Tails - DNS

Tor does not support UDP so we cannot simply redirect DNS queries to the Tor transparent proxy.

Most DNS leaks are avoided by having the system resolver query the Tor network using the DNSPort configured in torrc.

There is a concern that any application could attempt to do its own DNS resolution without using the system resolver; UDP datagrams are therefore blocked in order to prevent leaks. Another solution may be to use the Linux network filter to forward outgoing UDP datagrams to the local DNS proxy.

Tails also forbids DNS queries to RFC1918 addresses; those might indeed allow the system to learn the local network's public IP address.

An exception to the above DNS configuration is the clearnet user used to run the Unsafe Browser, which uses the DNS server provided for DHCP for resolving.

resolvconf is used to configure the system resolver in /etc/resolv.conf; it is also set up to prevent NetworkManager and dhcp-client to modify this file.

Since the Tor DNS resolver lacks support for most types of DNS queries except "A", ttdnsd is also running and offers support for all kinds of DNS queries Tor does not know about. This can be useful for advanced users to do system administration for example. However, ttdnsd is not used in the default name resolution loop, mostly due to it being quite too buggy. It is configured to forward incoming UDP DNS requests to a open, recursive TCP DNS resolver (namely: OpenDNS's 208.67.222.222) via the Tor SOCKS proxy. Completely replacing the Tor resolver with ttdnsd was considered, but doing so would give too much power to a single third-party, that is to the organization or people that runs the recursive DNS resolver ttdnsd is configured to use.