
I'm looking for the option in about:config for Firefox that allows access to onion domains.

I've configured an anonymous user on my Ubuntu:

iptables -t nat -A OUTPUT ! -o lo -p tcp -m owner --uid-owner anonymous -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner anonymous -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonymous -j DROP

Tor is well configured too.

DNS works:

$ dig @127.0.0.1 google.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @127.0.0.1 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50585
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             60      IN      A       74.125.224.67

;; Query time: 293 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 22 19:07:47 NOVT 2014
;; MSG SIZE  rcvd: 44

But Firefox doesn't correctly look for onion domains. It looks for www.hash.onion, etc. Thereafter: "Server not found".

In this case, my Firefox is anonymized. I'm getting "Congratulations" from check.torproject.org. But the inner Tor network with onion domains is not accessible.

I have already set:

network.proxy.socks_remote_dns = true

Roya
superuser

3 Answers


For the transparent proxy functionality of Tor to work you also need to set Tor as your DNS server, normally by setting the DNSPort torrc option to 53 and changing your /etc/resolv.conf. See the TransPort instructions for more hints. Without altering your resolver settings, DNS requests will go out to the Internet – not only leaking DNS but also failing to resolve .onion addresses.

However, as puser has said, the transparent proxy feature is not safe for web browsing. Malicious websites can send traffic to your web browsing causing it to de-anonymise you. The Tor Browser Bundle was specifically designed to defend against these threats.

Steven Murdoch
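As an added illustration (not part of Steven Murdoch's answer), here is what the torrc side of that advice looks like. The port numbers match the ones used in the question; the automap lines are an assumption about a typical setup: Tor's DNSPort can only return an address for a .onion name when AutomapHostsOnResolve is on, and VirtualAddrNetworkIPv4 is the range those placeholder addresses come from.

```text
# /etc/tor/torrc (added example; values assumed, not from the answer)
TransPort 9040              # transparent TCP proxy that the nat REDIRECT rule sends traffic to
DNSPort 53                  # answer DNS queries inside Tor, so lookups never leave the box in the clear
AutomapHostsOnResolve 1     # hand back a placeholder address for .onion names instead of NXDOMAIN
VirtualAddrNetworkIPv4 10.192.0.0/10   # pool those placeholder addresses are taken from

# /etc/resolv.conf (added example): point the resolver at Tor's DNSPort
nameserver 127.0.0.1
```

With DNSPort bound on 127.0.0.1 and resolv.conf pointing there, the placeholder address Tor returns for a .onion name is then picked up by the TransPort when the browser connects to it.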

In the search bar, type about:config and accept the risk to continue.

Then find the variable network.dns.blockDotOnion and change it to false. If your network configuration was done correctly, Firefox should now be able to resolve .onion addresses.

Soutzikevich

Closed.

This was a wrong iptables redirect rule that excluded the loopback device from the redirect:

Was:

#iptables -t nat -A OUTPUT ! -o lo -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53

Fix:

iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53

Cause:

/etc/resolv.conf
nameserver 127.0.1.1

bound by dnsmasq, instead of an external IP address.

superuser