[Suggestion] DNS over TCP (at cost of disabling .onion access) #57

Open
phantomcraft opened this issue Apr 8, 2019 · 2 comments

@phantomcraft (Collaborator) commented Apr 8, 2019

DNS over TCP is supported by Linux since 2015-05-07: https://web.archive.org/web/20150518063349/http://man7.org:80/linux/man-pages/man5/resolv.conf.5.html

All that is needed is TCP support by the resolver. I tested many from this list: https://www.publicdns.xyz/
^^ ~95% of them work well with TCP; it wasn't the same 5 years ago, as most DNS servers didn't support TCP DNS.

I was having trouble with that annoying "Google captcha" when browsing with Firefox in orjail, and after tests with some DNS servers I realized that the DNS resolvers were the cause, perhaps because Tor changes the resolvers often in the middle of some accesses. The most stable DNS resolvers I found are anycast.censurfridns.dk (91.239.100.100 | 2001:67c:28a4::) and unicast.censurfridns.dk (89.233.43.71 | 2a01:3a0:53:53::); I didn't get any errors.

The trick is easy, /etc/resolv.conf (or /etc/netns/namespace/resolv.conf) should be:

options use-vc
nameserver <some_server>

Testing with orjail:

sudo orjail -s
# write the file as root: with a bare `sudo echo ... > /etc/resolv.conf` the redirection
# would be performed by the unprivileged shell, not by sudo
printf 'options use-vc\nnameserver 89.233.43.71\n' | sudo tee /etc/resolv.conf >/dev/null
dig +tcp github.com | grep 'SERVER:'   # the SERVER: line shows which resolver answered
curl ifconfig.me

^^ Works well, and should be the same with any transparent proxy as long as TCP port 53 is unblocked by the upstream server. The only disadvantage is that .onion sites will not be reachable with this scheme.
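The scheme above rests on one detail of the stub resolver: with `options use-vc`, glibc sends every query over a TCP connection to the nameserver, which a transparent Tor proxy can carry, whereas UDP/53 would not ride the proxy. As an added example (not orjail's code, and not something the issue author posted), the Python below builds a DNS query, frames it the way TCP requires (a two-byte length prefix, RFC 1035 section 4.2.2), parses a constructed reply, and checks a resolv.conf text for the option; `resolve_over_tcp` is the network variant of the `dig +tcp` line. The reply bytes and the 192.0.2.1 address are constructed so the module runs offline; 89.233.43.71 is the resolver named in the issue.

```python
"""Added example (not orjail's code): what `options use-vc` changes on the wire.

With use-vc, glibc's stub resolver opens a TCP connection to each nameserver
instead of sending UDP datagrams.  On TCP a DNS message is prefixed with a
two-byte big-endian length (RFC 1035 s4.2.2); on UDP the raw message is sent.
Assumptions: SAMPLE_REPLY is constructed, 192.0.2.1 is a documentation address.
"""
import random
import socket
import struct


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query, RD set: header, QNAME as length-prefixed labels, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """TCP framing: two-byte length, then the message.  UDP would send `msg` as-is."""
    return struct.pack(">H", len(msg)) + msg


def unframe_tcp(data: bytes) -> bytes:
    """Strip the TCP length prefix, refusing a stream that stopped mid-message."""
    (n,) = struct.unpack(">H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("short read: TCP DNS message truncated")
    return data[2:2 + n]


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 s4.1.4); return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                      # resume after the 2-byte pointer
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_reply(msg: bytes, expected_txid: int):
    """Return (rcode, [(name, 'A', ip, ttl), ...]) for the IN A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
    return flags & 0xF, answers


def check_resolv_conf(text: str) -> dict:
    """Report whether a resolv.conf text enables use-vc and which nameservers it lists."""
    use_vc, nameservers = False, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "options" and "use-vc" in parts[1:]:
            use_vc = True
        elif parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
    return {"use_vc": use_vc, "nameservers": nameservers}


def resolve_over_tcp(name: str, server: str, port: int = 53, timeout: float = 5.0):
    """Network version of the offline demo: the exchange `dig +tcp` performs."""
    txid = random.randrange(1 << 16)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name, txid)))
        f = s.makefile("rb")                       # buffered read(n) waits for the full count
        (n,) = struct.unpack(">H", f.read(2))
        return parse_reply(f.read(n), txid)


# Constructed reply to build_query("github.com", 0x1234): one A record, TTL 60.
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06github\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("github.com")
    print("udp payload %d bytes, tcp frame %d bytes" % (len(q), len(frame_tcp(q))))
    print(parse_reply(unframe_tcp(frame_tcp(SAMPLE_REPLY)), 0x1234))
    print(check_resolv_conf("options use-vc\nnameserver 89.233.43.71\n"))
```

`check_resolv_conf` is the part worth running against the real file inside the jail: if `use-vc` is missing, glibc uses UDP and the queries go wherever the namespace routes UDP/53, which in orjail's normal setup is Tor's DNSPort rather than the resolver chosen here. A `.onion` name sent to a public resolver comes back with a non-zero rcode instead of an address, which is the loss the issue accepts.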

@adrelanos (Collaborator) commented Apr 12, 2019 via email

@phantomcraft (Collaborator, Author):

I find it interesting to allow the user to choose the DNS server; I have had problems bypassing captchas with my slow connection, and the Uncensored DNS seems to fix that.

An option to allow users to choose their DNS servers, even if it disables the normal Tor DNSPort and hidden services, would be useful.
