Commit c44a41a5 authored by anonym

Design: document tor's new DNS configuration.

Will-fix: #8775
parent a993d3eb
......@@ -15,15 +15,29 @@ Tails also forbids DNS queries to RFC1918 addresses; those might
indeed allow the system to learn the local network's public IP
An exception to the above DNS configuration is the `clearnet` user
used to run the [[contribute/design/Unsafe_Browser]], which uses the
DNS server provided for DHCP for resolving.
`resolv.conf` is configured to point to the Tor DNS resolver, and <span
class="application">NetworkManager<span> and `dhclient` are configured
not to manage `resolv.conf` at all:
* [[!tails_gitweb config/chroot_local-includes/etc/resolv.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/conf.d/dns.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/dhcp/dhclient-enter-hooks.d/disable_make_resolv_conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/resolv.conf]]
* [[!tails_gitweb config/chroot_local-includes/etc/tor/torrc]]
Some applications need to be able to do clearnet DNS resolutions, so
we save the DNS configuration obtained by NetworkManager:
* [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet]]
The following is the complete list of the applications allowed to use
the clearnet DNS configuration:
* the `tor` process itself, but only if the user requested to
configure Tor's network settings in Tails Greeter; in this case
`tor` being able to resolve hostnames is convenient (e.g. hostnames
are human-readable, IP addresses not as much) or even necessary
(e.g. for the Meek pluggable transport):
- [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/]]
* the `clearnet` user used to run the
- [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/unsafe-browser]]
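Review bot: In the "complete list of the applications allowed to use the clearnet DNS configuration", the second item reads "the `clearnet` user used to run the" and then stops, so the sentence never names what that user runs. Finish it with the [[contribute/design/Unsafe_Browser]] link already used at the top of this hunk. The `tor` item links to the whole `dispatcher.d/` directory; because this list is what a reader audits to see which processes may bypass the Tor resolver, link the specific hook that gives `tor` the clearnet resolver instead. Two smaller points: `<span class="application">NetworkManager<span>` closes with `<span>` rather than `</span>`, and `etc/resolv.conf` appears twice in the visible file list, so keep a single entry in the final text.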
......@@ -34,13 +34,18 @@ non-default option called "My Internet Connection is
censored...". When activated, the following deviations from normal
Tails behaviour occur, in order:
1. Tails Greeter adds `DisableNetwork 1` to torrc so Tor will not
0. Tails Greeter adds `DisableNetwork 1` to torrc so Tor will not
connect to the network without user intervention.
2. When we connect to the network, a NetworkManager hook starts Tor
0. The `tor` process is configured to not use the system resolver
(which is `tor` itself ⇒ catch-22) but the DNS server obtained by
NetworkManager instead. This enables the use of hostnames for
proxies and pluggable transports (which is required for e.g. Meek).
0. When we connect to the network, a NetworkManager hook starts Tor
Launcher in the background, i.e. non-blocking.
3. [[Time_syncing]] waits until the user has committed their
0. [[Time_syncing]] waits until the user has committed their
configuration via Tor Launcher and then does its usual magic to
ensure that Tor bootstraps even if the clock was incorrect. That is
the reason why we have to take the more complex approach of
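Review bot: The new step "The `tor` process is configured to not use the system resolver ..." does not say which component makes that change or in which file, unlike the neighbouring steps that name Tails Greeter and the NetworkManager hook. Name the mechanism and link to it (the other hunk already lists `etc/tor/torrc` and `00-resolv-over-clearnet`), so the ordering claim "in order" can be checked against the code. The step should also state the consequence it implies: in this mode the hostnames of proxies and pluggable transports are resolved by the DNS server obtained by NetworkManager, so those lookups leave the machine as clearnet DNS queries outside Tor.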