Description
I have found that relying on a single tor DNSPort for all DNS queries (1) sometimes fails (presumably when the circuit is renegotiating) and (2) can be a big bottleneck when doing lots of lookups.
I got much better performance/reliability by using dnsmasq to answer queries and proxying the requests out to several tor DNSPorts bound to localhost as upstream DNS servers, like so:
/etc/tor/torrc
DNSPort 127.0.0.2:53
DNSPort 127.0.0.3:53
DNSPort 127.0.0.4:53
/etc/dnsmasq.conf
no-hosts
no-poll
no-resolv
listen-address=127.0.0.1
port=53
bind-interfaces
server=127.0.0.2
server=127.0.0.3
server=127.0.0.4
Aside from just having more bandwidth/load balancing/failover that you naturally get from having more than 1 place to send data, I suspect that dnsmasq responds more efficiently than using iptables redirection.
I guess the thing I'm not sure about is if doing this meaningfully increases attack surface or not? I get that it is exposing code to the network that doesn't have to be exposed, which is definitionally increasing attack surface and which generally doesn't ever make things more secure.
However, dnsmasq provides a lot more fine-grained control over how/if DNS requests are answered, which would potentially be a more helpful mitigation if the console is compromised than having iptables pass everything on port 53 to tor's DNSPort, which may or may not handle unexpected input as elegantly as dnsmasq does. Also, this removes iptables from anything DNS related, so there's that too.
Automapping to .onions also works fine using this method.
Thoughts?
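As an added example (not part of the post or the project), a small Python audit of the two files above checks the invariants that keep this setup from leaking: dnsmasq listens only on loopback, ignores /etc/resolv.conf, and forwards solely to addresses that Tor's DNSPort lines actually bind. The sample strings are constructed copies of the post's configs; the `server=/domain/addr#port` forms are reduced to their address and port.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed copies of the two files from the post, used as sample input.
SAMPLE_TORRC = "DNSPort 127.0.0.2:53\nDNSPort 127.0.0.3:53\nDNSPort 127.0.0.4:53\n"
SAMPLE_DNSMASQ = (
    "no-hosts\nno-poll\nno-resolv\nlisten-address=127.0.0.1\nport=53\n"
    "bind-interfaces\nserver=127.0.0.2\nserver=127.0.0.3\nserver=127.0.0.4\n"
)


def tor_dns_listeners(torrc: str) -> Set[Tuple[str, int]]:
    """Collect (address, port) for every DNSPort line; a bare port binds 127.0.0.1."""
    listeners = set()
    for raw in torrc.splitlines():
        tokens = raw.split("#", 1)[0].split()          # torrc comments run from '#'
        if len(tokens) < 2 or tokens[0].lower() != "dnsport":
            continue
        addr, _, port = tokens[1].rpartition(":")
        listeners.add((addr or "127.0.0.1", int(port)))
    return listeners


def dnsmasq_options(conf: str) -> Dict[str, List[str]]:
    """Parse 'key' and 'key=value' lines into {key: [values]}; bare flags map to []."""
    opts: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):            # dnsmasq comments start the line
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), [])
        if value:
            opts[key.strip()].append(value.strip())
    return opts


def upstream_target(server_value: str) -> Tuple[str, int]:
    """Turn a server= value ('addr', 'addr#port' or '/domain/addr') into (addr, port)."""
    addr = server_value.rsplit("/", 1)[-1]              # drop any /domain/ prefix
    host, _, port = addr.partition("#")                 # dnsmasq puts the port after '#'
    return host, int(port) if port else 53


def audit(torrc: str, dnsmasq_conf: str) -> List[str]:
    """Return findings; an empty list means dnsmasq can only hand queries to Tor's DNSPorts."""
    findings, opts, tor = [], dnsmasq_options(dnsmasq_conf), tor_dns_listeners(torrc)
    if "no-resolv" not in opts:
        findings.append("no-resolv missing: nameservers from /etc/resolv.conf become upstreams")
    if "bind-interfaces" not in opts:
        findings.append("bind-interfaces missing: dnsmasq may also answer on non-loopback interfaces")
    for addr in opts.get("listen-address", []):
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"listen-address {addr} is not loopback")
    if not opts.get("server"):
        findings.append("no server= lines: nothing is forwarded to Tor")
    for value in opts.get("server", []):
        if upstream_target(value) not in tor:
            findings.append(f"server={value} is not a Tor DNSPort: queries would bypass Tor")
    return findings
```

Run it against the live files (e.g. `audit(open("/etc/tor/torrc").read(), open("/etc/dnsmasq.conf").read())`) after each edit; any finding means some resolver path no longer ends at Tor.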