... | @@ -2,33 +2,33 @@ |
... | @@ -2,33 +2,33 @@ |
|
|
|
|
|
----
|
|
----
|
|
|
|
|
|
[[TOC]]
|
|
|
|
* Copyright (c) 2005 tyranix
|
|
* Copyright (c) 2005 tyranix
|
|
* Distributed under the X11 license
|
|
* Distributed under the X11 license
|
|
* See [wiki:doc/LegalStuff LegalStuff] for a full text
|
|
* See [LegalStuff](./doc/LegalStuff) for a full text
|
|
|
|
|
|
== Overview ==
|
|
## Overview
|
|
|
|
|
|
== Why is this necessary? ==
|
|
## Why is this necessary?
|
|
|
|
|
|
When you use Tor, it's setup as a SOCKS4 or 5 proxy but not SOCKS4a. This means DNS requests are resolved using the normal method of /etc/resolv.conf. This exposes you because your ISP (or whoever is in /etc/resolv.conf) can view your plaintext DNS queries.
|
|
When you use Tor, it's setup as a SOCKS4 or 5 proxy but not SOCKS4a. This means DNS requests are resolved using the normal method of /etc/resolv.conf. This exposes you because your ISP (or whoever is in /etc/resolv.conf) can view your plaintext DNS queries.
|
|
|
|
|
|
== Example scenario ==
|
|
## Example scenario
|
|
|
|
|
|
In the case of using Firefox through Tor, it means all of the actual transfers (pages, images, video, etc) are anonymized through Tor but your ISP can see every site you visit by looking at what DNS names you request.
|
|
In the case of using Firefox through Tor, it means all of the actual transfers (pages, images, video, etc) are anonymized through Tor but your ISP can see every site you visit by looking at what DNS names you request.
|
|
|
|
|
|
While they can only assume you are visiting these sites because the actual traffic is encrypted, it's best to not let anyone see what you are doing for privacy concerns.
|
|
While they can only assume you are visiting these sites because the actual traffic is encrypted, it's best to not let anyone see what you are doing for privacy concerns.
|
|
|
|
|
|
For instance, if you request some site '''google.com''' without dsocks but with Tor, you will get the HTML back encrypted but to lookup the IP of google.com, programs use /etc/resolv.conf to ask someone what the IP is.
|
|
For instance, if you request some site **google.com** without dsocks but with Tor, you will get the HTML back encrypted but to lookup the IP of google.com, programs use /etc/resolv.conf to ask someone what the IP is.
|
|
Using logs of google.com and your ISP's DNS server and traffic logs, it may be possible for them to determine whether you accessed that site or just looked the name up (not 100% but possibly a correlation).
|
|
Using logs of google.com and your ISP's DNS server and traffic logs, it may be possible for them to determine whether you accessed that site or just looked the name up (not 100% but possibly a correlation).
|
|
|
|
|
|
This tutorial is designed to prevent such information leaks.
|
|
This tutorial is designed to prevent such information leaks.
|
|
|
|
|
|
== Purpose of tutorial ==
|
|
## Purpose of tutorial
|
|
|
|
|
|
This tutorial will setup dsocks to answer DNS queries. This means you will no longer have DNS leaks from Tor. Dsocks is also setup with systrace so dsocks itself runs as ''nobody''.
|
|
This tutorial will setup dsocks to answer DNS queries. This means you will no longer have DNS leaks from Tor. Dsocks is also setup with systrace so dsocks itself runs as _nobody_.
|
|
|
|
|
|
Systrace allows it to bind to port 53 by allowing that call as ''root''.
|
|
Systrace allows it to bind to port 53 by allowing that call as _root_.
|
|
Or you can setup your firewall to redirect requests to port 53 to a different port above 1023 so you don't have to run any of it as root.
|
|
Or you can setup your firewall to redirect requests to port 53 to a different port above 1023 so you don't have to run any of it as root.
|
|
|
|
|
|
This way, you do not have to trust dsocks any more than necessary.
|
|
This way, you do not have to trust dsocks any more than necessary.
|
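Review bot: The leak argument in "Why is this necessary?" rests on the sentence that Tor is "a SOCKS4 or 5 proxy but not SOCKS4a"; the mechanism actually described in the following lines (the program consults /etc/resolv.conf to get an IP before it ever talks to the proxy) is a property of the client application resolving the name itself, not of what the proxy supports, so it would be clearer to say that applications using SOCKS4/5 with an IP address resolve the name locally and leak it regardless of Tor's own capabilities. Separately, the kept `[[TOC]]` line is a Trac macro that Markdown renderers print literally; drop it or replace it with the target renderer's table-of-contents mechanism, since the converted `##` headings already give the outline.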
... | @@ -40,13 +40,13 @@ Note: This works through ssh port forwards. In my case, I run a browser in GNU/L |
... | @@ -40,13 +40,13 @@ Note: This works through ssh port forwards. In my case, I run a browser in GNU/L |
|
|
|
|
|
If you want the same setup, there's another tutorial I wrote on this site for that.
|
|
If you want the same setup, there's another tutorial I wrote on this site for that.
|
|
|
|
|
|
== Assumptions ==
|
|
## Assumptions
|
|
|
|
|
|
Dsocks assumes that Tor is listening on port 9050 which is the default port for Tor. Unless you have modified Tor's config, this is not a problem.
|
|
Dsocks assumes that Tor is listening on port 9050 which is the default port for Tor. Unless you have modified Tor's config, this is not a problem.
|
|
|
|
|
|
This tutorial is written and tested with OpenBSD. But it should work in GNU/Linux as long as you have a systrace patched kernel.
|
|
This tutorial is written and tested with OpenBSD. But it should work in GNU/Linux as long as you have a systrace patched kernel.
|
|
|
|
|
|
For GNU/Linux, you'll have to change most of the paths because OpenBSD uses '''/usr/local/lib/python2.3''' while Debian for instance uses '''/usr/lib/python2.3'''.
|
|
For GNU/Linux, you'll have to change most of the paths because OpenBSD uses **/usr/local/lib/python2.3** while Debian for instance uses **/usr/lib/python2.3**.
|
|
|
|
|
|
Additionally, the user and group ID for running systrace will probably have to be changed.
|
|
Additionally, the user and group ID for running systrace will probably have to be changed.
|
|
|
|
|
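Review bot: The two python library paths are converted from `'''...'''` to `**...**` bold, and the context line uses bare `root.root` / `root.wheel`; in Markdown, file paths and ownership specs are conventionally backtick code spans, which also prevents a renderer from treating characters inside a path as emphasis markers. Suggest `/usr/local/lib/python2.3` and `/usr/lib/python2.3` as code spans here and the same treatment for paths in the remaining hunks.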
... | @@ -54,80 +54,80 @@ Use root.root instead of root.wheel for chown commands. |
... | @@ -54,80 +54,80 @@ Use root.root instead of root.wheel for chown commands. |
|
|
|
|
|
And the package management commands would be different.
|
|
And the package management commands would be different.
|
|
|
|
|
|
== TODO ==
|
|
## TODO
|
|
|
|
|
|
It would be great if someone could test this on GNU/Linux. Or follow everything from OpenBSD.
|
|
It would be great if someone could test this on GNU/Linux. Or follow everything from OpenBSD.
|
|
|
|
|
|
= Thanks =
|
|
# Thanks
|
|
|
|
|
|
Thanks to an undeadly.org article about the OpenBSD chrooted Tor where someone mentioned dsocks. I'm now using dsocks so I'll pass along the instructions.
|
|
Thanks to an undeadly.org article about the OpenBSD chrooted Tor where someone mentioned dsocks. I'm now using dsocks so I'll pass along the instructions.
|
|
|
|
|
|
= Install python =
|
|
# Install python
|
|
|
|
|
|
Note: For OpenBSD 3.6, there are security updated packages that you should use.
|
|
Note: For OpenBSD 3.6, there are security updated packages that you should use.
|
|
This means you should be running python 2.3.5.
|
|
This means you should be running python 2.3.5.
|
|
|
|
|
|
You probably don't need to get all of these but I use python outside of this program so I like extra modules.
|
|
You probably don't need to get all of these but I use python outside of this program so I like extra modules.
|
|
{{{
|
|
```
|
|
mkdir ~/packages
|
|
mkdir ~/packages
|
|
cd ~/packages
|
|
cd ~/packages
|
|
wget ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/python{,-idle,-mpz,-tests,-tkinter,-tools}-2.3.5.
|
|
wget ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/python{,-idle,-mpz,-tests,-tkinter,-tools}-2.3.5.
|
|
tgz
|
|
tgz
|
|
pkg_add *.tgz
|
|
pkg_add *.tgz
|
|
}}}
|
|
```
|
|
|
|
|
|
and now you can remove the directory.
|
|
and now you can remove the directory.
|
|
|
|
|
|
= Get the source for dsocks and dpkt =
|
|
# Get the source for dsocks and dpkt
|
|
|
|
|
|
Dsocks and dpkt are both written in Python. Dsocks uses dpkt so you'll need to get both.
|
|
Dsocks and dpkt are both written in Python. Dsocks uses dpkt so you'll need to get both.
|
|
|
|
|
|
== Create a directory for storing them ==
|
|
## Create a directory for storing them
|
|
|
|
|
|
{{{
|
|
```
|
|
mkdir ~/dsocks
|
|
mkdir ~/dsocks
|
|
cd ~/dsocks
|
|
cd ~/dsocks
|
|
}}}
|
|
```
|
|
|
|
|
|
== Get dsocks and dpkt ==
|
|
## Get dsocks and dpkt
|
|
{{{
|
|
```
|
|
wget http://www.monkey.org/~dugsong/{dsocks/dsocks-1.2,dpkt/dpkt-1.1}.tar.gz
|
|
wget http://www.monkey.org/~dugsong/{dsocks/dsocks-1.2,dpkt/dpkt-1.1}.tar.gz
|
|
}}}
|
|
```
|
|
|
|
|
|
== Extract them both and move dpkt to dsocks directory ==
|
|
## Extract them both and move dpkt to dsocks directory
|
|
|
|
|
|
You can either install these using the provided setup.py (which will install them in some python location) or you can just use the directory as is.
|
|
You can either install these using the provided setup.py (which will install them in some python location) or you can just use the directory as is.
|
|
|
|
|
|
I prefer to use it as is because I'm going to be moving it to a different location than the normal python libraries.
|
|
I prefer to use it as is because I'm going to be moving it to a different location than the normal python libraries.
|
|
|
|
|
|
{{{
|
|
```
|
|
tar -zxvf dsocks-1.2.tar.gz
|
|
tar -zxvf dsocks-1.2.tar.gz
|
|
tar -zxvf dpkt-1.1.tar.gz
|
|
tar -zxvf dpkt-1.1.tar.gz
|
|
}}}
|
|
```
|
|
|
|
|
|
Now move the dpkt source code into dsocks. If you don't do this, you'll need to move dpkt directory to somewhere the python interpreter will find.
|
|
Now move the dpkt source code into dsocks. If you don't do this, you'll need to move dpkt directory to somewhere the python interpreter will find.
|
|
{{{
|
|
```
|
|
mv dpkt-1.1/dpkt dsocks-1.2/dpkt
|
|
mv dpkt-1.1/dpkt dsocks-1.2/dpkt
|
|
}}}
|
|
```
|
|
|
|
|
|
== Byte compile the source ==
|
|
## Byte compile the source
|
|
|
|
|
|
Then compile them because you want to make this read only. Normally python does this when you execute the files. However, when you call compileall, you only compile it to byte-code instead of executing the code.
|
|
Then compile them because you want to make this read only. Normally python does this when you execute the files. However, when you call compileall, you only compile it to byte-code instead of executing the code.
|
|
|
|
|
|
This will recursively compile all python code it finds in that directory.
|
|
This will recursively compile all python code it finds in that directory.
|
|
{{{
|
|
```
|
|
/usr/local/bin/python /usr/local/lib/python2.3/compileall.py dsocks-1.2
|
|
/usr/local/bin/python /usr/local/lib/python2.3/compileall.py dsocks-1.2
|
|
}}}
|
|
```
|
|
|
|
|
|
|
|
|
|
= Create a new location for the source =
|
|
# Create a new location for the source
|
|
|
|
|
|
As root, create a location for the source.
|
|
As root, create a location for the source.
|
|
|
|
|
|
This should also be made read only because we already byte-compiled the source. This means there are *.pyc files where ever *.py are found in dsocks-1.2.
|
|
This should also be made read only because we already byte-compiled the source. This means there are *.pyc files where ever *.py are found in dsocks-1.2.
|
|
|
|
|
|
This has to be accessible for everyone because we're going to run this program as the '''nobody''' user.
|
|
This has to be accessible for everyone because we're going to run this program as the **nobody** user.
|
|
{{{
|
|
```
|
|
mkdir /opt
|
|
mkdir /opt
|
|
cp -Rp dsocks-1.2 /opt/
|
|
cp -Rp dsocks-1.2 /opt/
|
|
|
|
|
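Review bot: The wget line in the "Install python" block is split mid-filename in both columns (`...-2.3.5.` on one line, `tgz` on the next), so copied as-is it fetches nothing and the following `pkg_add *.tgz` has no packages to install; it should be a single line ending in `-2.3.5.tgz`. A style point on the same hunk: the new ``` fences carry no language tag, and tagging the shell blocks as ```sh would make them render as commands rather than plain text.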
... | @@ -136,18 +136,18 @@ find /opt/dsocks-1.2 -type f -exec chmod 444 '{}' \; |
... | @@ -136,18 +136,18 @@ find /opt/dsocks-1.2 -type f -exec chmod 444 '{}' \; |
|
find /opt/dsocks-1.2 -type d -exec chmod 555 '{}' \;
|
|
find /opt/dsocks-1.2 -type d -exec chmod 555 '{}' \;
|
|
|
|
|
|
chmod 555 /opt
|
|
chmod 555 /opt
|
|
}}}
|
|
```
|
|
|
|
|
|
= Option 1: Use systrace =
|
|
# Option 1: Use systrace
|
|
|
|
|
|
This is my systrace file. Python has a lot of fsread calls so I used a regex to avoid naming all of those.
|
|
This is my systrace file. Python has a lot of fsread calls so I used a regex to avoid naming all of those.
|
|
|
|
|
|
The file is called ''/root/.systrace/usr_local_bin_python2_3'' and should be copied to ''/etc/systrace/'' after you have tested it.
|
|
The file is called _/root/.systrace/usr_local_bin_python2_3_ and should be copied to _/etc/systrace/_ after you have tested it.
|
|
|
|
|
|
Notice that the '''bind''' call has ''as root'' which escalates permissions for that one call. All the others will be run as whatever user you specify in systrace (with the -c option).
|
|
Notice that the **bind** call has _as root_ which escalates permissions for that one call. All the others will be run as whatever user you specify in systrace (with the -c option).
|
|
|
|
|
|
This also means that you must execute systrace as root for this escalation to occur. The program itself will run the '''nobody''' user.
|
|
This also means that you must execute systrace as root for this escalation to occur. The program itself will run the **nobody** user.
|
|
{{{
|
|
```
|
|
Policy: /usr/local/bin/python2.3, Emulation: native
|
|
Policy: /usr/local/bin/python2.3, Emulation: native
|
|
native-issetugid: permit
|
|
native-issetugid: permit
|
|
native-__sysctl: permit
|
|
native-__sysctl: permit
|
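Review bot: The prose says the policy's `bind` rule carries `as root`, but the diff context ends after `native-__sysctl: permit`, so the one privilege-escalating line of this policy is not reviewable in the hunk; when checking the full file, confirm that the bind rule is constrained to the intended socket (the port 53 listener) rather than being a blanket `permit as root`, since every other rule runs as the `-c` user and that single line is the only place root is granted. Also, the filenames `_/root/.systrace/usr_local_bin_python2_3_` and `_/etc/systrace/_` would be safer as backtick code spans than underscore italics.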
... | @@ -226,9 +226,9 @@ Policy: /usr/local/bin/python2.3, Emulation: native |
... | @@ -226,9 +226,9 @@ Policy: /usr/local/bin/python2.3, Emulation: native |
|
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
|
|
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
|
|
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
|
|
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
|
|
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
|
|
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
|
|
}}}
|
|
```
|
|
|
|
|
|
= Option 2: Use firewall redirection =
|
|
# Option 2: Use firewall redirection
|
|
|
|
|
|
Instead of using systrace to allow tor-dns-proxy.py to bind to port 53, you could setup your firewall to redirect requests to port 127.0.0.1:53 to 127.0.0.1:7777
|
|
Instead of using systrace to allow tor-dns-proxy.py to bind to port 53, you could setup your firewall to redirect requests to port 127.0.0.1:53 to 127.0.0.1:7777
|
|
where 7777 is some arbitrary port greater than 1023 so you don't have to run systrace as root.
|
|
where 7777 is some arbitrary port greater than 1023 so you don't have to run systrace as root.
|
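Review bot: Only the tail of the policy is visible here, and it permits `AF_INET`/`SOCK_DGRAM` (UDP for DNS) plus the two `AF_UNIX` socket types; the proxy must also open a TCP connection to Tor's SOCKS port 9050 (stated under Assumptions), so an `AF_INET`/`SOCK_STREAM` permit must exist in the omitted part of the policy, and that should be verified before the file is copied to /etc/systrace/. Minor wording: "redirect requests to port 127.0.0.1:53 to 127.0.0.1:7777" should read "redirect requests for 127.0.0.1:53 to 127.0.0.1:7777".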
... | @@ -236,58 +236,58 @@ where 7777 is some arbitrary port greater than 1023 so you don't have to run sys |
... | @@ -236,58 +236,58 @@ where 7777 is some arbitrary port greater than 1023 so you don't have to run sys |
|
If you do this, you can run everything as user nobody (or any other user) by removing the "as root" part to the above systrace policy and setting up a redirection.
|
|
If you do this, you can run everything as user nobody (or any other user) by removing the "as root" part to the above systrace policy and setting up a redirection.
|
|
|
|
|
|
Here's how you would do it with OpenBSD's pf. See this part of the FAQ for details: [[http://www.openbsd.org/faq/pf/rdr.html]]
|
|
Here's how you would do it with OpenBSD's pf. See this part of the FAQ for details: [[http://www.openbsd.org/faq/pf/rdr.html]]
|
|
{{{
|
|
```
|
|
# Redirect internal requests to port 53 to port 7777.
|
|
# Redirect internal requests to port 53 to port 7777.
|
|
rdr on lo0 proto udp from 127.0.0.1 to 127.0.0.1 port 53 -> 127.0.0.1 port 7777
|
|
rdr on lo0 proto udp from 127.0.0.1 to 127.0.0.1 port 53 -> 127.0.0.1 port 7777
|
|
}}}
|
|
```
|
|
|
|
|
|
Note that there is a disadvantage to doing this. Because you are redirecting to port 7777, if another user can start up a program binding to port 7777 or crash yours and start theirs, now your requests are going through a malicious DNS server.
|
|
Note that there is a disadvantage to doing this. Because you are redirecting to port 7777, if another user can start up a program binding to port 7777 or crash yours and start theirs, now your requests are going through a malicious DNS server.
|
|
|
|
|
|
Using systrace's escalation, a normal user cannot do this same replacement without finding some systrace or root exploit to circumvent the protection.
|
|
Using systrace's escalation, a normal user cannot do this same replacement without finding some systrace or root exploit to circumvent the protection.
|
|
|
|
|
|
= Change /etc/resolv.conf =
|
|
# Change /etc/resolv.conf
|
|
|
|
|
|
I have two /etc/resolv.conf: one for Tor and one for normal operation.
|
|
I have two /etc/resolv.conf: one for Tor and one for normal operation.
|
|
I switch between them by copying over the existing /etc/resolv.conf with either /etc/resolv.conf.tor or /etc/resolv.conf.normal
|
|
I switch between them by copying over the existing /etc/resolv.conf with either /etc/resolv.conf.tor or /etc/resolv.conf.normal
|
|
|
|
|
|
This is what you want for resolving DNS through Tor.
|
|
This is what you want for resolving DNS through Tor.
|
|
{{{
|
|
```
|
|
lookup file bind
|
|
lookup file bind
|
|
nameserver 127.0.0.1
|
|
nameserver 127.0.0.1
|
|
}}}
|
|
```
|
|
|
|
|
|
= Start up tor-dns-proxy =
|
|
# Start up tor-dns-proxy
|
|
|
|
|
|
This will run as the user '''nobody'''. It only escalates the bind call so we can bind below port 1024 (53 in DNS case).
|
|
This will run as the user **nobody**. It only escalates the bind call so we can bind below port 1024 (53 in DNS case).
|
|
|
|
|
|
{{{
|
|
```
|
|
/bin/systrace -a -e -c 32767:32767 /usr/local/bin/python2.3 /opt/dsocks-1.2/tor-dns-proxy.py
|
|
/bin/systrace -a -e -c 32767:32767 /usr/local/bin/python2.3 /opt/dsocks-1.2/tor-dns-proxy.py
|
|
}}}
|
|
```
|
|
|
|
|
|
Note: This does not background so you'll have to kill it with control-c to exit.
|
|
Note: This does not background so you'll have to kill it with control-c to exit.
|
|
When you run it as a daemon, you'll have to background the process (as shown below).
|
|
When you run it as a daemon, you'll have to background the process (as shown below).
|
|
|
|
|
|
== Try it out ==
|
|
## Try it out
|
|
|
|
|
|
You can use any application to test it out. Here, I'll use wget.
|
|
You can use any application to test it out. Here, I'll use wget.
|
|
|
|
|
|
{{{
|
|
```
|
|
# If you use privoxy with tor (recommended)
|
|
# If you use privoxy with tor (recommended)
|
|
export http_proxy=http://127.0.0.1:8118/
|
|
export http_proxy=http://127.0.0.1:8118/
|
|
# Otherwise, plain tor
|
|
# Otherwise, plain tor
|
|
# export http_proxy=http://127.0.0.1:9050/
|
|
# export http_proxy=http://127.0.0.1:9050/
|
|
wget http://www.google.com
|
|
wget http://www.google.com
|
|
}}}
|
|
```
|
|
|
|
|
|
You can also create/modify ~/.wgetrc to set this permanently.
|
|
You can also create/modify ~/.wgetrc to set this permanently.
|
|
|
|
|
|
= Make it permanent =
|
|
# Make it permanent
|
|
|
|
|
|
'''Note''': I haven't rebooted yet so this part hasn't been tested yet.
|
|
**Note**: I haven't rebooted yet so this part hasn't been tested yet.
|
|
|
|
|
|
Add this to your '''/etc/rc.local'''.
|
|
Add this to your **/etc/rc.local**.
|
|
|
|
|
|
{{{
|
|
```
|
|
# Tor-ized DNS to prevent DNS leaks. Runs as 'nobody' except for an escalated
|
|
# Tor-ized DNS to prevent DNS leaks. Runs as 'nobody' except for an escalated
|
|
# bind to port 53 by systrace.
|
|
# bind to port 53 by systrace.
|
|
if [ -f /opt/dsocks-1.2/tor-dns-proxy.py ]; then
|
|
if [ -f /opt/dsocks-1.2/tor-dns-proxy.py ]; then
|
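Review bot: The commented "plain tor" alternative `export http_proxy=http://127.0.0.1:9050/` cannot work as written: 9050 is Tor's SOCKS port (Assumptions), and wget's `http_proxy` expects an HTTP proxy, so without an HTTP front end such as the privoxy line above wget will not get through; either drop that alternative or say it needs an HTTP-to-SOCKS proxy. The "Try it out" step also only shows that the page loads, not that the leak is closed; a stronger check is to confirm that no UDP port 53 traffic leaves the external interface during the wget, and that the query shows up in tor-dns-proxy's output, since the same wget would succeed if resolv.conf were still pointing at the ISP resolver.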
... | @@ -295,28 +295,28 @@ if [ -f /opt/dsocks-1.2/tor-dns-proxy.py ]; then |
... | @@ -295,28 +295,28 @@ if [ -f /opt/dsocks-1.2/tor-dns-proxy.py ]; then |
|
/bin/systrace -a -c 32767:32767 /usr/local/bin/python2.3 /opt/dsocks-1.2/tor-dns-proxy >/dev/null
|
|
/bin/systrace -a -c 32767:32767 /usr/local/bin/python2.3 /opt/dsocks-1.2/tor-dns-proxy >/dev/null
|
|
2>&1 &
|
|
2>&1 &
|
|
fi
|
|
fi
|
|
}}}
|
|
```
|
|
|
|
|
|
= Other examples from dsocks author =
|
|
# Other examples from dsocks author
|
|
|
|
|
|
These are from his webpage, copied here for reference:
|
|
These are from his webpage, copied here for reference:
|
|
|
|
|
|
copy a file remotely thru a home SSH gateway, using an internal DNS name
|
|
copy a file remotely thru a home SSH gateway, using an internal DNS name
|
|
{{{
|
|
```
|
|
ssh -D 1080 home_gw
|
|
ssh -D 1080 home_gw
|
|
dsocks.sh scp /etc/motd internal_host:/tmp
|
|
dsocks.sh scp /etc/motd internal_host:/tmp
|
|
}}}
|
|
```
|
|
|
|
|
|
web surf anonymously thru Tor using Firefox (configured to use the Tor SOCKS proxy), with no DNS leaks (using the included Tor DNS proxy):
|
|
web surf anonymously thru Tor using Firefox (configured to use the Tor SOCKS proxy), with no DNS leaks (using the included Tor DNS proxy):
|
|
{{{
|
|
```
|
|
tor >/dev/null 2>&1 &
|
|
tor >/dev/null 2>&1 &
|
|
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
|
echo "nameserver 127.0.0.1" > /etc/resolv.conf
|
|
tor-dns-proxy.py >/dev/null 2>&1 &
|
|
tor-dns-proxy.py >/dev/null 2>&1 &
|
|
firefox
|
|
firefox
|
|
}}}
|
|
```
|
|
|
|
|
|
SSH anonymously thru Tor:
|
|
SSH anonymously thru Tor:
|
|
{{{
|
|
```
|
|
tor >/dev/null 2>&1 &
|
|
tor >/dev/null 2>&1 &
|
|
dsocks-torify.sh ssh example.com
|
|
dsocks-torify.sh ssh example.com
|
|
}}} |
|
``` |
|
\ No newline at end of file |
|
\ No newline at end of file |
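Review bot: The rc.local snippet tests for `/opt/dsocks-1.2/tor-dns-proxy.py` but then runs `/opt/dsocks-1.2/tor-dns-proxy` without the `.py`, a file that does not exist under the layout created earlier, so the daemon will fail to start at boot; and the command is broken across two lines (`>/dev/null` on one, `2>&1 &` on the next), which leaves the first line running in the foreground with no `&` and blocking the rest of rc.local. Suggest one line: `/bin/systrace -a -c 32767:32767 /usr/local/bin/python2.3 /opt/dsocks-1.2/tor-dns-proxy.py >/dev/null 2>&1 &`. The "Make it permanent" section itself says this part is untested, which is consistent with both defects.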