Recently I posted criticism of Mozilla's new DNS over HTTPS feature, given that they disabled its primary security functionality. The user isn't even warned and can be secretly spied on. This blog post details how to use Tor as your system DNS resolver, with instructions for each operating system plus instructions for disabling Firefox's dangerous DNS over HTTPS implementation. If you'd like to read why Firefox's implementation of DNS over HTTPS is harmful, you may read my previous blog post.
Note for Firefox Users
By default Mozilla has DNS over HTTPS enabled on networks that do not request the feature to be disabled. Visit `about:config` and set `network.trr.mode` to `5` to completely turn off the feature. I do not trust Mozilla's implementation and you shouldn't either.
Why not use Tor Browser?
Where possible you should download Tor Browser and use it instead. Unfortunately, many websites block the Tor network or show its users a large number of CAPTCHAs (imagine having to check "I'm not a robot" every few minutes; that's the reality for many Tor Browser users).
This alternative solution at least doesn't switch DNS security off whenever a network administrator asks for it, and website owners still see your real IP address, which reduces the number of CAPTCHAs you will see as a result of using this feature. I will emphasize that it is not as private as the Tor Browser Bundle; please keep this in mind if you use this approach.
How to use Tor as your System DNS Resolver on Windows 10
At this time the tooling available on Windows 10 is not in a state where I'm comfortable writing out steps, as I am unsure about several of the security implications. As a temporary workaround I would recommend buying a Raspberry Pi, setting up Linux and a DNS resolver on it, and following the steps below for using Tor on Linux.
How to use Tor as your System DNS Resolver on macOS
Step 0) Install the Homebrew Package Manager
Open the Terminal app on macOS and run the following command: `/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"`. Follow the prompts and let the package manager install itself. This may take a few minutes to download and configure everything, as Homebrew relies on the Xcode developer tools, which can be quite large.
Step 1) Install the Tor and DNSMasq Homebrew Packages
To get started you will need to run the following two commands: `brew install tor` and `brew install dnsmasq`. This will install the Tor and DNSMasq (a lightweight DNS proxy) packages.
Step 2) Enable Tor’s DNS Resolver
Open `/usr/local/etc/torrc` with a text editor of your choice. I recommend running nano as root to avoid any permission issues, so run `sudo nano /usr/local/etc/torrc` and add the line `DNSPort 9053` to the bottom. Then run `brew services restart tor` to restart the Tor service and reload the configuration. This will also make sure the resolver is enabled.
Step 3) Configure DNSMasq
You will need to configure DNSMasq to send your DNS queries to the Tor DNS resolver, as it runs on a non-standard port. To do this run `nano /usr/local/etc/dnsmasq/dnsmasq.conf` and add the following lines to the bottom of the file: `no-resolv` (to disable fetching DNS servers from `/etc/resolv.conf` and `/etc/hosts`) and `server=127.0.0.1#9053`. Save the file and run `sudo brew services restart dnsmasq` (since dnsmasq listens on a privileged port (a port below 1024), it must be run as root or as a user with special permissions; this is the standard configuration for dnsmasq on macOS systems).
How to use Tor as your System DNS Resolver on Linux
Configuring Tor as your System DNS Resolver on Linux is a bit complex. These instructions only have Debian and Ubuntu in mind. If you use a different Linux distribution you’ll need to do your own research to get things working.
Install Tor
For security reasons you should always download Tor from the official repositories. The version in the Ubuntu/Debian apt repos is outdated at best. To install and configure Tor please run the following commands:
- Finally, open `/etc/torrc` with a text editor of your choice. I recommend running nano as root to avoid any permission issues, so run `sudo nano /etc/torrc` and add the line `DNSPort 9053` to the bottom. Then run `sudo service tor restart` to restart the Tor service and reload the configuration. This will also make sure the resolver is enabled.
Install dnsmasq to accept requests and forward them to the Tor DNS Resolver
You will need to configure DNSMasq to send your DNS queries to the Tor DNS resolver, as it runs on a non-standard port. To do this run `nano /etc/dnsmasq/dnsmasq.conf` and add the following lines to the bottom of the file: `no-resolv` (to disable fetching DNS servers from `/etc/resolv.conf` and `/etc/hosts`) and `server=127.0.0.1#9053`. Save the file and run `sudo service dnsmasq restart`. I recommend binding to specific interfaces and using the IP address `127.0.0.54` to avoid conflicts with other services running on your machine.
Remove systemd-resolved and have network manager use dnsmasq instead
Newer versions of Ubuntu have integrated `systemd-resolved`, a built-in caching DNS resolver, into systemd. This can cause problems with our DNS setup, so it's best to disable it where possible. These instructions are adapted from an answer on AskUbuntu. I've tested them on my personal computer but didn't write/research them. Be aware that this will break some corporate VPN clients (see the LaunchPad issue).
- Run `sudo systemctl disable systemd-resolved` and `sudo systemctl stop systemd-resolved` in a terminal.
- Next run `sudo nano /etc/NetworkManager/NetworkManager.conf` and add the following line after the `[main]` section header: `dns=default`.
- Run `rm /etc/resolv.conf` and then `sudo systemctl restart NetworkManager`. Don't worry, as this will create a new `resolv.conf` file.
Final Steps
Be sure to go into your network settings and set your DNS resolver to `127.0.0.54`, and then things will work as expected.
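The macOS and Linux sections above come down to the same three edits: add `DNSPort` to the torrc, point dnsmasq at that port with `no-resolv`, and (on Ubuntu) tell NetworkManager to use `dns=default`. The POSIX shell script below is an added example and not code from the original post. It writes those fragments into a staging directory you name, so you can inspect and diff them before copying them over the real files with sudo; it applies each line only once, so re-running it is harmless; and it includes a check that the dnsmasq config forwards exclusively to Tor, because a leftover `server=` line pointing at an ordinary resolver would quietly send queries around Tor. The ports and addresses are the post's own (9053 and 127.0.0.54); the staging layout, the `--stage` flag and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): stage the torrc, dnsmasq and
# NetworkManager edits described above, idempotently, and sanity-check them.
# Port 9053 and address 127.0.0.54 follow the post; the staging directory
# layout and function names are this example's own assumptions.

# Append a line only if the file does not already contain it verbatim.
ensure_line() {
    file="$1"; line="$2"
    touch "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# torrc: enable Tor's DNS resolver on the given port (default 9053).
configure_torrc() {
    ensure_line "$1" "DNSPort ${2:-9053}"
}

# dnsmasq.conf: ignore /etc/resolv.conf and forward everything to Tor's
# DNSPort. An optional third argument binds dnsmasq to one address, as the
# post recommends on Linux to avoid clashing with other local resolvers.
configure_dnsmasq() {
    ensure_line "$1" "no-resolv"
    ensure_line "$1" "server=127.0.0.1#${2:-9053}"
    if [ -n "${3:-}" ]; then
        ensure_line "$1" "listen-address=$3"
        ensure_line "$1" "bind-interfaces"
    fi
}

# NetworkManager.conf: insert dns=default directly after [main], creating
# the section if the file lacks it.
configure_networkmanager() {
    file="$1"
    touch "$file"
    grep -qxF "dns=default" "$file" && return 0
    if grep -qxF '[main]' "$file"; then
        awk '{ print } /^\[main\]$/ && !done { print "dns=default"; done = 1 }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '[main]\ndns=default\n' >> "$file"
    fi
}

# Returns 0 only if the dnsmasq config can reach no upstream except Tor:
# no-resolv must be present and every server= line must be 127.0.0.1#<port>.
dnsmasq_forwards_only_to_tor() {
    file="$1"; port="${2:-9053}"
    grep -qxF "no-resolv" "$file" || return 1
    if grep '^server=' "$file" | grep -qvxF "server=127.0.0.1#$port"; then
        return 1
    fi
    grep -qxF "server=127.0.0.1#$port" "$file"
}

# Write all three fragments under a staging directory and verify them.
stage_configs() {
    stage="$1"
    mkdir -p "$stage"
    configure_torrc "$stage/torrc"
    configure_dnsmasq "$stage/dnsmasq.conf" 9053 127.0.0.54
    configure_networkmanager "$stage/NetworkManager.conf"
    dnsmasq_forwards_only_to_tor "$stage/dnsmasq.conf" 9053
}

# Usage: sh tor-dns-stage.sh --stage ./tor-dns-stage
if [ "${1:-}" = "--stage" ]; then
    stage_configs "${2:-./tor-dns-stage}" && echo "staged under ${2:-./tor-dns-stage}"
fi
```

After copying the fragments into place and restarting tor and dnsmasq, query Tor's resolver directly with `dig @127.0.0.1 -p 9053 example.com A` before putting dnsmasq in front of it, then `dig @127.0.0.54 example.com` to confirm the forwarder answers; if the first works and the second does not, the problem is in dnsmasq, not Tor. One caveat to keep in mind with this setup: Tor's DNSPort only answers A, AAAA and PTR queries, so lookups for other record types (MX, TXT, SRV) forwarded through dnsmasq will fail rather than fall back to a clearnet resolver, which is the intended behaviour here but can surprise mail or service-discovery tools.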