#!/bin/bash
###########################################################################
### ###
### DNS over TLS over Tor (DoToT) ###
### Thanks to Nate Sales and Yawnbox of Emerald Onion ###
### https://emeraldonion.org ###
### https://github.com/emeraldonion/DNS/ ###
### GNU General Public License v3.0 ###
### https://github.com/emeraldonion/DNS/blob/main/LICENSE ###
### ###
###########################################################################
###
### For local DNS resolution on Debian or Ubuntu, client or server:
###
### 1. tor is listening on a local socket, 127.0.0.1:9050.
###
### 2. Three independent socat services (customizable) listen on three
### local sockets: 127.0.0.1:8530, 127.0.0.1:8531 and 127.0.0.1:8532.
### Each socket is dedicated to relaying DNS queries to one provider's
### DoT service — Emerald Onion, Cloudflare and Quad 9 — so all three
### upstreams are available at the same time.
###
### 3. stubby becomes the local DNS daemon and creates a local IP
### (127.0.8.53) for local queries to be sent to. stubby takes DNS
### queries, makes them DoT queries (853/tcp wrapped in TLS 1.3),
### and sends requests to the “upstream recursive servers” which
### are actually the local socat services that pipe everything
### through Tor.
###
### Benefits:
###
### 1. Security across the wire from both TLS 1.3 and Tor.
### 2. Physical location privacy to public DNS resolvers with Tor.
### 3. Censorship resistance from both TLS 1.3 and Tor.
### 4. Redundancy with multiple external DoT providers.
###
###########################################################################
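# Install tor, socat and stubby. It would be best if you follow
# Tor Project's guide to installing the latest tor for Debian/Ubuntu.
#
# Every step below writes under /etc or talks to systemd, so the script
# must run as root. It is written to be re-runnable: the vendor stubby.yml
# is backed up only once and the service user is created only if missing.
set -euo pipefail

readonly STUBBY_CONF=/etc/stubby/stubby.yml
# note: check out stubby.backup1 to see alternative DoT services
readonly STUBBY_BACKUP=/etc/stubby/stubby.backup1
readonly TOR_DNS_USER=tor-dns
# tor's local SOCKS listener (see header: 127.0.0.1:9050)
readonly TOR_SOCKS_PORT=9050

#######################################
# Abort unless running as root.
# Outputs:   error message on stderr
# Returns:   exits 1 when not root
#######################################
require_root() {
  if [[ "$(id -u)" -ne 0 ]]; then
    printf '%s: must be run as root\n' "${0##*/}" >&2
    exit 1
  fi
}

#######################################
# Install tor, socat and stubby.
# apt-get is used instead of apt because apt's CLI is not stable for scripts.
#######################################
install_packages() {
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y tor socat stubby
}

#######################################
# Preserve the distribution stubby.yml as stubby.backup1 and write the
# DoT-over-Tor configuration in its place. The backup is taken only when
# none exists yet, so a re-run never overwrites the vendor file with ours.
# Globals:   STUBBY_CONF (written), STUBBY_BACKUP (written once)
#######################################
write_stubby_config() {
  if [[ -f "$STUBBY_CONF" && ! -e "$STUBBY_BACKUP" ]]; then
    cp -a -- "$STUBBY_CONF" "$STUBBY_BACKUP"
  fi
  # Quoted delimiter: the YAML below is written literally, nothing expands.
  # tls_auth_name is what stubby validates the upstream certificate against,
  # which is why each 127.0.0.1 relay still carries the provider's hostname.
  cat > "$STUBBY_CONF" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_ca_path: "/etc/ssl/certs/"
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
tls_min_version: GETDNS_TLS1_3
tls_max_version: GETDNS_TLS1_3
listen_addresses:
  - 127.0.8.53
upstream_recursive_servers:
  - address_data: 127.0.0.1
    tls_auth_name: "dns.emeraldonion.org"
    tls_port: 8530
  - address_data: 127.0.0.1
    tls_auth_name: "dns.quad9.net"
    tls_port: 8531
  - address_data: 127.0.0.1
    tls_auth_name: "1dot1dot1dot1.cloudflare-dns.com"
    tls_port: 8532
EOF
}

#######################################
# Create the unprivileged user + group the socat relays run as.
# --user-group gives the matching tor-dns group the units reference;
# the nologin shell replaces the separate chsh step.
# Globals:   TOR_DNS_USER
#######################################
create_service_user() {
  if ! id -u "$TOR_DNS_USER" >/dev/null 2>&1; then
    useradd --system --no-create-home --user-group \
      --shell /sbin/nologin "$TOR_DNS_USER"
  fi
}

#######################################
# Write one systemd unit running a socat relay: plain TCP accepted on a
# loopback port is forwarded through tor (SOCKS4A, so the provider's
# hostname is resolved by Tor, never by the local resolver) to port 853.
# Arguments:
#   $1 - unit name suffix (eo, cf, q9)
#   $2 - local listen port
#   $3 - upstream DoT hostname
# Globals:   TOR_DNS_USER, TOR_SOCKS_PORT
#######################################
write_socat_unit() {
  local suffix=$1 port=$2 upstream=$3
  local unit="/etc/systemd/system/tor-dns-${suffix}.service"
  # bind=127.0.0.1: without it TCP4-LISTEN binds every interface and the
  # relay becomes an open Tor-forwarding proxy for anything reaching the host.
  # Wants=/After=tor.service: Debian's tor package ships tor.service; the
  # relay is useless until the SOCKS port is up (verify the unit name if tor
  # was installed from another source).
  cat > "$unit" <<EOF
[Unit]
Description=DNS over TLS relay to ${upstream} via Tor
After=network.target tor.service
Wants=tor.service
[Service]
Type=simple
User=${TOR_DNS_USER}
Group=${TOR_DNS_USER}
ExecStart=/usr/bin/socat TCP4-LISTEN:${port},bind=127.0.0.1,reuseaddr,fork SOCKS4A:127.0.0.1:${upstream}:853,socksport=${TOR_SOCKS_PORT}
Restart=on-failure
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Enable and start the three relays, then (re)start stubby so the new
# stubby.yml and its 127.0.8.53 listener take effect — the package may have
# started stubby with its stock configuration during installation.
#######################################
enable_services() {
  local suffix
  systemctl daemon-reload
  for suffix in eo cf q9; do
    systemctl enable --now "tor-dns-${suffix}"
  done
  systemctl enable --now stubby
  systemctl restart stubby
}

#######################################
# Entry point: install, configure, create user, write units, start.
#######################################
main() {
  require_root
  install_packages
  write_stubby_config
  create_service_user
  write_socat_unit eo 8530 dns.emeraldonion.org
  write_socat_unit q9 8531 dns.quad9.net
  write_socat_unit cf 8532 1dot1dot1dot1.cloudflare-dns.com
  enable_services
  # Now you should set 127.0.8.53 as your only nameserver in Netplan on Ubuntu to make this a system-wide configuration, or in /etc/resolv.conf for Debian.
  printf '%s\n' 'Done. Set 127.0.8.53 as the only nameserver (Netplan on Ubuntu, /etc/resolv.conf on Debian).'
}

main "$@"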