Resolving .onions when not all traffic is eaten by tor

Created on 2021-01-11T22:35:39-06:00

NOTE that mixing clearnet and an overlay net is asking to fuck up eventually.

Tor answers .onion lookups with addresses from a fake subnet that stand in for its hidden-service circuits. Use a firewall rule to force traffic destined for those fake addresses to go through the TransPort of the tor router.

Add nat rules so traffic for those fake subnets is redirected to the TransPort:

iptables -t nat -A OUTPUT -p tcp -d 127.192.0.0/10 -j REDIRECT --to-ports 9040
ip6tables -t nat -A OUTPUT -p tcp -d FE80::/10 -j REDIRECT --to-ports 9040

Enable the transparent proxy port in torrc:

TransPort 9040

These options need to be in the server section of unbound.conf (do-not-query-localhost must be no because the forwarder lives on 127.0.0.1, and tcp-upstream must be no because tor's DNSPort only answers over UDP):

server:
    do-not-query-localhost: no
    tcp-upstream: no

    domain-insecure: "onion."
    private-domain: "onion."
    local-zone: "onion." nodefault

Add a forwarding zone in unbound.conf:

forward-zone:
    name: "onion."
    forward-addr: 127.0.0.1@9053
    forward-first: no
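
A verification step, added here and not part of the original card: the REDIRECT rule above only catches TCP to 127.192.0.0/10, so an answer unbound hands back for a .onion name must fall inside that range, otherwise the connection goes out over clearnet. This POSIX sh check assumes tor's DNSPort is listening on 9053 with AutomapHostsOnResolve enabled (as the forward-addr implies), that unbound listens on 127.0.0.1, and that 127.192.0.0/10 is tor's default virtual IPv4 range (VirtualAddrNetworkIPv4).

```shell
#!/bin/sh
# Added check, not from the original card. An address that unbound returns
# for a .onion name is only safe to connect to if it sits inside the range
# the nat REDIRECT rule sends to TransPort (127.192.0.0/10, tor's default
# VirtualAddrNetworkIPv4). Anything else would be dialled directly.

# ip4_to_int ADDR -> ADDR as a decimal integer (for mask arithmetic).
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr4 ADDR NET/PREFIX -> exit 0 if ADDR lies within NET/PREFIX.
in_cidr4() {
    prefix=${2#*/}
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    # build the netmask; 4294967295 is 0xFFFFFFFF (avoids hex in sh arithmetic)
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Range the iptables rule on this card redirects; keep in sync with that rule.
TOR_VIRTUAL_NET4=127.192.0.0/10

# check_onion_answer ADDR -> "ok" if the answer will be redirected into tor,
# "leak" if it would be connected to directly over clearnet.
check_onion_answer() {
    if in_cidr4 "$1" "$TOR_VIRTUAL_NET4"; then
        echo ok
    else
        echo leak
    fi
}

# Live check against the local unbound (needs running tor and unbound):
#   onion_leak_check somename.onion
onion_leak_check() {
    answer=$(dig +short -t A "$1" @127.0.0.1 | head -n 1)
    [ -n "$answer" ] || { echo "no answer for $1"; return 2; }
    echo "$1 -> $answer: $(check_onion_answer "$answer")"
}
```

If the live check ever prints "leak", either the REDIRECT rule's -d range no longer matches tor's virtual subnet or the lookup was answered by something other than tor's DNSPort.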