NSS module for .onion DNS name resolution
From a usability point of view it'd be great to always have .onion addresses resolved via Tor - system wide, by default. It'd make .onion addresses a first-class citizen in the overall web browsing experience.
The idea is to provide a libnss-tor module that, by default, always resolves .onion addresses via Tor, with no need for 'torify', per-application proxy configuration, etc. Similar to what libnss-mdns does for .local addresses, for instance.
Thanks to this I came up with the following setup to achieve the same thing:
- torrc with 'AutomapHostsOnResolve 1', 'DNSPort 53535' and 'TransPort 9040'
- dnsmasq with a 'server=/onion/127.0.0.1#53535'
- iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/10 -j REDIRECT --to-ports 9040
- 'nameserver 127.0.0.1' in /etc/resolv.conf
However, having a libnss-tor for that would remove the iptables/dnsmasq part, which should make it way more convenient for most people. It'd also make the mapaddress option in the torrc obsolete, I think.
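How the four pieces of the setup above fit together, as an added Python model that is not Tor's, dnsmasq's or the ticket author's code: the dnsmasq 'server=/onion/' split, Tor's AutomapHostsOnResolve virtual-address allocation, and the iptables REDIRECT to TransPort. The upstream resolver address, the function names and the 127.192.0.0/10 range (Tor's default VirtualAddrNetworkIPv4) are assumptions.

```python
"""Constructed model of the .onion split-resolution setup (not real Tor,
dnsmasq or NSS code). It shows why .onion names never reach the upstream
resolver and why only TCP to the virtual range is carried over Tor."""
import ipaddress

TOR_DNS = ("127.0.0.1", 53535)        # Tor DNSPort from the torrc above
UPSTREAM_DNS = ("10.0.0.53", 53)      # assumed ordinary resolver (placeholder)
VIRTUAL_NET = ipaddress.ip_network("127.192.0.0/10")  # assumed Tor default range
TRANS_PORT = 9040                     # Tor TransPort from the torrc above


def forward_target(name):
    """dnsmasq 'server=/onion/127.0.0.1#53535': .onion queries go to Tor only,
    everything else to the upstream resolver (no .onion DNS leak)."""
    labels = name.rstrip(".").lower().split(".")
    return TOR_DNS if labels[-1] == "onion" else UPSTREAM_DNS


class AutomapResolver:
    """AutomapHostsOnResolve: hand out one stable virtual IPv4 per .onion name."""

    def __init__(self):
        self._hosts = iter(VIRTUAL_NET.hosts())
        self._map = {}

    def resolve(self, name):
        name = name.rstrip(".").lower()
        if forward_target(name) != TOR_DNS:
            raise ValueError(f"{name} is not a .onion name; not automapped")
        if name not in self._map:
            self._map[name] = str(next(self._hosts))
        return self._map[name]


def redirect_port(dst_ip, dst_port, proto="tcp"):
    """iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/10 -j REDIRECT --to-ports 9040
    Only TCP to the virtual range is sent to TransPort; UDP to a virtual
    address is not redirected, so it just fails on loopback instead of leaking."""
    if proto == "tcp" and ipaddress.ip_address(dst_ip) in VIRTUAL_NET:
        return TRANS_PORT
    return dst_port


if __name__ == "__main__":
    r = AutomapResolver()
    vaddr = r.resolve("example.onion")          # constructed name
    print(vaddr, redirect_port(vaddr, 80))       # 127.192.0.1 9040
```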
Further things to consider:
- Security implications?
- Does something like libnss exist for other operating systems, too?
Trac:
Username: tux