DNSCrypt + Tor Transparent Proxy (resolver-proxy)

[Escape-source]

Setting up a Tor Transparent Proxy is a relatively straightforward way to route all internet traffic through the Tor network However, this setup has some vulnerabilities, particularly with regards to DNS.

One issue is that the DNSPort cannot achieve stream isolation due to its limitations. This means that DNS servers remain the same across different circuits. I've done several tests to confirm this. To overcome this, DNS requests need to be routed through the Tor socks proxy.

Using solely DNSCrypt would also be an issue, since you would effectively exit the crowd. I've attempted to combine DNSCrypt with other options to solve this issue, but so far, I couldn't prevent DNSCrypt from resolving DNS requests before redirecting them.

DNSCrypt has the proxy = 'socks5://127.0.0.1:9050' option, which runs as an alternative to DNSCrypt Anon Relays, and more specifically for DoH setups, so it comes with socks compatibility. To use a proper (and safe) Tor Transproxy, it would be incredibly helpful to introduce a resolver-proxy = 'socks5://127.0.0.1:9050' option, which would route queries through the Tor proxy after passing through its protocol servers.

Query -> Anonymized Relay -> DNS Server -> Tor Proxy

Knowing how DNSCrypt uses UDP and TCP, it could be better to introduce a resolver-force-tcp option, as well. This would drop UDP traffic only before reaching the proxy.

Note: I'm fully aware that blocklists will no longer work like this, but I still believe it's an important feature to add.

[lifenjoiner]

The expression "Proxy DNS when using SOCKS v5" is misleading, although it is from Firefox - upstream of Tor browser.
It actually means the browser will request the proxy to connect to a website by domain name, rather than by IP. In other words, there is no DNS query at all. The exit node initiates the DNS query and then connects to the server by IP.
Tor focuses on obscuring and mimicking to to improve anonymity, while reducing the number of ways (includes DNS leak) it can be compromised.

While the anonymity in dnscrypt-proxy is for the DNS providers. We achieve unidentified by the same provider to avoid being tracked and analyzed.

[Escape-source]

In a Tor Transparent Proxy setup, removing the browser and letting DNSCrypt do the hostname lookup itself allows the user to hide in the Tor network. Any functionality provided by the Tor Browser can be replicated using the Tor implementation if needed. Nevertheless, my suggestion here is the final step in creating a safe Tor Transparent Proxy for my requirements, which should properly isolate the DNS servers between destinations.

DNSCrypt should provide anonymity not just for DNS providers, but also in this scenario.

[Escape-source]

Hello, @jedisct1! As a frequent contributor to this repository, could you share how viable my suggestion is? I'm open to any question you might have about it.

[jedisct1]

I don't understand what problem you are trying to solve.

[Escape-source]

When using a Tor Transparent Proxy, all internet traffic is routed through the Tor network, which helps to anonymize our activities. However, there's a weakness in how DNS requests are handled. The DNSPort in Tor can't achieve "stream isolation", meaning that all DNS requests go to the same DNS servers, no matter which Tor circuit we’re using. This could potentially allow our activities to be tracked across different destinations using those servers.

To address this issue, I'd like DNSCrypt to handle forwarding the queries to Tor's SocksPort. This would allow Tor to provide stream isolation using the "IsolateSocksAuth" flag, adding an extra layer of protection.

This is how it would look like for the DNSCrypt protocol:
Query -> Anonymized Relay -> DNS Server -> Tor Socks Port

Is there anything else you'd like me to explain?

[jedisct1]

Thank you for the detailed write-up, but there seems to be some misunderstanding regarding how DNS and Tor interact in the setup you're describing.

As pointed out by @lifenjoiner , the concept of "Proxy DNS when using SOCKS v5" is often misunderstood. This option doesn’t mean that DNS requests are routed through Tor in the way you're imagining. Instead, it allows the proxy to resolve the domain name directly—meaning that no DNS query is performed by the client itself. The Tor exit node handles both the DNS query and the subsequent connection to the target IP, which mitigates the risk of DNS leaks within the Tor network.

Tor’s focus is on hiding the origin of the traffic and mimicking standard network behavior to maintain anonymity. As a result, DNS leaks are inherently minimized by its design. Introducing DNSCrypt into this setup, while useful for DNS provider anonymity, may not provide the kind of stream isolation you are aiming for in this context. DNSCrypt anonymizes queries relative to the DNS provider, but its primary use case is outside of the Tor network, where it helps obscure your activity from centralized DNS services.

It seems like you're trying to apply two distinct privacy mechanisms—Tor and DNSCrypt—in ways that don't necessarily align with each other's intended goals. Tor already protects against the kind of DNS leakage you're worried about by handling DNS resolution at the exit node, making DNSCrypt unnecessary in this case.

I hope this clarifies the confusion and helps realign the setup to better meet your privacy goals. If you’re still concerned about DNS leakage, reviewing Tor’s configuration options (e.g., IsolateSocksAuth) might provide more clarity on how Tor manages stream isolation for DNS and overall traffic.

[Escape-source]

You're describing a functionality that a Tor Transparent Proxy doesn't inherently have, since it relies on resolving DNS using the DNSPort, of which weakness I outlined in my previous posts. This is not Tor Browser we're talking about, so it doesn't rely on the SocksPort, by design.

Regarding the idea that different methods can have conflicting goals, I've given this a lot of thought before starting this discussion. While there's some truth to it, I believe there's also a bit of a misconception.

For instance, DNSCrypt is designed to encrypt DNS requests, whereas Tor resolves them, albeit not always correctly. However, this also means that DNSCrypt could potentially be used to anonymize DNS activity within the Tor network by forwarding to the SocksPort, effectively replacing the flawed DNSPort mechanism.

@Gedsh, the creator of the InviZible Android app could provide some insight into this, since he created his app around a DNSCrypt+Tor setup. If not, I'd at least like to warn him about this, as the app is widely used by a large community of users and is affected by the same problem.

[jedisct1]

Thanks for your follow-up, but there still seems to be a fundamental misunderstanding about how a Tor Transparent Proxy and DNS resolution work together.

When you set up a Tor Transparent Proxy, all traffic, including DNS, is routed through the Tor network. Unlike the Tor Browser, which uses the SocksPort directly to handle DNS and connection requests, the Transparent Proxy setup uses the DNSPort to resolve DNS requests. However, this does not introduce the kind of vulnerability you're concerned about.

The key point is that in a Transparent Proxy, DNS leaks are already mitigated by Tor's design because DNS queries go through the exit node. While you’re correct that the DNSPort doesn’t offer "stream isolation" by default, the real-world risk this poses is low, as the DNS queries are still anonymized by Tor itself. You’re essentially trying to fix a problem that doesn’t exist in this context. Tor has been designed to handle these concerns without needing additional layers like DNSCrypt.

As for using DNSCrypt to forward to the SocksPort in a Transparent Proxy, that setup introduces unnecessary complexity and potential points of failure without adding any tangible security benefit. DNSCrypt is great for encrypting DNS queries in non-Tor environments, where DNS servers might track or profile users, but once traffic is inside the Tor network, DNS resolution happens at the exit node, removing the need for DNSCrypt entirely.

Regarding the InviZible app, while it does combine DNSCrypt and Tor, it’s worth noting that it’s focused on a mobile environment, where different network behaviors and constraints might apply. However, that use case doesn’t necessarily translate to a standard Tor Transparent Proxy setup, and Gedsh’s solution is tailored for a different context. In a typical Transparent Proxy, the standard Tor approach is robust enough to protect against DNS leaks.

I’d recommend reviewing Tor’s documentation on DNS handling in Transparent Proxy setups to clarify how it already addresses DNS leak concerns. There’s no need to reinvent the wheel or stack tools that serve different purposes when Tor is already designed to handle DNS resolution safely within its network.

[Escape-source]

The researchers conducted various experiments that showed how certain (major) adversaries could control a significant portion of DNS requests leaving the Tor network. For instance, they found that Google handled about 33% of all DNS requests, with peaks reaching over 40%.

This is cited from my response in #2685. It doesn't even account for how many exit nodes are run on Google servers or how many cloudflared websites the user goes to We're facing sophisticated algorithms that can easily correlate traffic patterns to de-anonymize users. Thus is the world we currently live in, so we can't allow for any vulnerability. The DNSPort is fundamentally flawed in this context because it lacks knowledge of the destinations. Unlike the SocksPort, which has a clear understanding of the traffic it's handling, the DNSPort blindly uses the same dns server across multiple circuits.

By implying DNS leaks, I'm not referring to the regular "it leaked my real ISP server" context. Whereas Tor Browser (SocksPort) correctly isolates DNS on a per-destination level, thus having different servers on Destination A compared to Destination B, the DNSPort can't do that, by design.

Regarding the InviZible app, while it does combine DNSCrypt and Tor, it’s worth noting that it’s focused on a mobile environment, where different network behaviors and constraints might apply.

It is comprised of the same functionality used on a desktop setup. While some behaviors might be different, it still uses the DNSPort. In any regard, I'm eagerly waiting to hear the creator's response to this. He contributed to this repository at some point too.

---

I strongly encourage everyone reading this to take any Tor Transparent Proxy which uses the DNSPort and go through the following steps:

1. Turn off your firefox browser's inherent DNS resolver, in about:preferences#privacy or set network.trr.mode to 5 in about:config.
2. Go to these websites:
   https://browserleaks.com/dns
   https://mullvad.net/en/check
   https://dnsleaktest.com

the real-world risk this poses is low, as the DNS queries are still anonymized by Tor itself

3. Take a note of all DNS servers. They will be anonymized by the DNSPort, however you might have the unpleasant surprise to see how the same ones repeat on all 3 websites.

If someone can completely mitigate this, I will promptly close this discussion. Otherwise, I'll keep it a bit longer. After all, I could not find any setup that solves this, yet the DNSPort is still unknowingly used by a large community.

[jedisct1]

Thank you for your detailed response. I understand your concerns about sophisticated traffic analysis and the use of cloud services like Google and Cloudflare to de-anonymize users. However, I believe there’s still some misunderstanding about how the DNSPort and SocksPort function in a Tor Transparent Proxy.

1. DNSPort and Stream Isolation
   The primary issue you’ve raised is that the DNSPort doesn’t perform stream isolation like the SocksPort, and therefore might leak information across multiple circuits. While it’s true that the DNSPort doesn’t inherently isolate streams on a per-destination level, this does not lead to DNS leaks in the conventional sense.

In a Tor Transparent Proxy setup, all DNS queries are routed through Tor, meaning the queries are resolved by the exit node. Even if the same DNS servers appear across different circuits, they don’t reveal your IP or directly correlate your traffic across destinations. The Tor network itself anonymizes the traffic before it ever reaches the DNS resolver.

2. Correlation Risk
   You mention that sophisticated algorithms can correlate traffic patterns to de-anonymize users. While traffic correlation is a real risk, DNSPort behavior isn't typically the main vector for such attacks. The main concern in traffic correlation attacks comes from timing analysis and the size of traffic, which isn’t directly mitigated by using DNSCrypt or attempting to isolate DNS servers.

Even if DNS queries hit the same server, the traffic patterns themselves are obfuscated by Tor. More importantly, running multiple circuits through the same DNS server does not reveal identifying information as long as the exit node is the one performing the resolution, since the DNS query itself is not tied back to the user.

3. Testing with Browser Leaks
   I appreciate the specific testing steps you’ve provided using browserleaks.com, Mullvad, and DNS Leak Test. However, these tests don’t reveal anything about the user’s real IP or other identifiable information—they merely show the DNS resolvers used by the exit nodes. This repetition is not an inherent vulnerability but simply a function of how exit nodes handle DNS queries.

While it's understandable that seeing the same DNS server across different tests could raise concerns, it's important to distinguish between exit node behavior and DNS server isolation. Tor's security model is designed to protect users from de-anonymization by ensuring that DNS resolution happens at the exit node, not before.

4. No Perfect Solution in a Transparent Proxy
   I understand your goal of achieving full DNS isolation, but combining DNSCrypt with a Tor Transparent Proxy won't address the underlying issue of traffic correlation. DNSCrypt encrypts the DNS queries between you and the resolver, but in a Tor setup, that would only be useful if you weren’t relying on Tor exit nodes for DNS resolution. Tor already anonymizes traffic, so adding DNSCrypt on top introduces unnecessary complexity without adding real-world security benefits. It would not change the fact that the same DNS server could be used across circuits, as this is dictated by the exit node’s behavior.

5. Community Feedback
   I appreciate your willingness to keep this discussion open and involve others, but the behavior you’ve outlined with DNSPort and the same DNS servers appearing across different tests is not an inherent flaw in Tor's design. It’s simply how exit nodes resolve DNS queries. I think it’s important for the broader community to understand this distinction: the risk of correlation attacks doesn’t stem from which DNS server is being used, but from traffic patterns and timing.

Conclusion
To summarize:

The DNSPort doesn’t isolate DNS streams, but this doesn’t expose you to DNS leaks as long as traffic is anonymized by Tor.
Correlation attacks are more related to traffic analysis than DNS resolution patterns.
The same DNS servers appearing across tests isn’t a critical vulnerability, but rather a reflection of Tor’s use of exit nodes.
Adding DNSCrypt won’t fix this issue, as it’s not designed for use within the Tor network, where DNS resolution is already handled by the exit nodes.
If the core issue remains the appearance of repeated DNS servers across circuits, this is an unavoidable aspect of exit node behavior in Tor. That said, I’m happy to hear from others in the community if they have found a setup that fully isolates DNS servers across destinations in a Transparent Proxy.

Thanks again for raising these concerns—discussions like this are crucial for continuing to improve the privacy and security of Tor and its users.

[Escape-source]

I appreciate your willingness to take part in this discussion. While not solving the repeated DNS servers across circuits per se, I still believe it's an adequate answer. However, this strongly implies that Tor Transparent Proxies are generally unsafe in this regard. It would be great to promote this discussion from now on, since the community at large is still unaware of such findings.

[Gedsh]

@Escape-source

Regarding the InviZible app, while it does combine DNSCrypt and Tor, it’s worth noting that it’s focused on a mobile environment, where different network behaviors and constraints might apply.

@jedisct1 is absolutely right. Android uses a centralised approach for handling DNS https://source.android.com/docs/core/ota/modular-system/dns-resolver So there is no way to separate DNS traffic from different apps. All DNS queries on android have uid0 or uid1051 depending on the android version. In this case, there is no way to use IsolateSocksAuth properly system-wide. You should only use the Tor browser if your threat model is sensitive to the lack of DNS stream isolation.

[Escape-source]

I generally share your views on the Tor Browser; however, it does have its problems. Unless you conduct regular audits yourself, especially due to its automatic updates, it's like you're using a black box.

Regardless, it's important to warn your community, preferably through your app, about the limitations of the DNSPort. Encourage them to use the SocksPort settings on a per-app basis, where applicable.

Additionally, do you know why the default settings of Orbot completely separate DNS traffic? Is it using the SocksPort for DNS requests?

[Gedsh]

the limitations of the DNSPort

In the case of android, this is primarily a system limitation, not a Tor issue. Android is not designed to handle such sensitive threat models. You need a more controlled environment specifically designed for this purpose, such as Tails or Whonix.

do you know why the default settings of Orbot completely separate DNS traffic?

Orbot does not have stream separation for different apps at all. guardianproject/orbot#71 Make sure your tests are correct.

[Escape-source]

Whonix and Tails might be using some wrapper logic to do it, while I'm actively looking for a DIY nftables solution. Tails, for one, uses different socks ports for each app, if I remember right. In any case, I doubt they use the DNSPort.

Make sure your tests are correct.

Yes, it seems the servers repeat as well when using Orbot. I haven't carefully checked the first time, I presume.

[lifenjoiner]

No FUD. Proof please!
Studies have their conditions. Things may change after years ...

Eating noodles with a fork is terrible, but that doesn't mean the fork or the noodles are terrible.

[lifenjoiner]

USING TOR AS A TRANSPARENT PROXY IS HIGHLY DISCOURAGED!
Archived official docs can be found at: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy

[Escape-source]

Your reasoning is nothing but a crude appeal to consequences fallacy and I discourage anyone to encourage this behavior. Moreover, your position is self-contradictory, as you aknowledge that "Things may change after years", yet you're promoting an incredibly outdated article.

Not only that, but albeit me using the term "Transparent Proxy", this feature would have endorsed the principle of "Isolating Proxy", a less known term in the Tor landscape, which conveys a safer configuration.

Additionally, the author's warning against attempting this configuration without proper knowledge is clear: "DO NOT ATTEMPT IT UNLESS YOU KNOW WHAT YOU ARE DOING". Cherry-picking the article and presenting it as an endorsement of unsafe behavior is a misinterpretation of the author's intent, and also a blatant attempt at contextomy. A bit of critical thinking reveals that, despite the author's caution against "Transparent Proxies", likely to prevent ignorant users from trying without adequate knowledge, they nonetheless provide examples of configurations.

I could go nitpicking it on and on and provide my share of articles, but they wouldn't provide any practicality to the matter at hand. What started as a "feature request" has evolved into a simple conversation on the matter, with people who possess greater knowledge than me when it comes down to handling DNS.

[lifenjoiner]

OK, let's be frankly.
You are really stubborn.

DNS leak

+

This is how it would look like for the DNSCrypt protocol:
Query -> Anonymized Relay -> DNS Server -> Tor Socks Port

-->

the author's warning against attempting this configuration without proper knowledge is clear: "DO NOT ATTEMPT IT UNLESS YOU KNOW WHAT YOU ARE DOING".
Cherry-picking the article and presenting it as an endorsement of unsafe behavior is a misinterpretation of the author's intent, and also a blatant attempt at contextomy.

I doubt you know exactly what you are doing! That's why I emphasize the danger.

I'm not just answering your questions, I'm also showing the most important things for most people. Also, I've provided the sources. Just read the details.

Anyway, I've said all I have to say.