Tor and DNS traffic

I’m running a fairly plainly configured ipfire, and recently enabled the Tor plugin and configured it; torrc below:

ControlPort 9051
ExitPolicyRejectPrivate 1
ORPort 9031
DirPort 9030
Nickname …
ContactInfo …
ExitPolicy reject *:53
ExitPolicy accept *:*
RelayBandwidthRate 8192 KB
RelayBandwidthBurst 12800 KB

I also have an unbound configured for forwarding my internal DNS traffic (DoT).

When I have Tor running, and only when it’s running, I get a myriad of log entries in /var/log/messages:

May 3 17:27:04 ipf unbound: [1401:0] error: SERVFAIL <HeAvYpLaYErS.cOm. A IN>: all the configured stub or forward servers failed, at zone .
<lots of similar messages snipped, as I’m a new user>

Should traffic which seems to originate from Tor hit my local unbound?
I verified with tcpdump that the DNS traffic is neither from my LAN nor arriving on the red0 interface.

Hi, tor enthusiast here. It sounds like unbound is just not able to find a particular site/server. It could be possible that a site you are accessing is trying to request a domain that is inaccessible to you for any number of reasons (maybe the domain for the ad expired, maybe the VM hosting the domain went down, maybe your ISP or firewall is blocking that known “bad reputation” IP if you have IDS enabled on RED or block IPs some other way).

I also get these errors in unbound from time to time, with or without tor running. I just installed tor on ipfire yesterday. This is an unbound entry of mine from a week ago; IDK what the heck that server is.

08:56:50 unbound: [7477:0] error: SERVFAIL <sy [dot]eu[dot]angsrvr[dot]com. A IN>

It just means that unbound was unable to get a response from an authoritative DNS (e.g. Google DNS, Cloudflare DNS, etc.) for the IP associated with that domain.

Unless tor is configured as an exit node, or you have a hidden service activated where you expose, say, your unbound DNS-over-TLS port, it won’t actually send or do DNS requests on your network.

However, if you or someone on your LAN uses tor as a client, you might see tor DNS requests in the unbound logs if your tor browser is misconfigured or out of date.

E.g. if I use a browser that does not have DNS over TLS or DNS over HTTPS (let’s pretend I am using lynx or firefox 25) and open my “custom tor browser” and enter “google”, you might see the DNS request for “google” show up in places you don’t want it to show up (mostly my ISP’s and my router’s logs).

I hope my long winded answer has helped you understand and wasn’t too much too fast. (I tend to do that)
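A worked check for the two questions in this thread, added here as an example and not code from either poster or from IPFire: it walks a torrc exit policy the way Tor does (first matching rule wins, with the private ranges that ExitPolicyRejectPrivate 1 prepends) to tell whether a relay actually accepts any exit traffic, and it pulls the failing names out of unbound SERVFAIL lines so you can count them. Assumptions: the garbled last policy line in the post is taken to be `ExitPolicy accept *:*`; PRIVATE_NETS is the IPv4 list from the tor manual without the relay’s own addresses; Tor’s appended default policy is simplified to a plain accept; the probe destinations and the two log lines are constructed for the example.

```python
"""Added example (not from the forum thread): evaluate a torrc exit policy
and extract the names unbound reported SERVFAIL for."""
import ipaddress
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Ranges that ExitPolicyRejectPrivate 1 rejects ahead of the explicit rules
# (IPv4 list from the tor manual; the relay's own addresses, which Tor also
# adds, are left out because the posted torrc does not show them).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
)]


class Rule(NamedTuple):
    action: str                                  # "accept" or "reject"
    net: Optional[ipaddress._BaseNetwork]        # None means "*"
    port_lo: int
    port_hi: int


def parse_rule(text: str) -> Rule:
    """Parse one 'accept|reject ADDR[/MASK]:PORT[-PORT]' clause."""
    action, _, target = text.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"bad exit policy clause: {text!r}")
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return Rule(action, net, lo, hi)


def parse_torrc_policy(torrc: str) -> List[Rule]:
    """Ordered rule list Tor would consult; other torrc options are ignored."""
    rules: List[Rule] = []
    reject_private = False
    for line in torrc.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("ExitPolicyRejectPrivate"):
            reject_private = line.split()[1] == "1"
        elif line.startswith("ExitPolicy "):
            for clause in line[len("ExitPolicy "):].split(","):
                rules.append(parse_rule(clause))
    if reject_private:
        rules = [Rule("reject", n, 1, 65535) for n in PRIVATE_NETS] + rules
    # Tor appends a default policy; simplified here to a catch-all accept.
    rules.append(Rule("accept", None, 1, 65535))
    return rules


def decide(rules: List[Rule], ip: str, port: int) -> str:
    """First-match evaluation, as Tor does for an exit request."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if (r.net is None or addr in r.net) and r.port_lo <= port <= r.port_hi:
            return r.action
    return "accept"  # not reached after parse_torrc_policy; kept for safety


# Constructed probe destinations (documentation IP, public resolver).
PROBES = [("8.8.8.8", 53), ("192.0.2.10", 80), ("192.0.2.10", 443)]


def is_exit(rules: List[Rule]) -> bool:
    """Heuristic: a relay whose policy accepts any probe is an exit relay."""
    return any(decide(rules, ip, port) == "accept" for ip, port in PROBES)


SERVFAIL_RE = re.compile(r"error: SERVFAIL <(?P<name>\S+)\s+(?P<qtype>\S+)\s+IN>")


def servfail_names(log: str) -> Counter:
    """Count query names unbound logged as SERVFAIL, case-folded."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = SERVFAIL_RE.search(line)
        if m:
            counts[m["name"].rstrip(".").lower()] += 1
    return counts


# Constructed sample inputs: the policy lines from the post and two log
# lines in the same format as the one quoted there.
SAMPLE_TORRC = """ExitPolicyRejectPrivate 1
ExitPolicy reject *:53
ExitPolicy accept *:*
"""
SAMPLE_LOG = """May 3 17:27:04 ipf unbound: [1401:0] error: SERVFAIL <HeAvYpLaYErS.cOm. A IN>: all the configured stub or forward servers failed, at zone .
May 3 17:27:05 ipf unbound: [1401:0] error: SERVFAIL <heavyplayers.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
"""

if __name__ == "__main__":
    rules = parse_torrc_policy(SAMPLE_TORRC)
    print("exit relay:", is_exit(rules))
    for ip, port in PROBES + [("192.168.1.10", 443)]:
        print(f"{ip}:{port} -> {decide(rules, ip, port)}")
    print(servfail_names(SAMPLE_LOG))
```

With the policy from the post, the script reports an exit relay that refuses port 53 and the private ranges but accepts everything else; a torrc containing only `ExitPolicy reject *:*` comes out as non-exit.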
