Great - I think that's it! For whatever reason I had a "SocksPolicy reject *" in my torrc and I did not relate it to the DNSPort config. I removed it and everything seems to be working fine right away. Many thanks!
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 23. November 2018 13:05, teor <t...@riseup.net> wrote:

>
>
> > On 23 Nov 2018, at 21:20, petra...@protonmail.ch wrote:
> >
> > Hi,
> >
> > on a small server I did try to force local DNS requests to the local Tor
> > via iptables/ferm (Nat, Output-Chain, protocol udp dport domain REDIRECT
> > to-ports 5300). Torrc has the following included: 'DNSPort 127.0.0.1:5300'.
> > Unfortunately, it doesn't work as expected, but I get a warning in Tor's
> > notices.log stating "[warn] Rejecting DNS request from disallowed IP" for
> > each DNS request and even after hours of searching around and trying
> > different configs I couldn't find the root cause yet.
>
> This warning comes from the socks policy check:
> https://github.com/torproject/tor/blob/a1b0283040723474377a5746dbd01782a9b7eaa7/src/feature/client/dnsserv.c#L84
>
> > Question: what does "disallowed IP" really mean, i.e. what IPs are allowed
> > by Tor and which ones are not? Any ideas and hints on how to investigate
> > further are highly welcome! :-)
>
> You're right, the documentation and logging isn't great here.
>
> I opened a ticket to fix it:
> https://trac.torproject.org/projects/tor/ticket/28597#comment:2
>
> Have you set the SocksPolicy option?
>
> SocksPolicy policy,policy,…
> Set an entrance policy for this server, to limit who can connect to the
> SocksPort and DNSPort ports. The policies have the same form as exit policies
> below, except that port specifiers are ignored. Any address not matched by
> some entry in the policy is accepted.
>
> https://www.torproject.org/docs/tor-manual.html.en
>
> T

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
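An added example, not part of the thread or of Tor itself: a small Python checker that applies the SocksPolicy semantics quoted from the manual above (entries tried in file order, first match wins, port specifiers ignored, any unmatched address accepted) to constructed torrc fragments and reports which DNS client addresses would be logged as "disallowed IP". The client address Tor sees is the source address of the redirected packet, so pass whichever addresses your host actually uses; the torrc fragments and the addresses 127.0.0.1 and 192.0.2.10 below are constructed.

```python
import ipaddress

# Constructed torrc fragments (not from the thread). The first reproduces the
# setup that produced "Rejecting DNS request from disallowed IP".
TORRC_BROKEN = "DNSPort 127.0.0.1:5300\nSocksPolicy reject *\n"
TORRC_FIXED = "DNSPort 127.0.0.1:5300\nSocksPolicy accept 127.0.0.0/8, reject *\n"
TORRC_NO_POLICY = "DNSPort 127.0.0.1:5300\n"   # no policy at all: everything accepted


def parse_socks_policy(torrc):
    """Return [(action, address_spec), ...] in file order.

    A SocksPolicy line may carry several comma-separated entries. A trailing
    ":port" is dropped because the manual says ports are ignored here.
    """
    entries = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "sockspolicy":
            continue
        for item in parts[1].split(","):
            action, _, spec = item.strip().partition(" ")
            spec = spec.strip()
            if spec.count(":") == 1:            # "1.2.3.4:53" or "*:*" -> drop port
                spec = spec.split(":", 1)[0]
            if action not in ("accept", "reject") or not spec:
                raise ValueError("bad SocksPolicy entry: %r" % item)
            entries.append((action, spec))
    return entries


def _matches(spec, ip):
    # "*" matches everything; anything else is an address or CIDR prefix.
    if spec == "*":
        return True
    return ip in ipaddress.ip_network(spec, strict=False)


def policy_allows(torrc, client_ip):
    """First matching entry wins; an address no entry matches is accepted."""
    ip = ipaddress.ip_address(client_ip)
    for action, spec in parse_socks_policy(torrc):
        if _matches(spec, ip):
            return action == "accept"
    return True


def dns_clients_rejected(torrc, client_ips=("127.0.0.1",)):
    """Client addresses that would trigger the 'disallowed IP' warning."""
    return [ip for ip in client_ips if not policy_allows(torrc, ip)]
```

Run `dns_clients_rejected(TORRC_BROKEN, ("127.0.0.1", "192.0.2.10"))` to see both addresses rejected by `reject *`, and the same call on `TORRC_FIXED` to see only the non-loopback address rejected.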