[anti-censorship-team] How to run Tor Browser through a DoH/DoT tunnel

David Fifield david at bamsoftware.com
Mon Apr 20 05:12:33 UTC 2020


I made a post about the DNS tunnel I have been working on. It uses a DNS
over HTTPS or DNS over TLS resolver for covertness, and the interior of
the tunnel follows the Turbo Tunnel design so the peers can be more free
about when they send to each other.

https://github.com/net4people/bbs/issues/30

It doesn't exist as a proper pluggable transport, but it's pretty easy
to hack together a way to access a bridge through the tunnel. I made the
linked post using Tor Browser through the DNS tunnel. It's just two
steps.


First, get the tunnel client software and run it with the proper
parameters.
	git clone https://www.bamsoftware.com/git/dnstt.git
	cd dnstt-client
	go build
	./dnstt-client -doh https://dns.google/dns-query -pubkey a8090ab2d7b918e69ed4b2340fcd9c2af33c08e3620af98fb9c6a460fb63f76d tor.rinsed-tinsel.site 127.0.0.1:7000
You can replace "https://dns.google/dns-query" with another server from
https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers

Second, in Tor Browser, go to about:preferences#tor, select "Provide a
bridge", and enter
	127.0.0.1:7000 4D6C0DF6DEC9398A4DEF07084F3CD395A96DD2AD
tor will connect to 127.0.0.1:7000 as if it were a remote bridge, but
that port actually leads through the tunnel to the ORPort of my bridge
giygas.


What I had to do to set up the server side: first I went into the DNS
configuration for my domain rinsed-tinsel.site and added the records
	A	tns.rinsed-tinsel.site	points to 192.81.135.242
	AAAA	tns.rinsed-tinsel.site	points to 2600:3c01::f03c:91ff:fe73:b602
	NS	tor.rinsed-tinsel.site	is managed by tns.rinsed-tinsel.site
The A and AAAA records are the IP addresses of my bridge. Then I ran the
following server commands (plus port forwarding for port 53). Notice
that the tunnel server is configured to terminate the tunnel at the
ORPort of the locally running tor bridge.
	./dnstt-server -gen-key -privkey-file dnstt-tor.key -pubkey-file dnstt-tor.pub
	./dnstt-server -udp :5300 -privkey-file dnstt-tor.key tor.rinsed-tinsel.site 192.81.135.242:9001

I won't commit to running the server part of the tunnel forever, but
I'll leave it set up the way it is for a while in case you want to try
it.
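For a concrete picture of what the client side does with each packet, here is a small encoding/decoding illustration: payload bytes are packed into DNS labels under the delegated zone from the post and the query is wrapped as an RFC 8484 DoH GET request to the resolver named above. This is an added example, not dnstt's own code; the base32 label scheme, the TXT query type and the helper names are assumptions made for illustration only.

```python
import base64
import struct
from urllib.parse import urlencode

ZONE = "tor.rinsed-tinsel.site"        # delegated tunnel zone from the post
DOH_URL = "https://dns.google/dns-query"  # DoH resolver used in the post
MAX_LABEL = 63   # RFC 1035 limit per label
MAX_NAME = 255   # RFC 1035 limit for a name in wire format

def encode_name(payload: bytes, zone: str = ZONE) -> str:
    """Pack payload into base32 labels under zone (toy scheme, not dnstt's)."""
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    name = ".".join(labels + [zone])
    # wire size: one length byte per label, the label bytes, a terminating zero
    wire_len = sum(1 + len(label) for label in name.split(".")) + 1
    if wire_len > MAX_NAME:
        raise ValueError(f"name is {wire_len} bytes on the wire, max {MAX_NAME}")
    return name

def decode_name(name: str, zone: str = ZONE) -> bytes:
    """Reverse of encode_name: strip the zone, rejoin labels, restore padding."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("query name is not under the tunnel zone")
    text = name[:-len(suffix)].replace(".", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)

def dns_query_wire(name: str, qtype: int = 16) -> bytes:
    """Minimal DNS query: ID 0 (RFC 8484 cache friendliness), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE (TXT), QCLASS IN

def doh_get_url(payload: bytes) -> str:
    """RFC 8484 GET form: the wire query, base64url without padding, in 'dns='."""
    wire = dns_query_wire(encode_name(payload))
    dns_param = base64.urlsafe_b64encode(wire).decode().rstrip("=")
    return f"{DOH_URL}?{urlencode({'dns': dns_param})}"
```

The size check shows why a tunnel over DNS gets only a few hundred bytes of upstream capacity per query, which is the bottleneck the Turbo Tunnel layer inside dnstt has to live with.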
