Tails' short description states that all outgoing connections to the Internet must go through the Tor network.
This is almost true. Let's clarify this a bit.
DNS
Tor does not support UDP so we cannot simply redirect DNS queries to the Tor transparent proxy.
Most DNS leaks are avoided by having the system resolver query the Tor network through the DNSPort configured in torrc.
Any application could attempt to do its own DNS resolution without going through the system resolver; outgoing UDP datagrams are therefore blocked to prevent such leaks. Another option would be to use the Linux network filter to redirect outgoing UDP DNS datagrams to the local DNS proxy.
Tails also forbids DNS queries to RFC1918 addresses: a LAN resolver answering them could let the system learn the local network's public IP address.
An exception to the above DNS configuration is the clearnet user used to run the Unsafe Browser, which resolves names with the DNS server provided by DHCP.
resolvconf is used to configure the system resolver in /etc/resolv.conf; it is also set up to prevent NetworkManager and dhcp-client from modifying this file.
Since Tor's DNS resolver supports little beyond "A" queries, ttdnsd is also running and handles the query types Tor does not know about. This can be useful, for example, to advanced users doing system administration. However, ttdnsd is not part of the default name resolution chain, mostly because it is too buggy.
ttdnsd is configured to forward incoming UDP DNS requests, via the Tor SOCKS proxy, to an open recursive DNS resolver reached over TCP (namely OpenDNS's 208.67.222.222). Completely replacing the Tor resolver with ttdnsd was considered, but doing so would give too much power to a single third party, namely the organization that runs the recursive resolver ttdnsd is configured to use: it would see, and could answer as it pleased, every name lookup made from Tails.
- config/chroot_local-includes/etc/resolvconf/resolv.conf.d/base
- config/chroot_local-includes/etc/tor/torrc
- config/chroot_local-includes/etc/firewall.conf
- config/chroot_local-includes/lib/live/config/000-resolv-conf
- config/chroot_local-hooks/99-zzz_resolvconf
- config/chroot_local-includes/etc/default/ttdnsd
HTTP Proxy
Polipo provides a caching HTTP proxy. It contacts the Tor software over SOCKS5 to make the real connections: config/chroot_local-includes/etc/polipo/config.
In case the firewall is buggy or not properly started, proxy settings are used as part of a defence-in-depth strategy:
- The standard http_proxy and HTTP_PROXY environment variables are globally set in config/chroot_local-includes/etc/environment to point to Polipo.
Network filter
One serious security issue is that we don't know what software will attempt to contact the network, nor whether its proxy settings are correctly set up to use the Tor SOCKS proxy or the Polipo HTTP(S) proxy. This is solved by blocking all outbound Internet traffic except Tor's and I2P's, and by explicitly configuring all applications to use one of these.
- config/chroot_local-includes/etc/ferm/ferm.conf (uses ferm to build an iptables ruleset)
The default case is to block all outbound network traffic; let us now document all exceptions and some clarifications to this rule.
Tor user
Tor itself obviously has to connect to the Internet without going through the Tor network. This is achieved by special-casing connections originating from the debian-tor Unix user.
I2P
I2P (Invisible Internet Project) is yet another anonymizing network (a load-balanced, unspoofable packet-switching network) that provides access to eepsites (.i2p TLD); eepsites are a bit like Tor hidden services. Some users would like to be able to access eepsites from Tails.
Like the debian-tor user, the i2p user is allowed to connect directly to the Internet. See the design document dedicated to Tails' use of I2P for details.
Unsafe Browser and the clearnet user
The clearnet user used to run the Unsafe Browser is granted full network access (but no loopback access) in order to deal with captive portals; nothing that user does is anonymized.
Local Area Network (LAN)
Tails' short description talks of sending outgoing connections to the Internet through Tor. Indeed: traffic to the local LAN (RFC1918 addresses) is wide open, as is loopback traffic, obviously.
LAN DNS queries are forbidden, as explained in the DNS section above: a LAN resolver could reveal the local network's public IP address.
Local services whitelist
The Tails firewall uses a whitelist which only grants access to each local service to the users that actually need it. This blocks potential leaks due to misconfigurations or bugs, and deanonymization attacks by compromised processes. For specifics, see the firewall configuration, where this is well commented: config/chroot_local-includes/etc/ferm/ferm.conf
Automapped addresses
AutomapHostsOnResolve is enabled in the Tor configuration, and a firewall rule transparently redirects connections targeted at the 127.192.0.0/10 virtual mapped address space to the Tor transparent proxy port.
Only the amnesia user is granted access to the Tor transparent proxy port, so in practice only that user can use this hostname-to-address mapping facility.
IPv6
Tor does not support IPv6 yet, so IPv6 communication is blocked.
UDP, ICMP and other non-TCP protocols
Tor only supports TCP. Non-TCP traffic to the Internet, such as UDP datagrams and ICMP packets, is dropped unless it originates from the I2P router (the i2p user), since I2P supports UDP.
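The following POSIX shell script is an added example, not Tails' own ferm.conf or torrc (those live in the files listed above). It generates a torrc fragment and iptables-restore/ip6tables-restore input implementing the policy described in the DNS, Network filter, Automapped addresses, IPv6 and non-TCP sections: default drop, direct Internet access only for debian-tor and i2p, the clearnet user everywhere except loopback, the desktop user limited to Tor's local ports and Polipo, RFC1918 open except for DNS, 127.192.0.0/10 redirected to the transparent proxy port, IPv6 blocked outright. The port numbers (9050, 9040, 5353, 8118), the user name amnesia, and the redirect of 127.0.0.1:53 to the DNSPort are assumptions of this example; 127.192.0.0/10, the user names debian-tor, i2p and clearnet, and the ordering constraints come from the text.

```shell
#!/bin/sh
# Added example: generates a Tails-style Tor enforcement policy as a torrc
# fragment plus iptables-restore(8)/ip6tables-restore(8) input. Not Tails' own
# ferm.conf/torrc. Port numbers, the amnesia user name and the 53->DNSPort
# redirect are assumptions; 127.192.0.0/10 and the other user names are from the text.

TOR_SOCKS_PORT=9050   # assumed Tor SocksPort
TOR_TRANS_PORT=9040   # assumed Tor TransPort (transparent proxy)
TOR_DNS_PORT=5353     # assumed Tor DNSPort (Tor is unprivileged, so not 53)
POLIPO_PORT=8118      # assumed Polipo listening port
VIRTUAL_NET=127.192.0.0/10                          # AutomapHostsOnResolve range (from the text)
LAN_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"  # RFC1918

# torrc fragment: DNSPort for the system resolver, TransPort for automapped addresses.
tails_torrc() {
cat <<EOF
SocksPort 127.0.0.1:$TOR_SOCKS_PORT
TransPort 127.0.0.1:$TOR_TRANS_PORT
DNSPort 127.0.0.1:$TOR_DNS_PORT
AutomapHostsOnResolve 1
VirtualAddrNetwork $VIRTUAL_NET
EOF
}

# IPv4 policy. Apply (as root) with: tails_ipv4_rules | iptables-restore
# Rule order carries the policy: user-specific ACCEPT/REJECT rules precede the LAN rules,
# and the LAN DNS DROPs precede the LAN ACCEPTs.
tails_ipv4_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# /etc/resolv.conf says "nameserver 127.0.0.1"; hand port 53 to Tor's DNSPort (assumed layout).
-A OUTPUT -o lo -d 127.0.0.1 -p udp --dport 53 -j REDIRECT --to-ports $TOR_DNS_PORT
# Connections to automapped addresses go to the Tor transparent proxy.
-A OUTPUT -d $VIRTUAL_NET -p tcp -j REDIRECT --to-ports $TOR_TRANS_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only Tor and the I2P router may reach the Internet directly (I2P needs UDP too).
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
-A OUTPUT -m owner --uid-owner i2p -j ACCEPT
# Unsafe Browser user: everything except loopback; listed before the LAN DNS
# block so it can still use the DHCP-provided (usually RFC1918) resolver.
-A OUTPUT -o lo -m owner --uid-owner clearnet -j REJECT
-A OUTPUT -m owner --uid-owner clearnet -j ACCEPT
# Local services whitelist: the desktop user reaches Tor's ports and Polipo only.
-A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport $TOR_SOCKS_PORT -m owner --uid-owner amnesia -j ACCEPT
-A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport $TOR_TRANS_PORT -m owner --uid-owner amnesia -j ACCEPT
-A OUTPUT -o lo -d 127.0.0.1 -p udp --dport $TOR_DNS_PORT -m owner --uid-owner amnesia -j ACCEPT
-A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport $POLIPO_PORT -m owner --uid-owner amnesia -j ACCEPT
EOF
    # LAN: DNS to RFC1918 addresses is refused (it could reveal the public IP);
    # the rest of the LAN is open. DROPs must come before the ACCEPTs.
    for net in $LAN_NETS; do
        printf '%s\n' "-A OUTPUT -d $net -p udp --dport 53 -j DROP"
        printf '%s\n' "-A OUTPUT -d $net -p tcp --dport 53 -j DROP"
    done
    for net in $LAN_NETS; do
        printf '%s\n' "-A OUTPUT -d $net -j ACCEPT"
    done
    # Anything else (other users, UDP, ICMP, direct Internet) hits the DROP policy.
    echo COMMIT
}

# IPv6 cannot be carried over Tor, so it is blocked outright. Apply with ip6tables-restore.
tails_ipv6_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# True if the IPv4 ruleset contains exactly this rule line.
has_rule() { tails_ipv4_rules | grep -qxF -- "$1"; }

# Line number of the first IPv4 rule containing a fixed string (for order checks).
rule_index() { tails_ipv4_rules | grep -nF -- "$1" | head -n 1 | cut -d: -f1; }
```

Generate and inspect the output with `tails_ipv4_rules` before piping it into iptables-restore; the has_rule and rule_index helpers exist so that the two ordering invariants (clearnet ACCEPT before the LAN DNS DROPs, LAN DNS DROPs before the LAN ACCEPTs) can be checked mechanically rather than by eye.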
