Best practice for DNS through tor

Jim McClanahan jimmymac at copper.net
Sun Jul 26 09:09:40 UTC 2009


basile wrote:
> 
> Hi everyone,
> 
> I'd like to set up an situation where users on a LAN can optionally
> reroute just their DNS queries through tor.  What I have is a gateway
> router where bind9 runs on udp 53 (caching only) and tor uses DNSPort
> 5300.  I'd like the users to be able to "do something" on their local
> computers which switches DNS queries to the router on port 5300 rather
> than 53.  Any suggestions on a best practices?  Here's what I've tried:
>
>  <snip>

If you have an unused LAN address that is guaranteed to get routed to
your gateway for forwarding, then I *think* the following should work. 
Set your gateway up to redirect any packets sent to this address on port
53 to port 5300 on the gateway (I am just parroting what I think you
said above w/o having any experience about Tor's DNS capabilities;
please adjust details for any misunderstanding I have).  A user would
then use the normal gateway address for normal DNS.  Using the "new"
address would cause the request to go to 5300.  I.e. this changes the
problem from altering the destination port to altering the destination
address.  So the problem then is providing a mechanism for the user to
change the entry in resolv.conf.

>  3) I tried redirection with iptables on the local host but I can't
>  get that to work --- I'm not sure its possible.  ...

I would think that should work.  (I've done similar DNATing -- with DNS
even! :-)  Something like:

iptables -t nat -A OUTPUT -p udp --dport 53 \
   -j DNAT --to-destination $router_ip:5300

And then you need to make sure you don't have any filtering rules
blocking that.  And you could add an analogous rule for tcp/53 if you
feel you need it.

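The client-side DNAT approach from the reply above, written out as an on/off switch (an added example, not from the original post or Tor's own tooling). It assumes the gateway address is passed as an argument, that Tor's DNSPort is 5300 as in the question, and that DRY_RUN=1 prints the iptables commands instead of executing them so the rules can be reviewed before running as root.

```shell
#!/bin/sh
# Switch locally generated DNS traffic to the gateway's Tor DNSPort.
# Assumed (not from the original post): gateway address given as $1,
# DNSPort 5300, DRY_RUN=1 prints the commands rather than running them.
TOR_DNS_PORT=5300

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rule list shared by enable/disable so both always stay in sync.
# $1 = iptables action (-A to add, -D to delete), $2 = gateway address.
dns_rules() {
    action=$1; gw=$2
    for proto in udp tcp; do
        # nat/OUTPUT: rewrite outgoing port-53 queries to gateway:DNSPort.
        run iptables -t nat "$action" OUTPUT -p "$proto" --dport 53 \
            -j DNAT --to-destination "$gw:$TOR_DNS_PORT"
        # filter/OUTPUT: make sure no filtering rule blocks the rewritten packets.
        run iptables "$action" OUTPUT -p "$proto" -d "$gw" \
            --dport "$TOR_DNS_PORT" -j ACCEPT
    done
}

tor_dns_on()  { dns_rules -A "$1"; }
tor_dns_off() { dns_rules -D "$1"; }

# Gateway-side variant from the first paragraph of the reply: queries sent
# to a spare LAN address ($2) on port 53 are redirected to the gateway's
# own DNSPort ($3 = gateway address). $1 = -A or -D.
gateway_alias_rule() {
    run iptables -t nat "$1" PREROUTING -d "$2" -p udp --dport 53 \
        -j DNAT --to-destination "$3:$TOR_DNS_PORT"
}

# Show the active DNAT rules on the client, to confirm which mode is in effect.
tor_dns_status() {
    iptables -t nat -S OUTPUT 2>/dev/null | grep -- "--to-destination" || true
}

case "${1:-}" in
    on)     tor_dns_on "$2" ;;
    off)    tor_dns_off "$2" ;;
    status) tor_dns_status ;;
esac
```

Check with `dig` against a name you know only resolves when the Tor path is in use, since a cached bind9 answer will look identical either way.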


More information about the tor-talk mailing list