Integrating dnsmasq with TOR (I did it)


Fitz Mutch

Senior Member
Run a separate instance of dnsmasq for Tor. Why? It can be configured to block 100% of Windows Updates and Microsoft Telemetry for your Windows PCs that route all their traffic through the Tor network. And I no longer need a special hosts file on my Windows PCs to block Microsoft Telemetry when routing everything through the Tor network.

I will post my scripts if you want to learn how.
 
/jffs/home/tor-dnsmasq-start.sh
Code:
#!/bin/sh
dnsmasq_conf=/etc/dnsmasq.tor.conf
dnsmasq_dnsport=9953
tor_firewall_script="/jffs/home/tor-firewall-changes.sh"
dnsmasq_tor_restart=$1          # pass "restart" to kill and relaunch the Tor dnsmasq instance
this_script=$(readlink -f "$0")
this_script_basename=$(basename "$this_script")

create_dnsmasq_conf()
{
tor_dnsport=$(nvram get Tor_dnsport)
[ -z "$tor_dnsport" ] && tor_dnsport=9053
cat <<-EOF >"$dnsmasq_conf"
	pid-file=/var/run/dnsmasq.tor.pid
	port=$dnsmasq_dnsport
	user=admin
	bind-dynamic
	interface=br0
	no-resolv
	no-poll
	no-negcache
	cache-size=1500
	min-port=4096
	bogus-priv
	domain-needed
	#stop-dns-rebind
	server=127.0.0.1#$tor_dnsport
	EOF
}

add_extra_dnsmasq_conf()
{
  local extra_conf=$1
  if [ -f "$extra_conf" ]; then
    grep -qF "$extra_conf" "$dnsmasq_conf"
    [ $? -eq 1 ] && echo "conf-file=$extra_conf" >> "$dnsmasq_conf"
  fi
}

add_dnsmasq_ipset()
{
  local ipset_name="$1"
  local in_path="$2"
  local out_path="$3"

  ipset -N $ipset_name iphash > /dev/null 2>&1

  # one ipset=/domain/set line per domain: dnsmasq adds every address it resolves
  # for these names to the ipset, which the firewall script then matches on
  if [ ! -f "$out_path" ]; then
    while read -r domain_name
    do
      [ -n "$domain_name" ] && echo "ipset=/$domain_name/$ipset_name" >> "$out_path"
    done < "$in_path"
  fi

  add_extra_dnsmasq_conf $out_path
}

dnsmasq_start()
{
  local dnsmasq_cmd=/tmp/dnsmasq-tor
  local cmdline="$dnsmasq_cmd $@"
  local dnsmasq_pid=$(/bin/echo $(/bin/ps ww | /bin/grep -F "$cmdline" | /bin/grep -v grep) | /usr/bin/cut -f1 -d' ')
  if [ -z "$dnsmasq_pid" ]; then
    rm -f $dnsmasq_cmd
    ln -s $(which dnsmasq) $dnsmasq_cmd
    # run dnsmasq
    $cmdline
  fi

  # adjust the tor firewall rules to redirect DNS lookups
  $tor_firewall_script
}

# automatically adjust the tor firewall rules when the firewall is restarted
if [ -f "$tor_firewall_script" ]; then
  # nat-start runs as root, so keep it writable by root only (a+rx, not a+rwx)
  [ ! -f /jffs/scripts/nat-start ] && echo "#!/bin/sh" >> /jffs/scripts/nat-start && chmod a+rx /jffs/scripts/nat-start
  grep -qF "$tor_firewall_script" /jffs/scripts/nat-start
  if [ $? -eq 1 ]; then
    echo >> /jffs/scripts/nat-start
    echo "source $tor_firewall_script" >> /jffs/scripts/nat-start
    echo >> /jffs/scripts/nat-start
  fi
fi

# run this script after the WAN interface comes up
if [ "$this_script_basename" != "wan-start" ]; then
  # wan-start runs as root, so keep it writable by root only (a+rx, not a+rwx)
  [ ! -f /jffs/scripts/wan-start ] && echo "#!/bin/sh" >> /jffs/scripts/wan-start && chmod a+rx /jffs/scripts/wan-start
  grep -qF "$this_script" /jffs/scripts/wan-start
  if [ $? -eq 1 ]; then
    echo >> /jffs/scripts/wan-start
    echo "source $this_script" >> /jffs/scripts/wan-start
    echo >> /jffs/scripts/wan-start
  fi
fi

# generate dnsmasq.tor.conf with extras
create_dnsmasq_conf
add_dnsmasq_ipset mstracking /jffs/home/mstracking.txt /tmp/dnsmasq.mstracking.conf
add_extra_dnsmasq_conf /jffs/home/dnsmasq.ntp.conf
add_extra_dnsmasq_conf /jffs/home/dnsmasq.adblock.conf

# the symlink name dnsmasq-tor (created in dnsmasq_start) is what lets killall hit only this instance
[ "$dnsmasq_tor_restart" = "restart" ] && killall dnsmasq-tor && sleep 1
dnsmasq_start "--log-async -C $dnsmasq_conf"


/jffs/home/tor-firewall-changes.sh
Code:
#!/bin/sh

# for each TOR client, replace the rule for the redirected TOR DNS port,
# this moves the redirected port 9053 (TOR) to 9953 (dnsmasq)
tor_dnsport=$(nvram get Tor_dnsport)
[ -z "$tor_dnsport" ] && tor_dnsport=9053   # same default as tor-dnsmasq-start.sh
dnsmasq_dnsport=9953
line_nums=$(iptables -t nat -nL PREROUTING --line-numbers | grep -F "redir ports $tor_dnsport" | cut -d' ' -f1)
for line_num in $line_nums; do
  old_rule=$(iptables -t nat -S PREROUTING $line_num | cut -d' ' -f3-)
  # sed rather than bash's ${var/a/b}, so this also runs under busybox /bin/sh
  new_rule=$(echo "$old_rule" | sed "s/REDIRECT --to-ports $tor_dnsport/REDIRECT --to-ports $dnsmasq_dnsport/")
  iptables -t nat -R PREROUTING $line_num $new_rule
done

# for each TOR client, prevent banned addresses from being routed through the Tor network
tor_transport=$(nvram get Tor_transport)
line_nums=""
# with an empty port the grep would match every REDIRECT rule, so skip the loop instead
# (no "exit" here: nat-start sources this file, and exit would abort nat-start too)
[ -n "$tor_transport" ] && line_nums=$(iptables -t nat -nL PREROUTING --line-numbers | grep -F "redir ports $tor_transport" | cut -d' ' -f1)
lines_inserted=0
for line_num in $line_nums; do
  # every rule inserted above shifts the remaining line numbers by one
  line_num=$((line_num + lines_inserted))
  existing_rule=$(iptables -t nat -S PREROUTING $line_num | cut -d' ' -f3-)

  # this rule will block Windows Updates and Microsoft Telemetry, for TOR clients:
  # destinations already in the mstracking ipset (filled by dnsmasq) RETURN
  # instead of being redirected to Tor's TransPort
  ipset_name="mstracking"
  if [ -f /jffs/home/${ipset_name}.txt ]; then
    ipset -N ${ipset_name} iphash > /dev/null 2>&1
    new_rule=$(echo "$existing_rule" | sed "s/-j REDIRECT --to-ports $tor_transport/-m set --match-set ${ipset_name} dst -j RETURN/")
    # -C succeeds when an identical rule already exists; only insert when it does not
    iptables -t nat -C PREROUTING $new_rule > /dev/null 2>&1 \
      || { iptables -t nat -I PREROUTING $line_num $new_rule && lines_inserted=$((lines_inserted + 1)); }
  fi

  #
  # TODO: add additional rules here
  #
done


/jffs/home/dnsmasq.ntp.conf
Code:
### NTP servers - requires an NTP server running on the router
address=/ntp.ubuntu.com/192.168.1.1
address=/ntp.canonical.com/ntp1.canonical.com/ntp2.canonical.com/ntp3.canonical.com/ntp4.canonical.com/192.168.1.1
address=/time-a.timefreq.bldrdoc.gov/time-b.timefreq.bldrdoc.gov/time-c.timefreq.bldrdoc.gov/192.168.1.1
address=/utcnist2.colorado.edu/192.168.1.1
address=/nist1-chi.ustiming.org/nist1-lv.ustiming.org/nist1-ny.ustiming.org/192.168.1.1
address=/time.nist.gov/time-nw.nist.gov/time-a.nist.gov/time-b.nist.gov/time-c.nist.gov/time-d.nist.gov/192.168.1.1
address=/time.windows.com/192.168.1.1
address=/tick.usno.navy.mil/tock.usno.navy.mil/ntp.usno.navy.mil/ntp2.usno.navy.mil/tick.usnogps.navy.mil/tock.usnogps.navy.mil/192.168.1.1
address=/ntp.rokutime.com/192.168.1.1
address=/pool.ntp.org/0.pool.ntp.org/1.pool.ntp.org/2.pool.ntp.org/3.pool.ntp.org/192.168.1.1


/jffs/home/dnsmasq.adblock.conf
Code:
### Ad block
address=/.ozvision.ozsn.net/.flirservices.com/0.0.0.0
address=/.dahuap2pcloud.com/.easy4ipcloud.com/0.0.0.0
address=/services.gfe.nvidia.com/services-cdn.gfe.nvidia.com/0.0.0.0


/jffs/home/mstracking.txt
Code:
windowsupdate.microsoft.com
update.microsoft.com
download.windowsupdate.com
download.microsoft.com
wustat.windows.com
ntservicepack.microsoft.com
stats.microsoft.com
v4.windowsupdate
officeupdate.microsoft.com
office.microsoft.com
crl.microsoft.com
dns.msftncsi.com
ipv6.msftncsi.com
msftncsi.com
www.msftncsi.com
a.ads1.msn.com
a.ads2.msads.net
a.ads2.msn.com
a.rad.msn.com
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
adnexus.net
adnxs.com
ads.msn.com
ads1.msads.net
ads1.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
a-msedge.net
apps.skype.com
az361816.vo.msecnd.net
az512334.vo.msecnd.net
b.ads1.msn.com
b.ads2.msads.net
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
cdn.atdmt.com
cds26.ams9.msecn.net
choice.microsoft.com
choice.microsoft.com.nsatc.net
compatexchange.cloudapp.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
cs1.wpc.v0cdn.net
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
ec.atdmt.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
m.hotmail.com
msedge.net
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
preview.msn.com
pricelist.skype.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-bn2.metron.live.com.nsatc.net
vortex-cy2.metron.live.com.nsatc.net
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
watson.telemetry.microsoft.com.nsatc.net
wes.df.telemetry.microsoft.com
 
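The rewriting that tor-firewall-changes.sh performs is hard to check without a live router. The shell block below is an added example written for this page, not code from the post above: it runs the same logic as a dry run over a constructed sample of `iptables -t nat -S PREROUTING` output for one Tor client, rewrites the port-53 REDIRECT to the second dnsmasq port, builds the ipset RETURN bypass for the TransPort redirect, and prints the iptables commands it would issue instead of running them. It also includes a stricter version of the post's ipset=/domain/set generator that reports and skips malformed entries. The ports (9053, 9040, 9953), the set name, the client address and the sample rule lines are assumptions; the rules the firmware actually writes may carry additional matches, which the substitutions leave in place.

```shell
#!/bin/sh
# Added example, not code from the forum post: a dry run of the rewriting that
# tor-firewall-changes.sh performs, over constructed `iptables -S` output, plus a
# stricter generator for the ipset=/domain/set lines. Ports, set name, client
# address and sample rules are assumptions, not values read from a router.

TOR_DNSPORT=9053        # Tor DNSPort (nvram Tor_dnsport on the router)
TOR_TRANSPORT=9040      # Tor TransPort (nvram Tor_transport); assumed value
DNSMASQ_PORT=9953       # port the second dnsmasq instance listens on
BYPASS_SET=mstracking   # ipset that dnsmasq fills via ipset=/.../mstracking

# Constructed sample of `iptables -t nat -S PREROUTING` for one Tor client
# (192.168.1.50). The firmware's real rules may carry extra matches; only the
# "-j REDIRECT --to-ports N" tail is rewritten, so those would be kept.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -s 192.168.1.50/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i br0 -s 192.168.1.50/32 -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443'

# Drop the "-A PREROUTING " prefix so the remainder can be passed to -R or -I.
rule_body() {
  printf '%s\n' "$1" | sed 's/^-A PREROUTING //'
}

# Send the client's port-53 REDIRECT to the second dnsmasq instead of Tor's DNSPort.
rewrite_dns_redirect() {
  printf '%s\n' "$1" | sed "s/-j REDIRECT --to-ports $TOR_DNSPORT\$/-j REDIRECT --to-ports $DNSMASQ_PORT/"
}

# Turn the TransPort REDIRECT into a RETURN for destinations already in the set;
# the client and protocol matches are kept, so only that Tor client is affected.
make_bypass_rule() {
  printf '%s\n' "$1" | sed "s/-j REDIRECT --to-ports $TOR_TRANSPORT\$/-m set --match-set $BYPASS_SET dst -j RETURN/"
}

# Read `iptables -S` output on stdin and print the commands that would run.
# Rule numbers count -A lines only (-P is the chain policy, not a rule), and
# every -I shifts the rules after it by one, the same bookkeeping the post's
# script does with lines_inserted.
plan_changes() {
  n=0
  inserted=0
  while IFS= read -r line; do
    case "$line" in
      "-A PREROUTING "*) n=$((n + 1)) ;;
      *) continue ;;
    esac
    body=$(rule_body "$line")
    case "$body" in
      *"-j REDIRECT --to-ports $TOR_DNSPORT")
        printf 'iptables -t nat -R PREROUTING %d %s\n' "$((n + inserted))" "$(rewrite_dns_redirect "$body")" ;;
      *"-j REDIRECT --to-ports $TOR_TRANSPORT")
        printf 'iptables -t nat -I PREROUTING %d %s\n' "$((n + inserted))" "$(make_bypass_rule "$body")"
        inserted=$((inserted + 1)) ;;
    esac
  done
}

# Number of commands the dry run produces for the sample (one -R, one -I).
planned_count() {
  printf '%s\n' "$SAMPLE_RULES" | plan_changes | wc -l | tr -d ' '
}

# Domain list on stdin (one per line; blank lines and # comments ignored) to
# ipset=/domain/set lines. Entries with characters that cannot appear in a
# hostname, a trailing dot or an empty label are reported on stderr and skipped.
gen_ipset_conf() {
  set_name=$1
  while IFS= read -r d; do
    d=$(printf '%s' "$d" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
    case "$d" in
      ""|\#*) continue ;;
      *[!a-z0-9.-]*|*.|*..*)
        printf 'skipping invalid entry: %s\n' "$d" >&2
        continue ;;
    esac
    printf 'ipset=/%s/%s\n' "$d" "$set_name"
  done
}

printf '%s\n' "$SAMPLE_RULES" | plan_changes
printf 'telemetry.microsoft.com\n\n# comment\nbad_entry\n' | gen_ipset_conf "$BYPASS_SET"
```

Before adopting the rule shape, compare the printed commands with the real `iptables -t nat -S PREROUTING` output on the router: only the `-j REDIRECT --to-ports N` tail is replaced, so any extra matches the firmware adds survive, and a RETURN inserted directly before the TransPort redirect is the earliest point at which a destination already in the set can leave the Tor path.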