What's new
By:

Integrating dnsmasq with TOR (I did it)

Fitz Mutch

Fitz Mutch

Senior Member
Run a separate instance of dnsmasq for Tor. Why? It can be configured to block 100% Windows Updates and Microsoft Telemetry for your Windows PCs who route all their traffic through the Tor network. And I no longer need a special hosts file on my Windows PCs to block Microsoft Telemetry, when routing everything through the Tor network.

I will post my scripts if you want to learn how.
 
/jffs/home/tor-dnsmasq-start.sh
Code: 
#!/bin/sh
dnsmasq_conf=/etc/dnsmasq.tor.conf
dnsmasq_dnsport=9953
tor_firewall_script="/jffs/home/tor-firewall-changes.sh"
dnsmasq_tor_restart=$1
this_script=$(readlink -f $0)
this_script_basename=$(basename $this_script)

create_dnsmasq_conf()
{
tor_dnsport=$(nvram get Tor_dnsport)
[ -z "$tor_dnsport" ] && tor_dnsport=9053
cat <<-EOF >"$dnsmasq_conf"
	pid-file=/var/run/dnsmasq.tor.pid
	port=$dnsmasq_dnsport
	user=admin
	bind-dynamic
	interface=br0
	no-resolv
	no-poll
	no-negcache
	cache-size=1500
	min-port=4096
	bogus-priv
	domain-needed
	#stop-dns-rebind
	server=127.0.0.1#$tor_dnsport
	EOF
}

add_extra_dnsmasq_conf()
{
  local extra_conf=$1
  if [ -f "$extra_conf" ]; then
    grep -qF "$extra_conf" "$dnsmasq_conf"
    [ $? -eq 1 ] && echo "conf-file=$extra_conf" >> "$dnsmasq_conf"
  fi
}

add_dnsmasq_ipset()
{
  local ipset_name="$1"
  local in_path="$2"
  local out_path="$3"

  ipset -N $ipset_name iphash > /dev/null 2>&1

  if [ ! -f "$out_path" ]; then
    while read domain_name
    do
      echo "ipset=/$domain_name/$ipset_name" >> "$out_path"
    done < "$in_path"
  fi

  add_extra_dnsmasq_conf $out_path
}

dnsmasq_start()
{
  local dnsmasq_cmd=/tmp/dnsmasq-tor
  local cmdline="$dnsmasq_cmd $@"
  local dnsmasq_pid=$(/bin/echo $(/bin/ps ww | /bin/grep -F "$cmdline" | /bin/grep -v grep) | /usr/bin/cut -f1 -d' ')
  if [ -z "$dnsmasq_pid" ]; then
    rm -f $dnsmasq_cmd
    ln -s $(which dnsmasq) $dnsmasq_cmd
    # run dnsmasq
    $cmdline
  fi

  # adjust the tor firewall rules to redirect DNS lookups
  $tor_firewall_script
}

# automatically adjust the tor firewall rules when the firewall is restarted
if [ -f "$tor_firewall_script" ]; then
  [ ! -f /jffs/scripts/nat-start ] && echo "#!/bin/sh" >> /jffs/scripts/nat-start && chmod a+rwx /jffs/scripts/nat-start
  grep -qF "$tor_firewall_script" /jffs/scripts/nat-start
  if [ $? -eq 1 ]; then
    echo >> /jffs/scripts/nat-start
    echo "source $tor_firewall_script" >> /jffs/scripts/nat-start
    echo >> /jffs/scripts/nat-start
  fi
fi

# run this script after the WAN interface comes up
if [ "$this_script_basename" != "wan-start" ]; then
  [ ! -f /jffs/scripts/wan-start ] && echo "#!/bin/sh" >> /jffs/scripts/wan-start && chmod a+rwx /jffs/scripts/wan-start
  grep -qF "$this_script" /jffs/scripts/wan-start
  if [ $? -eq 1 ]; then
    echo >> /jffs/scripts/wan-start
    echo "source $this_script" >> /jffs/scripts/wan-start
    echo >> /jffs/scripts/wan-start
  fi
fi

# generate dnsmasq.tor.conf with extras
create_dnsmasq_conf
add_dnsmasq_ipset mstracking /jffs/home/mstracking.txt /tmp/dnsmasq.mstracking.conf
add_extra_dnsmasq_conf /jffs/home/dnsmasq.ntp.conf
add_extra_dnsmasq_conf /jffs/home/dnsmasq.adblock.conf

[ "$dnsmasq_tor_restart" == "restart" ] && killall dnsmasq-tor && sleep 1
dnsmasq_start "--log-async -C $dnsmasq_conf"


/jffs/home/tor-firewall-changes.sh
Code: 
#!/bin/sh

# for each TOR client, replace the rule for the redirected TOR DNS port,
# this moves the redirected port 9053 (TOR) to 9953 (dnsmasq)
tor_dnsport=$(nvram get Tor_dnsport)
dnsmasq_dnsport=9953
line_nums=$(iptables -t nat -nL PREROUTING --line-numbers | grep -F "redir ports $tor_dnsport" | cut -d' ' -f1)
for line_num in $line_nums; do
  old_rule=$(iptables -t nat -S PREROUTING $line_num | cut -d' ' -f3-)
  new_rule=${old_rule/REDIRECT --to-ports $tor_dnsport/REDIRECT --to-ports $dnsmasq_dnsport}
  iptables -t nat -R PREROUTING $line_num $new_rule
done

# for each TOR client, prevent banned addresses from being routed through the Tor network
tor_transport=$(nvram get Tor_transport)
line_nums=$(iptables -t nat -nL PREROUTING --line-numbers | grep -F "redir ports $tor_transport" | cut -d' ' -f1)
lines_inserted=0
for line_num in $line_nums; do
  let line_num+=lines_inserted
  existing_rule=$(iptables -t nat -S PREROUTING $line_num | cut -d' ' -f3-)

  # this rule will block Windows Updates and Microsoft Telemetry, for TOR clients
  ipset_name="mstracking"
  if [ -f /jffs/home/${ipset_name}.txt ]; then
    ipset -N ${ipset_name} iphash > /dev/null 2>&1
    new_rule=${existing_rule/-j REDIRECT --to-ports $tor_transport/-m set --match-set ${ipset_name} dst -j RETURN}
    iptables -t nat -C PREROUTING $new_rule > /dev/null 2>&1
    [ $? -eq 1 ] && iptables -t nat -I PREROUTING $line_num $new_rule && let lines_inserted++
  fi

  #
  # TODO: add additional rules here
  #
done


/jffs/home/dnsmasq.ntp.conf
Code: 
### NTP servers - requires an NTP server running on the router
address=/ntp.ubuntu.com/192.168.1.1
address=/ntp.canonical.com/ntp1.canonical.com/ntp2.canonical.com/ntp3.canonical.com/ntp4.canonical.com/192.168.1.1
address=/time-a.timefreq.bldrdoc.gov/time-b.timefreq.bldrdoc.gov/time-c.timefreq.bldrdoc.gov/192.168.1.1
address=/utcnist2.colorado.edu/192.168.1.1
address=/nist1-chi.ustiming.org/nist1-lv.ustiming.org/nist1-ny.ustiming.org/192.168.1.1
address=/time.nist.gov/time-nw.nist.gov/time-a.nist.gov/time-b.nist.gov/time-c.nist.gov/time-d.nist.gov/192.168.1.1
address=/time.windows.com/192.168.1.1
address=/tick.usno.navy.mil/tock.usno.navy.mil/ntp.usno.navy.mil/ntp2.usno.navy.mil/tick.usnogps.navy.mil/tock.usnogps.navy.mil/192.168.1.1
address=/ntp.rokutime.com/192.168.1.1
address=/pool.ntp.org/0.pool.ntp.org/1.pool.ntp.org/2.pool.ntp.org/3.pool.ntp.org/192.168.1.1


/jffs/home/dnsmasq.adblock.conf
Code: 
### Ad block
address=/.ozvision.ozsn.net/.flirservices.com/0.0.0.0
address=/.dahuap2pcloud.com/.easy4ipcloud.com/0.0.0.0
address=/services.gfe.nvidia.com/services-cdn.gfe.nvidia.com/0.0.0.0


/jffs/home/mstracking.txt
Code: 
windowsupdate.microsoft.com
update.microsoft.com
download.windowsupdate.com
download.microsoft.com
wustat.windows.com
ntservicepack.microsoft.com
stats.microsoft.com
v4.windowsupdate
officeupdate.microsoft.com
office.microsoft.com
crl.microsoft.com
dns.msftncsi.com
ipv6.msftncsi.com
msftncsi.com
www.msftncsi.com
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
adnexus.net
adnxs.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
a-msedge.net
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
 
Last edited:
You must log in or register to reply here.

Similar threads

C
I want to learn and would appreciate some help.
Replies
15
Views
1K
Currently Studying
C
J
Full new network
Replies
11
Views
750
Tech9
Tech9
W
GT-AXE1600 Firewalla Gold
Replies
8
Views
2K
woodgray
W
N
RT-AX86U-Pro, WAN disconnect every 36 hours
2
Replies
26
Views
5K
Nick24
N
J
Solved OpenVPN clients can't resolve custom domains defined in dnsmasq config
Replies
2
Views
2K
jkbach
J
Similar threads
Thread starter Title Forum Replies Date
David Cavalli dnsmasq.conf.add not working on Guest Network Pro clients Asuswrt-Merlin 56
W dnsmasq config files constrained to Yazfi interface? Asuswrt-Merlin 2
C Problems with dnsmasq scripts and manual configuration Asuswrt-Merlin 28
J Does dnsmasq-x.conf.add in jffs/configs/ still work if your VLAN has the same subnet as the Primary LAN? Asuswrt-Merlin 5
postoronnim-v dnsmasq.log file Asuswrt-Merlin 3
T Critical Cache Poisoning Vulnerability in Dnsmasq Asuswrt-Merlin 1
T Unstable v6plus connection on the RT-BE92U (dnsmasq?) Asuswrt-Merlin 0
manjotsc Solved DNS Access Control (DNSMASQ) Asuswrt-Merlin 3

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,865 (members: 15, guests: 1,850)
Back
Top