Recently I posted criticism of Mozilla's new DNS over HTTPS feature, given that they disabled the primary security functionality of it. The user isn't even warned and can be secretly spied on. This blog post details how to use Tor as your system DNS resolver, with instructions for each operating system plus instructions for disabling Firefox's dangerous DNS over HTTPS implementation. If you'd like to read why Firefox's implementation of DNS over HTTPS is harmful, you may read my previous blog post.

Note for Firefox Users

By default Mozilla has DNS over HTTPS enabled on networks that do not request the feature to be disabled. Visit about:config and set network.trr.mode to 5 to completely turn off the feature. I do not trust Mozilla's implementation and you shouldn't either.

Why not use Tor Browser?

Where possible you should download Tor Browser and use it instead. Unfortunately, many websites block the Tor network or show its users a large number of CAPTCHAs (imagine having to check "I'm not a robot" every few minutes; that's the reality for many Tor Browser users).

This alternative solution at least doesn't switch off DNS security just because a network administrator objects to it, and website owners can still see your real IP address, which reduces the number of CAPTCHAs you will see as a result of using this feature. I will emphasize that it is not as private as the Tor Browser Bundle; please keep this in mind if you use this approach.

How to use Tor as your System DNS Resolver on Windows 10

At this time the tooling available on Windows 10 is not in a state where I'm comfortable writing out steps, as I am unsure about several of the security implications. As a temporary workaround I would recommend buying a Raspberry Pi, setting up Linux and a DNS resolver on it, and following the steps below for using Tor on Linux.

How to use Tor as your System DNS Resolver on macOS

Step 0) Install the Homebrew Package Manager

Open the Terminal app on macOS and run the following command: /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)". Follow the prompts and let the package manager install itself. This may take a few minutes to download and configure everything, as Homebrew relies on the Xcode developer tools, which can be quite large.

Step 1) Install the Tor and DNSMasq Homebrew Packages

To get started you will need to run the following two commands: brew install tor and brew install dnsmasq. This installs the Tor and DNSMasq packages (DNSMasq is a small DNS proxy that forwards queries to an upstream resolver).

Step 2) Enable Tor's DNS Resolver

Open /usr/local/etc/torrc with a text editor of your choice. I recommend running nano as root to avoid any permission issues, so run sudo nano /usr/local/etc/torrc and add the line DNSPort 9053 to the bottom. Then run brew services restart tor to restart the Tor service and reload the configuration. This also makes sure the resolver is enabled.

Step 3) Configure DNSMasq

You will need to configure DNSMasq to send your DNS queries to the Tor DNS resolver, since it runs on a non-standard port. To do this run nano /usr/local/etc/dnsmasq/dnsmasq.conf and add the following two lines to the bottom of the file: no-resolv (which stops dnsmasq from fetching DNS servers from /etc/resolv.conf and /etc/hosts) and server=127.0.0.1#9053 (which forwards every query to Tor's DNSPort on the loopback address). Save the file and run sudo brew services restart dnsmasq (since dnsmasq listens on a privileged port (a port below 1024), it must run as root or as a user with special permissions; this is the standard configuration for dnsmasq on macOS systems).

How to use Tor as your System DNS Resolver on Linux

Configuring Tor as your System DNS Resolver on Linux is a bit complex. These instructions only have Debian and Ubuntu in mind. If you use a different Linux distribution you'll need to do your own research to get things working.

Install Tor

For security reasons you should always download Tor from the official repositories. The version in the Ubuntu/Debian apt repos is outdated at best. To install and configure Tor please run the following commands:

  • Finally, open /etc/torrc with a text editor of your choice. I recommend running nano as root to avoid any permission issues, so run sudo nano /etc/torrc and add the line DNSPort 9053 to the bottom. Then run sudo service tor restart to restart the Tor service and reload the configuration. This also makes sure the resolver is enabled.

Install dnsmasq to accept requests and forward them to the Tor DNS Resolver

You will need to configure DNSMasq to send your DNS queries to the Tor DNS resolver, since it runs on a non-standard port. To do this run nano /etc/dnsmasq/dnsmasq.conf and add the following two lines to the bottom of the file: no-resolv (which stops dnsmasq from fetching DNS servers from /etc/resolv.conf and /etc/hosts) and server=127.0.0.1#9053 (which forwards every query to Tor's DNSPort on the loopback address). Save the file and run sudo service dnsmasq restart. I recommend binding to specific interfaces and using the IP address 127.0.0.54 to avoid conflicts with other services running on your machine.
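An added check for the dnsmasq step on both macOS and Linux above (example code written for this edit, not the post's own): it prints the two lines the post says to append and validates a dnsmasq.conf so that the only upstream is Tor's DNSPort, since any extra server= line is a path for queries to leave in clear text. The 127.0.0.54 listen address is the one suggested above; everything else in the script is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original post): emit the dnsmasq lines the post
# asks for and check a dnsmasq.conf so that every query goes only to Tor's
# DNSPort, with no fallback to the resolvers found in /etc/resolv.conf.

TOR_DNS="127.0.0.1#9053"   # Tor DNSPort as configured in torrc above

# Print the lines to append to dnsmasq.conf. If $1 is given it is the
# loopback address dnsmasq should bind to (the post suggests 127.0.0.54)
# so it does not clash with other local resolvers.
tor_dnsmasq_fragment() {
    printf 'no-resolv\nserver=%s\n' "$TOR_DNS"
    [ -n "$1" ] && printf 'listen-address=%s\nbind-interfaces\n' "$1"
    return 0
}

# Validate an existing dnsmasq.conf ($1). Returns 0 only if:
#   1. no-resolv is set, so /etc/resolv.conf upstreams are ignored, and
#   2. the only server= entry is Tor's DNSPort.
# Any other server= line would let queries leave via clear-text DNS.
check_dnsmasq_config() {
    cfg="$1"
    if ! grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$cfg"; then
        echo "$cfg: missing no-resolv, dnsmasq would use /etc/resolv.conf upstreams" >&2
        return 1
    fi
    others=$(grep -E '^[[:space:]]*server=' "$cfg" | grep -vF -- "server=$TOR_DNS" || true)
    if [ -n "$others" ]; then
        echo "$cfg: non-Tor upstream configured: $others" >&2
        return 1
    fi
    if ! grep -Fxq -- "server=$TOR_DNS" "$cfg"; then
        echo "$cfg: Tor DNSPort $TOR_DNS is not configured as an upstream" >&2
        return 1
    fi
    return 0
}
```

Run check_dnsmasq_config against the dnsmasq.conf path for your platform after editing it; a non-zero exit with the reason on stderr means queries could still bypass Tor.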

Remove systemd-resolved and have network manager use dnsmasq instead

Newer versions of Ubuntu have integrated systemd-resolved, a built-in caching DNS resolver, into systemd. This can cause problems with our DNS setup, so it's best to disable it where possible. These instructions are adapted from an answer on AskUbuntu. I've tested them on my personal computer but didn't write or research them. Be aware that this will break some corporate VPN clients (see the LaunchPad issue).

  • Run sudo systemctl disable systemd-resolved and sudo systemctl stop systemd-resolved in a terminal.

  • Next run sudo nano /etc/NetworkManager/NetworkManager.conf and add the following line directly under the [main] section header: dns=default.

  • Run rm /etc/resolv.conf and then sudo systemctl restart NetworkManager. Don't worry, as this will create a new resolv.conf file.

Final Steps

Be sure to go into your network settings and set your DNS resolver to 127.0.0.54, and then things will work as expected.
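An added post-setup check (written for this edit, not part of the original post): it refuses any resolv.conf whose nameserver lines point anywhere other than the local dnsmasq on 127.0.0.54 from the steps above, which is how a re-enabled systemd-resolved or a DHCP-pushed server would quietly bypass Tor, and, when dig is installed, queries Tor's DNSPort directly and through dnsmasq. The default name example.com and the 3-second timeout are assumptions of this example.

```shell
#!/bin/sh
# Added check (not part of the original post): confirm the system resolver
# points only at the local dnsmasq (127.0.0.54 as set above) and, when
# dig is available, that the Tor DNSPort actually answers.

LOCAL_RESOLVER="127.0.0.54"

# Return 0 only if every nameserver line in the given resolv.conf ($1)
# names $LOCAL_RESOLVER. Any other nameserver lets queries bypass Tor,
# which is exactly what happens when systemd-resolved or DHCP re-adds one.
check_resolv_conf() {
    file="$1"
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    if [ -z "$servers" ]; then
        echo "$file: no nameserver lines found" >&2
        return 1
    fi
    for ns in $servers; do
        if [ "$ns" != "$LOCAL_RESOLVER" ]; then
            echo "leak: $file sends queries to $ns, not $LOCAL_RESOLVER" >&2
            return 1
        fi
    done
    return 0
}

# Live check: resolve $1 (default example.com, an assumption) first via Tor's
# DNSPort directly, then via dnsmasq. Needs dig (dnsutils / bind-utils) and a
# running Tor; returns 2 when dig is missing, 1 when either lookup fails.
check_live_resolution() {
    name="${1:-example.com}"
    command -v dig >/dev/null 2>&1 || return 2
    # Short timeout so a missing listener fails fast instead of hanging.
    dig +short +time=3 +tries=1 -p 9053 @127.0.0.1 "$name" A | grep -q . || return 1
    dig +short +time=3 +tries=1 @"$LOCAL_RESOLVER" "$name" A | grep -q . || return 1
    return 0
}
```

Tor's DNSPort answers only A, AAAA and PTR lookups, so other record types (MX, TXT, SRV) failing through this setup is expected behaviour, not a misconfiguration.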