basile wrote:
> Hi everyone,
>
> I'd like to set up a situation where users on a LAN can optionally
> reroute just their DNS queries through tor. What I have is a gateway
> router where bind9 runs on udp 53 (caching only) and tor uses DNSPort
> 5300. I'd like the users to be able to "do something" on their local
> computers which switches DNS queries to the router on port 5300 rather
> than 53. Any suggestions on a best practices? Here's what I've tried:
>
> <snip>
If you have an unused LAN address that is guaranteed to get routed to your gateway for forwarding, then I *think* the following should work. Set your gateway up to redirect any packets sent to this address on port 53 to port 5300 on the gateway (I am just parroting what I think you said above w/o having any experience about Tor's DNS capabilities; please adjust details for any misunderstanding I have).

A user would then use the normal gateway address for normal DNS. Using the "new" address would cause the request to go to 5300. I.e. this changes the problem from altering the destination port to altering the destination address. So the problem then is providing a mechanism for the user to change the entry in resolv.conf.

> 3) I tried redirection with iptables on the local host but I can't
> get that to work --- I'm not sure it's possible. ...

I would think that should work. (I've done similar DNATing -- with DNS even! :-) Something like:

    iptables -t nat -A OUTPUT -p udp --dport 53 \
        -j DNAT --to-destination $router_ip:5300

And then you need to make sure you don't have any filtering rules blocking that. And you could add an analogous rule for tcp/53 if you feel you need it.
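The two redirection variants discussed above (a gateway-side rewrite of an alternate LAN address, and a client-side rewrite in the OUTPUT chain), written out as one script. This is an added example, not code from the thread's participants; the addresses, the port 5300 default and the DRY_RUN switch are assumptions, and the rules are only printed unless DRY_RUN=0 is set on a host where you are allowed to change the firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the two DNS
# redirection variants from the reply as iptables rules.
# Assumed placeholder values (override via environment):
GW_IP="${GW_IP:-192.0.2.1}"             # gateway LAN address: bind9 on 53, Tor DNSPort on 5300
ALT_IP="${ALT_IP:-192.0.2.53}"          # unused LAN address that is routed to the gateway
TOR_DNS_PORT="${TOR_DNS_PORT:-5300}"    # Tor DNSPort on the gateway
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print rules only; 0 = actually run iptables

# Print the rule in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Variant 1, on the gateway: anything sent to ALT_IP:53 is DNATed to the
# Tor DNSPort on the gateway itself. Clients select Tor DNS simply by
# putting ALT_IP in resolv.conf instead of GW_IP.
gateway_rules() {
  for proto in udp tcp; do
    run iptables -t nat -A PREROUTING -d "$ALT_IP" -p "$proto" --dport 53 \
        -j DNAT --to-destination "$GW_IP:$TOR_DNS_PORT"
  done
  # The rewritten packets still traverse the filter table, so the gateway's
  # INPUT chain must accept them on the Tor DNSPort (the "filtering rules
  # blocking that" the reply warns about).
  for proto in udp tcp; do
    run iptables -A INPUT -d "$GW_IP" -p "$proto" --dport "$TOR_DNS_PORT" -j ACCEPT
  done
}

# Variant 2, on the client: locally generated DNS queries to any port 53
# are rewritten in the nat OUTPUT chain to GW_IP:TOR_DNS_PORT. OUTPUT only
# sees traffic originated by this host, not forwarded traffic.
client_rules() {
  for proto in udp tcp; do
    run iptables -t nat -A OUTPUT -p "$proto" --dport 53 \
        -j DNAT --to-destination "$GW_IP:$TOR_DNS_PORT"
  done
}

case "${1:-}" in
  gateway) gateway_rules ;;
  client)  client_rules ;;
  "")      ;;  # sourced or run without arguments: define functions only
  *)       echo "usage: $0 gateway|client" >&2; exit 2 ;;
esac
```

Run with `DRY_RUN=1 sh redirect-dns.sh client` to inspect the rules before applying anything. In the client variant the UDP rule is the one from the reply; the TCP rule is the "analogous rule for tcp/53" it mentions, which matters once answers exceed the UDP size limit and the resolver retries over TCP.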

