Moritz Finke · Blog

DoHoTor

July 25, 2021

Find the code on GitHub!

People are increasingly concerned about their privacy, and it is a good sign that most browser traffic today is encrypted. However, one aspect is easily missed: by default, the Domain Name System (DNS) speaks plaintext on UDP and TCP port 53. This allows everyone listening to a user's internet traffic to see the domains they visit.

With DoHoTor, I present an easily deployable DNS server designed for full anonymity.

DoH: DNS over HTTPS

We do not want to reveal the domain names of the web servers we interact with. So what can we do? The solution is simple: route the DNS queries over TLS, i.e. encrypt all requests and answers. Although DoH is relatively new, Firefox users, for example, can already activate it in their browser. Be aware, however, that it is not enabled by default.

With DoH, no one listening to our traffic can read our DNS queries. However, the DoH service provider still sees them and can link those queries to us, the user. Hence, we have achieved only half of the anonymity we want. What do we have to do to achieve full anonymity? The answer is easy: we use the onion router network, Tor.

DoHoTor

DoHoTor routes DNS traffic over HTTPS through the Tor proxy. This way, traffic is encrypted and our identity is untraceable: not even the DoH server knows who we are. I got the idea for DoHoTor after listening to a talk by Alec Muffett, in which he reported on his practical experience of using DoH over Tor. My implementation differs only slightly from Alec's dohot.

DoHoTor chains three tools together: dnsmasq, dnscrypt-proxy, and the Tor proxy. Dnsmasq gives us great flexibility in configuring our public DNS service, while dnscrypt-proxy handles the HTTPS traffic and offers the required option of connecting through a SOCKS5 proxy (the type of proxy Tor provides).
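As an added example that is not code from DoHoTor, dohot or dnscrypt-proxy, the following Python script performs, at the protocol level, the exchange the two sections above describe: it encodes a DNS question in wire format, sends it as an RFC 8484 POST to a DoH server, and opens that HTTPS connection through Tor's SOCKS5 port. The DoH server name dns.example.invalid, the /dns-query path and the proxy address 127.0.0.1:9050 are assumptions to replace with your own values. The detail worth noticing is the SOCKS5 CONNECT request: it hands the DoH server's hostname to the proxy, so that name is resolved inside the Tor circuit rather than by the local plaintext resolver, which would otherwise reveal which DoH provider you use.

```python
"""
Added example (not part of DoHoTor, dohot or dnscrypt-proxy): a minimal
DNS-over-HTTPS client (RFC 8484) that reaches the DoH server through a SOCKS5
proxy such as Tor's. Server name, path and proxy address are assumptions.
"""
import base64
import http.client
import socket
import ssl
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name: str, qtype: int = DNS_TYPE_A, txid: int = 0) -> bytes:
    """Encode a DNS query in wire format (RFC 1035). RFC 8484 recommends
    transaction id 0 so identical questions yield identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, DNS_CLASS_IN)


def dns_b64url(query: bytes) -> str:
    """RFC 8484 GET encoding of a DNS message: base64url without padding."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 answers from a DNS response message; [] on error RCODEs."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:            # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP 0x03 (domain name): the proxy, i.e. Tor,
    resolves `host`, so the DoH server's name never hits the local resolver."""
    h = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)


def socks5_connect(proxy: tuple[str, int], host: str, port: int) -> socket.socket:
    """Open a TCP connection to host:port through an unauthenticated SOCKS5 proxy."""
    s = socket.create_connection(proxy, timeout=30)
    s.sendall(b"\x05\x01\x00")                      # version 5, one method: no auth
    if s.recv(2) != b"\x05\x00":
        raise OSError("SOCKS5 proxy rejected the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    reply = s.recv(10)                               # Tor answers with a 10-byte IPv4 reply
    if len(reply) < 2 or reply[1] != 0x00:
        raise OSError("SOCKS5 CONNECT failed")
    return s


def doh_resolve(name: str, doh_host: str = "dns.example.invalid",
                doh_path: str = "/dns-query",
                proxy: tuple[str, int] = ("127.0.0.1", 9050)) -> list[str]:
    """Resolve `name` by POSTing a DNS message to https://doh_host/doh_path
    over the proxy (assumed values; Tor only carries TCP, so DoH fits well)."""
    raw = socks5_connect(proxy, doh_host, 443)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=doh_host)
    conn = http.client.HTTPSConnection(doh_host, 443, timeout=30)
    conn.sock = tls                                  # reuse the proxied TLS socket
    conn.request("POST", doh_path, body=build_query(name),
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    if resp.status != 200:
        raise OSError(f"DoH server returned HTTP {resp.status}")
    return parse_a_records(body)


if __name__ == "__main__":
    print(doh_resolve("weather.com"))
```

The script uses only the Python standard library; the SOCKS5 handshake is written out by hand precisely so the hostname form of CONNECT is visible. DoHoTor gets the same effect from dnscrypt-proxy's SOCKS5 proxy option, with dnsmasq in front of it for caching and local overrides.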

[Figure: flowchart of the way DoHoTor connects to the Tor network]

DoHoTor is built as a Docker image, which makes deployment as easy as it gets. It also offers a way to add personal DNS entries that override public ones.

Installation

  1. Install Docker according to your system.
  2. Create a hosts file (touch hosts) and optionally fill it with additional DNS entries in the format <ip address> <domain name>.
  3. Either run the Docker image as a container or as a service.

    To run the image as a Docker container, use this command:

    docker run -p "53:53/udp" -p "53:53/tcp" --name "DoHoTor" \
    --mount type=bind,src=/absolute/path/to/hosts,dst=/app/hosts \
    abzicht/dohotor:latest

    To run the image as a Docker service, complete the following steps.

    First, prepare the file docker-stack.yml with the following content:

    version: '3.7'
    services:
      dohotor:
        image: abzicht/dohotor:latest
        configs:
          - source: hosts_config
            target: /app/hosts
        ports:
          - "53:53/udp"
          - "53:53/tcp"
    configs:
      hosts_config:
        name: hosts_config-0
        file: ./hosts

    Then, deploy the service on your Docker swarm:

    docker stack deploy --compose-file docker-stack.yml dohotor

Testing

Test the deployed service with tools like dig:

dig @0.0.0.0 weather.com

Dig will answer with a reply like this:

; <<>> DiG 9.16.18 <<>> @0.0.0.0 -p 53 weather.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25057
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;weather.com.                   IN      A

;; ANSWER SECTION:
weather.com.            4799    IN      A       184.26.114.114

;; Query time: 1779 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Do Jul 22 21:34:55 CEST 2021
;; MSG SIZE  rcvd: 67

The first request took 1779 ms to complete. Afterwards, weather.com lies in the dnsmasq cache, so a second query for it is answered much faster.
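To turn the manual dig check above into something repeatable, here is an added Python script (not part of DoHoTor) that parses dig's text output and verifies the three things the post's test demonstrates: a NOERROR status, an A record in the answer, and a much faster second query served from the dnsmasq cache. The SAMPLE string is the dig output quoted above, embedded as constructed input; the resolver address 127.0.0.1 and the 100 ms cache threshold are assumptions.

```python
"""
Added example, not part of DoHoTor: a checker for a freshly deployed resolver.
It parses dig's text output and compares two consecutive queries for the same
name. SAMPLE is the dig output quoted in the post, used here as constructed input.
"""
import re
import subprocess

SAMPLE = """\
; <<>> DiG 9.16.18 <<>> @0.0.0.0 -p 53 weather.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25057
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;weather.com.                   IN      A

;; ANSWER SECTION:
weather.com.            4799    IN      A       184.26.114.114

;; Query time: 1779 msec
;; SERVER: 127.0.0.1#53(0.0.0.0)
;; WHEN: Do Jul 22 21:34:55 CEST 2021
;; MSG SIZE  rcvd: 67
"""


def parse_dig(output: str) -> dict:
    """Pull status, query time and the ANSWER SECTION records out of dig output."""
    status = re.search(r"status: (\w+)", output)
    qtime = re.search(r"Query time: (\d+) msec", output)
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break                   # blank line or next section ends the answers
            name, ttl, rclass, rtype, *rdata = line.split()
            answers.append({"name": name, "ttl": int(ttl), "class": rclass,
                            "type": rtype, "data": " ".join(rdata)})
    return {
        "status": status.group(1) if status else None,
        "query_time_ms": int(qtime.group(1)) if qtime else None,
        "answers": answers,
    }


def run_dig(name: str, server: str = "127.0.0.1") -> dict:
    """Query the resolver at `server` (assumed address) with the system's dig."""
    proc = subprocess.run(["dig", f"@{server}", name],
                          capture_output=True, text=True, check=True)
    return parse_dig(proc.stdout)


def check_resolver(first: dict, second: dict, max_cached_ms: int = 100) -> list[str]:
    """Compare two consecutive queries for the same name; return a list of
    problems (an empty list means the resolver looks healthy)."""
    problems = []
    for label, r in (("first", first), ("second", second)):
        if r["status"] != "NOERROR":
            problems.append(f"{label} query returned status {r['status']}")
        if not any(a["type"] == "A" for a in r["answers"]):
            problems.append(f"{label} query carried no A record")
    if second["query_time_ms"] is not None and second["query_time_ms"] > max_cached_ms:
        problems.append(f"second query took {second['query_time_ms']} ms; "
                        "cache may not be working")
    first_a = [a for a in first["answers"] if a["type"] == "A"]
    second_a = [a for a in second["answers"] if a["type"] == "A"]
    if first_a and second_a and second_a[0]["ttl"] > first_a[0]["ttl"]:
        problems.append("TTL grew between queries; answer was not served from cache")
    return problems


def check_live(name: str = "weather.com", server: str = "127.0.0.1") -> list[str]:
    """Run the two-query check against a live resolver (needs dig and DoHoTor)."""
    return check_resolver(run_dig(name, server), run_dig(name, server))


if __name__ == "__main__":
    print(check_live() or "resolver OK")
```

The TTL comparison is the cheap way to tell a cache hit from a fresh upstream lookup: dnsmasq counts the TTL down while the record sits in its cache, so a second answer with a larger TTL than the first means the query went upstream again.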

Usage

There are multiple ways to use DoHoTor in a local network: run it on your personal laptop, or point the DNS settings of your end devices or your router to a local server running DoHoTor.