Great - I think that's it! For whatever reason I had a "SocksPolicy reject *" in my torrc and I did not relate it to the DNSPort config. I removed it and everything seems to be working fine right away. Many thanks!
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Friday, 23. November 2018 13:05, teor teor@riseup.net wrote:
On 23 Nov 2018, at 21:20, petrarca@protonmail.ch wrote: Hi, on a small server I did try to force local DNS requests to the local Tor via iptables/ferm (Nat, Output-Chain, protocol udp dport domain REDIRECT to-ports 5300). Torrc has the following included: 'DNSPort 127.0.0.1:5300'. Unfortunately, it doesn't work as expected, but I get a warning in Tor's notices.log stating "[warn] Rejecting DNS request from disallowed IP" for each DNS request and even after hours of searching around and trying different configs I could't find the root cause yet.
This warning comes from the socks policy check: https://github.com/torproject/tor/blob/a1b0283040723474377a5746dbd01782a9b7e...
Question: what does "disallowed IP" really mean, i.e. what IPs are allowed by Tor and which ones are not? Any ideas and hints on how to investigate further are highly welcome! :-)
You're right, the documentation and logging isn't great here.
I opened a ticket to fix it: https://trac.torproject.org/projects/tor/ticket/28597#comment:2
Have you set the SocksPolicy option?
SocksPolicy policy,policy,… Set an entrance policy for this server, to limit who can connect to the SocksPort and DNSPort ports. The policies have the same form as exit policies below, except that port specifiers are ignored. Any address not matched by some entry in the policy is accepted.
https://www.torproject.org/docs/tor-manual.html.en
T