don’t know what kind of information is in there, so you might have to clean it).

            journalctl -u dnscrypt-proxy2 or just systemctl status dnscrypt-proxy2. Either here or PMed. Here are encrypted pastebin alternatives.

            Anti Commercial-AI license

            • @TeaTasticOP
              link
              English
              25 months ago

              The simplified sequence diagram really helps to picture it. I’ll PM you with the logs.