[anti-censorship-team] How to run Tor Browser through a DoH/DoT tunnel

David Fifield david at bamsoftware.com
Mon Apr 20 05:12:33 UTC 2020

I made a post about the DNS tunnel I have been working on. It uses a DNS
over HTTPS or DNS over TLS resolver for covertness, and the interior of
the tunnel follows the Turbo Tunnel design so the peers can be more free
about when they send to each other.


It doesn't exist as a proper pluggable transport, but it's pretty easy
to hack together a way to access a bridge through the tunnel. I made the
linked post using Tor Browser through the DNS tunnel. It's just two

First, get the tunnel client software and run it with the proper
	git clone https://www.bamsoftware.com/git/dnstt.git
	cd dnstt/dnstt-client
	go build
	./dnstt-client -doh https://dns.google/dns-query -pubkey a8090ab2d7b918e69ed4b2340fcd9c2af33c08e3620af98fb9c6a460fb63f76d tor.rinsed-tinsel.site
You can replace "https://dns.google/dns-query" with another server from

Second, in Tor Browser, go to about:preferences#tor, select "Provide a
bridge", and enter 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
tor will connect to as if it were a remote bridge, but
that port actually leads through the tunnel to the ORPort of my bridge

What I had to do to set up the server side: first I went into the DNS
configuration for my domain rinsed-tinsel.site and added the records
	A	tns.rinsed-tinsel.site	points to
	AAAA	tns.rinsed-tinsel.site	points to 2600:3c01::f03c:91ff:fe73:b602
	NS	tor.rinsed-tinsel.site	is managed by tns.rinsed-tinsel.site
The A and AAAA records are the IP addresses of my bridge. Then I ran the
following server commands (plus port forwarding for port 53). Notice
that the tunnel server is configured to terminate the tunnel at the
ORPort of the locally running tor bridge.
	./dnstt-server -gen-key -privkey-file dnstt-tor.key -pubkey-file dnstt-tor.pub
	./dnstt-server -udp :5300 -privkey-file dnstt-tor.key tor.rinsed-tinsel.site

I won't commit to running the server part of the tunnel forever, but
I'll leave it set up the way it is for a while in case you want to try
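
A consistency check for the three server-side DNS records described in the message, as an added example that is not part of the original post or of dnstt. The names Record, sampleZone and CheckDelegation are hypothetical, and 192.0.2.1 is a constructed stand-in because the A record's value does not appear in the message. The check confirms that the tunnel domain is delegated by an NS record, that the name server has an address record, and that the name server's own name sits outside the zone it serves, so resolving it does not depend on the delegation itself.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Record is one DNS record: type, owner name, value.
type Record struct{ Type, Name, Value string }

// sampleZone mirrors the post's records; 192.0.2.1 is a constructed stand-in for the A value.
var sampleZone = []Record{
	{"A", "tns.rinsed-tinsel.site", "192.0.2.1"},
	{"AAAA", "tns.rinsed-tinsel.site", "2600:3c01::f03c:91ff:fe73:b602"},
	{"NS", "tor.rinsed-tinsel.site", "tns.rinsed-tinsel.site"},
}

// canon lowercases a name and drops a trailing root dot so names compare equal.
func canon(s string) string { return strings.ToLower(strings.TrimSuffix(s, ".")) }

// CheckDelegation lists problems with delegating tunnel; an empty result means consistent.
func CheckDelegation(zone []Record, tunnel string) []string {
	tunnel = canon(tunnel)
	problems, found := []string{}, false
	for _, ns := range zone {
		if ns.Type != "NS" || canon(ns.Name) != tunnel {
			continue
		}
		found = true
		host, hasAddr := canon(ns.Value), false
		// The name server must be resolvable without the delegation it provides.
		if host == tunnel || strings.HasSuffix(host, "."+tunnel) {
			problems = append(problems, host+" is inside the delegated zone "+tunnel)
		}
		for _, r := range zone {
			if (r.Type == "A" || r.Type == "AAAA") && canon(r.Name) == host && net.ParseIP(r.Value) != nil {
				hasAddr = true
			}
		}
		if !hasAddr {
			problems = append(problems, host+" has no valid A or AAAA record")
		}
	}
	if !found {
		problems = append(problems, "no NS record delegates "+tunnel)
	}
	return problems
}

func main() { fmt.Println(CheckDelegation(sampleZone, "tor.rinsed-tinsel.site")) }
```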
