Using Tor + DNSCrypt?

jmedaglia

Occasional Visitor
Now that the latest version of Asuswrt-Merlin (378.52) includes experimental Tor support (thanks Merlin!), I wanted to get to know it / experiment a bit with it.

I'm concerned about the privacy/security of my internet browsing, maybe too paranoid for a home user, but I just think that there is no reason not to add some additional security if it comes at a very low cost.

Anyway, I've been using DNSCrypt for a while now, I followed the guide from the official Wiki to set it up (https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt).

Now I was trying to enable Tor, went to VPN -> Tor and enabled it (didn't change any of the ports), but after the settings are applied I am not able to browse any webpage. Experimenting a bit, I went and disabled dnscrypt-proxy and then I was able to browse the internet and even pass the Tor check (https://check.torproject.org/).

So, I have some questions:

1) Does it make sense to use Tor + DNSCrypt or one should use just either one but not both?
2) If it does, how can I make them work together?

Thanks in advance.
 
The main problem with Tor for personal use is that it will slow down your browsing intolerably. Unless you are doing bad stuff or sending out trade secrets across the web, the EFF browser plugin "HTTPS Everywhere" works out pretty well. Can't speak to DNSCrypt as my satellite ISP hijacks our DNS queries for their acceleration process.
Of course, be sure your wifi is encrypted with WPA2. Your router provides a pretty decent firewall for most purposes if you don't defeat it. Be careful with your browsing and opening of links in emails. If you use Windows, use a good free antivirus like Avast or Avira. Relax and enjoy the web.
 

Yes, I also thought it would be intolerably slow as you describe it, just wanted to give it a try, but it seems that I will pass.

Thank you!
 
You can download the "Tails" linux distribution .iso file ( https://tails.boum.org/), burn it to a DVD or USB and get the feel of using Tor. Forget all the signature and authentication steps they suggest just for the sake of trying it out and just boot up the distro and try the browser. It won't leave any tracks on your PC when you are finished.

There are more, really serious risks out there that are totally beyond our control. I recently visited a clinic (un-named) in Honolulu and noticed that the computer in the exam room was running Windows XP for their medical information system. Oh, and you can opt for web access to that info. That probably has my SSN on it (embedded in my medicare #) and other personal info. Good chance that your bank is using XP in their ATMs. Everywhere you look.... Gotta make me one of them tinfoil hats:(
 
You could simply install the Tor Browser bundle on your computer and use that to stay anonymous. As long as you keep your Internet activities within the Tor Browser, all web traffic and DNS lookups are passed to the Tor exit node, keeping you anonymous. The Tor Browser bundle is a customized version of Firefox that is tightly integrated with the Tor service. It requires no additional configuration or expert IT knowledge. Just install and begin using it.

The problem is that most people have other software on their computers that unknowingly accesses the Internet, such as checking for updates or automatically logging in to an online service. This software can reveal your physical location. The Tor Browser bundle has no control over these other programs.

You may choose to set the router's iptables to block your computer from directly accessing the Internet. This is a very good idea. However, now you need Tor + Privoxy running on the router to accomplish what the Tor Browser bundle was doing. And it is also a very good idea to install DNSCrypt on the router for all other software that performs DNS lookups.
I am running Tor + Privoxy + DNSCrypt on the router itself with my computer blocked from directly accessing the Internet. It is better anonymity than simply running the Tor Browser bundle on the computer.

The only issue I had with the DNSCrypt setup (https://github.com/RMerl/asuswrt-merlin/wiki/Secure-DNS-queries-using-DNSCrypt) was the case when /opt is unavailable; I needed it to revert to normal DNS lookups. Following is a derivative of the DNSCrypt wiki script that reverts to normal (insecure) DNS lookups when /opt is unavailable.

/jffs/scripts/wan-start
Code:
#!/bin/sh
/jffs/scripts/dnsmasq-start &

/jffs/scripts/dnsmasq-start
Code:
#!/bin/sh
HOSTSNTP="/tmp/hosts.ntp"
HOSTSNTP2="/jffs/scripts/hosts.ntp"
NODNSCRYPT="/etc/dnsmasq.conf.nodnscrypt"

# Wait up to 60 seconds to make sure /opt partition is mounted
tmax=60
i=0
while [ $i -le $tmax ]
do
    if [ -d /opt/tmp ]
    then
        break
    fi
    sleep 1
    i=`expr $i + 1`
done

# if /opt partition is unavailable then revert to the firmware dnsmasq.conf
if [ $i -gt $tmax ]; then
  # revert to the firmware dnsmasq.conf
  touch "$NODNSCRYPT"
  cp -af /etc/dnsmasq.conf.firmware /etc/dnsmasq.conf
  killall dnsmasq && sleep 1
  service restart_dnsmasq
else
  # Now resolve DNS name for NTP server
  rm -f "$HOSTSNTP"
  echo "# DNS name for NTP server" >> "$HOSTSNTP"
  ntp_name=$(nvram get ntp_server0)
  for ip in $(/opt/bin/hostip $ntp_name)
  do
    echo $ip $ntp_name >> "$HOSTSNTP"
  done
  mv -f "$HOSTSNTP" "$HOSTSNTP2"

  # restart NTP client to eliminate 4-5 mins delay
  killall ntp && sleep 1
  service restart_ntpc

  # use dnscrypt
  if [ -f "$NODNSCRYPT" ]; then
    rm -f "$NODNSCRYPT"
    killall dnsmasq && sleep 1
    service restart_dnsmasq
  fi
fi

/jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

cp -af /etc/dnsmasq.conf /etc/dnsmasq.conf.firmware

if [ ! -f "/etc/dnsmasq.conf.nodnscrypt" ]; then
  pc_append "### Dnscrypt" "$CONFIG"
  pc_append "no-resolv" "$CONFIG"
  pc_append "server=127.0.0.1#65053" "$CONFIG"
fi

/jffs/scripts/hosts.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

# append the user hosts file to the firmware hosts file
# (skipped when the file does not exist yet, so the redirect cannot fail)
APPENDFILE="/jffs/scripts/hosts.user"
if [ -f "$APPENDFILE" ]; then
  while read -r TEXTLINE
  do
    TEXTLINE=${TEXTLINE//\"}
    pc_append "$TEXTLINE" "$CONFIG"
  done <"$APPENDFILE"
fi

# append the NTP hosts file to the firmware hosts file
# (missing until dnsmasq-start has resolved the NTP server at least once)
APPENDFILE="/jffs/scripts/hosts.ntp"
if [ -f "$APPENDFILE" ]; then
  while read -r TEXTLINE
  do
    TEXTLINE=${TEXTLINE//\"}
    pc_append "$TEXTLINE" "$CONFIG"
  done <"$APPENDFILE"
fi

/jffs/scripts/hosts.user
Code:
### BEGIN USER HOSTS FILE
# ASUS
127.0.0.1       dlcdnet.asus.com
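The post above blocks the computer from reaching the Internet directly so that Tor + Privoxy on the router are its only way out. Below is an added example (not the poster's script, not part of the firmware) of how that block can be expressed and how the blocked attempts can be reviewed afterwards; LAN_HOST, WAN_IF, the log prefix and the syslog sample are all assumed/constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): rules that keep one LAN host from
# reaching the WAN directly, so its only way out is Tor/Privoxy on the router,
# plus a summary of the attempts that got blocked. Values below are assumed.
LAN_HOST="${LAN_HOST:-192.168.1.50}"   # constructed example address
WAN_IF="${WAN_IF:-eth0}"               # router WAN interface, assumed
LOG_PREFIX="TORLEAK: "                 # chosen tag for the syslog lines

# Print the iptables commands rather than running them; to apply, call
# `isolate_host_rules | sh` from /jffs/scripts/firewall-start.
isolate_host_rules() {
    # 1) rate-limited log of every direct-to-WAN packet from the host,
    # 2) then drop it; -I places both ahead of the firmware's own FORWARD rules
    echo "iptables -I FORWARD -s $LAN_HOST -o $WAN_IF -m limit --limit 6/min -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "iptables -I FORWARD 2 -s $LAN_HOST -o $WAN_IF -j DROP"
}

# Constructed sample of what such hits look like in the router's syslog
SAMPLE_LOG='Mar  1 10:00:01 router kernel: TORLEAK: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=443
Mar  1 10:00:02 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=22
Mar  1 10:05:10 router kernel: TORLEAK: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 PROTO=UDP SPT=123 DPT=123'

# Reads syslog text on stdin and prints "<count> PROTO/DPT" for each
# protocol/port the isolated host tried to reach directly (UDP/123 = NTP leak).
leak_summary() {
    grep 'TORLEAK:' | sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' | sort | uniq -c
}

# Number of distinct PROTO/DPT targets found in the sample log
leak_target_count() {
    printf '%s\n' "$SAMPLE_LOG" | leak_summary | grep -c .
}

isolate_host_rules
printf '%s\n' "$SAMPLE_LOG" | leak_summary
```

Anything that shows up in the summary is software on the blocked host that bypassed Privoxy/Tor and would have leaked the real address without the DROP rule.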
 
Although the Tor Browser bundle sounds like an interesting idea, I'd be leery of using a customized (locked?) browser and thinking that I was 'safe'.

Any thoughts on that?

Also, with so much other potential software that shows your real location anyway (as you rightly mention), it doesn't matter if some of your browsing is 'concealed'. With even a few bytes of info from a real location, it is only a matter of time before the concealed browsing is also traceable back to you.
 
My understanding is that they created the Tor Browser bundle because it's nearly impossible for the average person to configure Tor + Browser without it leaking data. The average person being someone without IT skills, like a journalist, for instance. It has been said that using Tor is better than not using Tor.

It is a powerful weapon, however it does have a few weaknesses.
https://en.wikipedia.org/wiki/Tor_(anonymity_network)#Weaknesses
 