[tor-relays] notices.log: "[warn] Rejecting DNS request from disallowed IP"

teor teor at riseup.net
Fri Nov 23 12:05:42 UTC 2018


> On 23 Nov 2018, at 21:20, petrarca at protonmail.ch wrote:
> 
> Hi,
> on a small server I did try to force local DNS requests to the local Tor via iptables/ferm (Nat, Output-Chain, protocol udp dport domain REDIRECT to-ports 5300). Torrc has the following included: 'DNSPort 127.0.0.1:5300'.
> 
> Unfortunately, it doesn't work as expected, but I get a warning in Tor's notices.log stating "[warn] Rejecting DNS request from disallowed IP" for each DNS request and even after hours of searching around and trying different configs I couldn't find the root cause yet.

This warning comes from the socks policy check:
https://github.com/torproject/tor/blob/a1b0283040723474377a5746dbd01782a9b7eaa7/src/feature/client/dnsserv.c#L84

> Question: what does "disallowed IP" really mean, i.e. what IPs are allowed by Tor and which ones are not? Any ideas and hints on how to investigate further are highly welcome! :-)

You're right, the documentation and logging isn't great here.

I opened a ticket to fix it:
https://trac.torproject.org/projects/tor/ticket/28597#comment:2

Have you set the SocksPolicy option?

SocksPolicy policy,policy,…
Set an entrance policy for this server, to limit who can connect to the SocksPort and DNSPort ports. The policies have the same form as exit policies below, except that port specifiers are ignored. Any address not matched by some entry in the policy is accepted.

https://www.torproject.org/docs/tor-manual.html.en

T
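As an added example (not Tor's code and not part of this thread), the following Python re-implements the SocksPolicy matching rule quoted above from the manual: entries are checked in order, the first match decides, port specifiers are ignored, and an address matched by no entry is accepted. The policy lines and sample source addresses are constructed for illustration; only accept/reject entries with a single address, a CIDR prefix or `*` are handled (keywords such as `private` are not).

```python
import ipaddress

# Illustrative re-implementation of the SocksPolicy semantics described in
# the tor manual. It is not Tor's own policy code (Tor evaluates the policy
# in its C policy/dnsserv code); it only shows which source addresses a given
# policy would reject, i.e. which requests would produce the
# "Rejecting DNS request from disallowed IP" warning.

def _strip_port(pattern):
    """Port specifiers are ignored for SocksPolicy, so drop ':port' if present."""
    if pattern.startswith("["):              # '[v6addr]:port'
        host, _, _ = pattern[1:].partition("]")
        return host
    if pattern.count(":") == 1:              # 'v4addr:port' or 'v4net/m:port'
        return pattern.split(":")[0]
    return pattern                           # bare v4/v6 address, CIDR or '*'

def parse_policy(entries):
    """Turn ['accept 127.0.0.1', 'reject *'] into (accept?, network) pairs."""
    parsed = []
    for entry in entries:
        action, _, pattern = entry.strip().partition(" ")
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown policy action in {entry!r}")
        pattern = _strip_port(pattern.strip())
        if pattern == "*":                   # '*' matches every IPv4 and IPv6 address
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets = [ipaddress.ip_network(pattern, strict=False)]
        for net in nets:
            parsed.append((action == "accept", net))
    return parsed

def socks_policy_allows(entries, source_ip):
    """First matching entry decides; an address matched by no entry is accepted."""
    addr = ipaddress.ip_address(source_ip)
    for accept, net in parse_policy(entries):
        if addr.version == net.version and addr in net:
            return accept
    return True

if __name__ == "__main__":
    # Constructed policy: only loopback may use the SocksPort/DNSPort.
    policy = ["accept 127.0.0.1", "reject *"]
    for src in ("127.0.0.1", "192.0.2.10", "::1"):   # constructed sample sources
        verdict = "accepted" if socks_policy_allows(policy, src) else "rejected (disallowed IP)"
        print(f"{src}: {verdict}")
```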