DNS Over TOR & VPN

I would like to request the feature: DNS Over TOR & VPN baked into Pi-Hole.
I first seen this option on eBlocker and thought it would be a great feature. Anonymizing DNS requests would help the privacy of users:

  1. Anonymize DNS queries over the TOR network (Trustless option). All DNS queries will be routed over TOR, uncoupling a users IP address from the specific DNS query. ISP sees TOR entry node, Exit node sees the DNS lookup. No end point IP log or ISP logging your DNS requests. Only drawback is a slower DNS lookup. There is also the ability to use Cloudlfare over TOR which would probably be a better option.

exit-node
OR Cloudflare over TOR

  1. DNS over VPN. Users DNS queries would be routed over the users VPN providers network, uncoupling a users IP address from the specific DNS query. End point logs your VPN exit IP, ISP logs your VPN IP and cant see your DNS request. In this case you trust your VPN provider.
  • I would use DNS over TOR
  • I would use DNS over VPN
  • I love my IP and DNS query being logged and tied to me.
  • This suggestion triggered me.

0 voters

How much privacy do you expect a user will gain using TOR for DNS? Even though the DNS queries are routed somewhat anonymously through TOR, once you have the IP in hand, you send that IP (and the rest of the Hello string including the SNI) to your ISP in plain text and they can quite easily see where you are browsing.

Reading the Cloudflare documentaion of resolving through TOR, it states:

If you do not want to disclose your IP address to the resolver, you can use our Tor onion service. Resolving DNS queries through the Tor network guarantees a significantly higher level of anonymity than making the requests directly. Not only does doing so prevent the resolver from ever seeing your IP address, but it also prevents your ISP from knowing that you attempted to resolve a domain name.

So using Cloudflare through TOR encrypts TOR entry node DNS requests. As written:

  • You calculate a path to your destination, like this:
 You -> Your ISP -> X -> Y -> Z -> www.cloudflare.com.
    • You encrypt your packet with Z’s public key, then with Y’s, and finally with X’s.
    • You submit the result to X, who decrypts with their private key;
    • X submits the result to Y, who decrypts with their private key;
    • Y submits the result to Z, who decrypts with their private key to get the original packet;

That's all well and good. Regardless of how you clandestinely obtain an IP (local DNS entry, type it in yourself, get it via encrypted DNS that your ISP cannot see, etc.), you immediately turn around and send that IP and the matching SNI to your ISP in plain text.

The ISP didn't see the DNS traffic, but they still know where you are browsing, and this appears to be what you were trying to hide in the first place.

Cloudflare offers encryption of SNI explicitly for this leak to your ISP.

Cloudflare has no involvement in the connection process between your browser and your ISP (the Hello process, etc).

ESNI is no longer a thing (the article you linked is almost 4 years old). It's now rolled into Encrypted Client Hello (ECH). The specification for that is still in draft.

I see that now. Cloudflare states also ECH is a work in progress. So how do you think the VPN alternative is to DNS over TOR?

Using DNS over a VPN is functionally no different than using an encrypted DNS server (Cloudflared, Stubby, unbound in forwarding mode). Your ISP sees nothing, but the endpoint upstream DNS service sees your DNS traffic. It has the same underlying problem of plain text hello.

but the endpoint upstream DNS service sees your DNS traffic.

Yes. The upstream DNS service sees your DNS traffic, however your IP is not tied to that request. The DNS service sees your VPN exit node IP, and your ISP didnt know your query.

Your ISP still sees where you are browsing, so going to the trouble of hiding your DNS traffic seems pointless if your goal is to hide your browsing habits from your ISP. Is that the underlying goal for this feature request?

I guess its just one more data point to keep from your ISP, and anonymizing your IP from the end resolver. but true you are browsing there anyway so traffic is logged at the ISP. So really what is any benefit of using TOR or VPN for DNS? Using TOR or a VPN by themselves to browse does hide your DNS from your ISP and traffic logging by your ISP which would be the the benefit of both I guess.

I just tried out eBlocker and saw these options for DNS over VPN or TOR in addition to allowing each network device utilize TOR or VPN for browsing. They seperated browsing and DNS over those two functions, meaning you could use either or both. Thought it was a good idea.

I would use DNS over TOR.

I is interesting but without dnssec being used out there for securing the integrity of the resolutions, i fear that tor endpoints would be more under attack to actively and passively provide wrong results