> On 23 Nov 2018, at 21:20, petra...@protonmail.ch wrote:
> 
> Hi,
> on a small server I did try to force local DNS requests to the local Tor via 
> iptables/ferm (Nat, Output-Chain, protocol udp dport domain REDIRECT to-ports 
> 5300). Torrc has the following included: 'DNSPort 127.0.0.1:5300'.
> 
> Unfortunately, it doesn't work as expected, but I get a warning in Tor's 
> notices.log stating "[warn] Rejecting DNS request from disallowed IP" for 
> each DNS request and even after hours of searching around and trying 
> different configs I couldn't find the root cause yet.

This warning comes from the socks policy check:
https://github.com/torproject/tor/blob/a1b0283040723474377a5746dbd01782a9b7eaa7/src/feature/client/dnsserv.c#L84

> Question: what does "disallowed IP" really mean, i.e. what IPs are allowed by 
> Tor and which ones are not? Any ideas and hints on how to investigate further 
> are highly welcome! :-)

You're right, the documentation and logging aren't great here.

I opened a ticket to fix it:
https://trac.torproject.org/projects/tor/ticket/28597#comment:2

Have you set the SocksPolicy option?

SocksPolicy policy,policy,…
Set an entrance policy for this server, to limit who can connect to the 
SocksPort and DNSPort ports. The policies have the same form as exit policies 
below, except that port specifiers are ignored. Any address not matched by some 
entry in the policy is accepted.

https://www.torproject.org/docs/tor-manual.html.en

T


_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
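To make the "disallowed IP" question concrete, here is an added example (editor's code, not Tor's dnsserv.c and not something either poster wrote) that models the SocksPolicy evaluation the manual excerpt above describes: entries are checked in order, the first match decides, port specifiers are ignored, and a source address that matches no entry is accepted. The two torrc fragments are constructed for illustration; the "private" alias is expanded to the six ranges the tor manual lists (the relay's own public addresses, which Tor also adds, are not modelled), and the whole thing is an assumption about Tor's semantics drawn from the manual text, not a copy of its parser.

```python
"""Model of Tor's SocksPolicy evaluation (added example; not Tor's own code)."""
import ipaddress

# "private" alias ranges as listed in the tor manual. Tor also adds the
# relay's own public addresses; that part is deliberately not modelled.
PRIVATE_RANGES = [
    "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8",
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
]

# Constructed torrc fragments. In the first one a request arriving from
# 127.0.0.1 matches "reject *" first, which is the situation that produces
# "Rejecting DNS request from disallowed IP"; the second one accepts it.
TORRC_REJECTING = """
DNSPort 127.0.0.1:5300
SocksPolicy accept 192.168.1.0/24
SocksPolicy reject *
"""

TORRC_FIXED = """
DNSPort 127.0.0.1:5300
SocksPolicy accept 127.0.0.1
SocksPolicy accept 192.168.1.0/24
SocksPolicy reject *
"""


def _strip_port(addr):
    """Port specifiers are ignored for SocksPolicy; drop ':PORT', ':*' or ':A-B'."""
    if addr.startswith("["):          # bracketed IPv6 with a port, e.g. [::1]:*
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # IPv4 with a port, e.g. 10.0.0.0/8:*
        return addr.split(":")[0]
    return addr                       # bare IPv4, IPv6, *, *4, *6, private


def _networks(addr):
    """Expand one address spec into the ip_network objects it covers."""
    if addr == "*":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if addr == "*4":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if addr == "*6":
        return [ipaddress.ip_network("::/0")]
    if addr == "private":
        return [ipaddress.ip_network(r) for r in PRIVATE_RANGES]
    return [ipaddress.ip_network(addr, strict=False)]


def parse_policy(torrc_lines):
    """Return (verdict, network, entry_text) tuples, in torrc order.

    Accepts 'SocksPolicy accept|reject ADDR' lines, including several
    comma-separated entries on one line; other torrc options are skipped.
    """
    rules = []
    for raw in torrc_lines:
        line = raw.split("#", 1)[0].strip()
        key, _, rest = line.partition(" ")
        if key.lower() != "sockspolicy":
            continue
        for entry in rest.split(","):
            verdict, addr = entry.split()
            if verdict not in ("accept", "reject"):
                raise ValueError("unsupported policy entry: %r" % entry)
            for net in _networks(_strip_port(addr)):
                rules.append((verdict, net, entry.strip()))
    return rules


def evaluate(rules, source_ip):
    """First matching entry wins; an unmatched address is accepted (tor manual)."""
    ip = ipaddress.ip_address(source_ip)
    for verdict, net, text in rules:
        if ip.version == net.version and ip in net:
            return verdict, text
    return "accept", None


def main():
    for name, torrc in (("rejecting", TORRC_REJECTING), ("fixed", TORRC_FIXED)):
        rules = parse_policy(torrc.splitlines())
        for src in ("127.0.0.1", "192.168.1.20", "10.0.0.5"):
            verdict, rule = evaluate(rules, src)
            print(f"{name:9} {src:15} -> {verdict:6} (matched: {rule})")


if __name__ == "__main__":
    main()
```

Run it against your own torrc's SocksPolicy lines and the source address the redirected packets actually carry; a "reject" verdict with the matching entry printed beside it is the "disallowed IP" case, and no SocksPolicy at all yields "accept" for every address.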
