Cloudflare Experiments with Hidden Tor Services

We are living in an age where information is one of the most sought-after commodity. Digital information is so valuable that, there are a lot of bidders even to snatch our online browsing history we casually discard with just a button click. Moreover, we also have government agencies like the Security Agencies working undercover, who have their habit of snooping around through the private lives of many around the globe.

To those who are extremely concerned and cautious about their privacy, we can use a variety of methods to conceal our identity on the internet. This means, if you could bear with some extra mouse click and typing, you might be able to hide from the prying eyes of those targeted ad campaigners and super spies. Even though escaping from data scavengers is a troublesome process, we can learn about how they usually obtain our private data and try to safeguard it.

To explain how digital information passes through the internet, let’s take an instant where how the whole process of internet communication going on when you simply visit a URL or more precisely any .onion link (similar to web links but can only be accessed through Tor network).

We can divide the whole process into 3 main gateways.

1. The local device (this includes your browser)
2. Your ISP
3. The pages you visit

Your local machine (PC, Smartphone, tablet etc..) while browsing through the internet may get infected with adware, malware or any other malicious entities. These sophisticated programs may extract your personal information, browser history, and cache files to create a complete profile about you.

But, adequate knowledge about how these programs work and proper diligence can prevent such leaks, keep your system clean and firewall protected and safeguard your data privacy. When it comes to data privacy, your Internet Service Provider (ISP) is one of the most overlooked yet publicly trusted entities who guide you along the way to the web. If required, ISPs can intercept and monitor everything you do online. They can catch your DNS requests and find out what you are trying to find on the web and to some extent can even find which page of a website you are viewing.

In most part of the countries around the globe, it’s not illegal to collect such type of online data and sell it for profit.

Sometimes the Government uses tactics or power to censor content and find radical groups who work against their will by snatching information from ISPs. However, any person on the internet deserves the right to preserve privacy. But to protect it, you need to take matters in your own hands. With proper tools, you can confuse the Internet Service Providers while you make a DNS query on the internet and stay incognito all the time. The answer to all these lies in the collaboration of some open source technologies and resources like Cloudflare Tor DNS Resolver.

Cloudflare Tor DNS Resolver is now open to the public for a beta run. To achieve almost complete anonymity you need:

1. Linux OS
2. Tor Browser
3. Cloudflare Tor DNS resolver

To gain total anonymity it’s always better to use Linux distros as you can decide what should happen in the system all by yourself and can to some extent prevent alien scripts and programs being run on your computer. Otherwise, you can choose a privacy-centric Operating Systems like Tails (The Amnesic Incognito Live System i)OS, which is considered as one of the best for staying anonymous and preserving online privacy while being online. Tails OS routes all its traffic through Tor by default and literally doesn’t store a data or history as it can only be live booted from a flash drive or disc.

Now we can familiarise with Tor:

What is Tor?

Imagine a scenario where in order to connect to www.cloudflare.com, instead of relying on your internet provider to find a path, you go through the following steps to reach Cloudflare.

You calculate the path to your destination like this:

1. You -> Your ISP -> X -> Y -> Z -> www.cloudflare.com
2. You encrypt your packet with Z’s public key, then with Y’s, and finally with X’s.
3. You submit the result to X, who decrypts with their private key.
4. X submits the result to Y, who decrypts with their private key.
5. Y submits the result to Z, who decrypts with their private key to get the original packet.

6. Z submits the packet to www.cloudflare.com

If everyone plays their roles correctly, it is possible to ensure only the entry relay X knows your IP address and only the exit relay Z knows the website you’re connecting you, which simply means no one node can know both your address and your data details at the same time.

This provides you with privacy and anonymity. We can define Tor as a collection of volunteer-run computers and servers around the world acting as relays for a huge network built on top of the Internet where every hop from one relay to the next peels one layer of encryption, hence its name: the onion router. To know where the Tor hidden resolver fits in this picture we need to understand how a usual DNS request completes over a Tor network. Usually, there are 2 methods:

1. Resolve the name directly, then talk to the IP address through Tor;
2. Ask a Tor exit relay to resolve the name publicly and connect to the IP Both ways have its own flaws. While the first option reveals your IP to the DNS resolver and if you are not using DNS over HTTPS or DNS-over-TLS others might be able to view your search query, the second option can expose you to DNS poisoning or sslstrip by bad relays.

These are the weakness of the Tor protocols. But Cloudflare now provides another option:

1. Ask a .onion-based resolver service to resolve your DNS query. CloudFlare .onion-based resolver service is a Tor onion service which forwards all communication on DNS ports to the corresponding ports on 1.1.1.1, which means your IP will be masked by their network’s internal IP.

So, in a nutshell, we can summarize: Using a .onion-based resolver ensures that your ISP never finds out that you’re trying to resolve a domain name, the Exit Nodes don’t get a chance to manipulate DNS replies, and lastly the resolver never finds out your original IP address as the Tor resolver itself is as a Tor onion service. They advertise their public key encoded as an address with .onion TLD and establishes connection entirely inside the Tor network. Even though the new DNS resolver from CloudFlare is sunshine and rainbows, there are also some gray areas to this configuration.

As of now, Tails is the only Linux distros available as a ready-made package aimed at complete anonymity. But to set it up and working is not an easy affair for people who don’t have a clear understanding about some of those under the hood working. Since the internet access through the Tor protocol comprises of all the encryption complexities
and relay creations. One cannot expect blazing fast internet the way normal connections provide through Tor while accessing resources or .onion addresses. Even though the complex encryption methods and relay creations make internet access slow, it serves it’s real purpose for what it’s been made, to ensure anonymity.

Cloudflare Tor DNS resolver is still in an experimental feature for now and it’s clearly stated to refrain from using this setup in a production environment.

With that being said, let’s dive into our super easy tutorial about how to setup Cloudflare DNS resolver for Tor.

1. Download and Install Cloudflare daemon. You can find it here.

2. Verify your installation using the below command:
cloudflared –version

3. Now setup cloudflared as a service that starts with a user login. To do it, just follow the below commands to create a configuration file which will be used by the cloudflared service:

mkdir -p /usr/local/etc/cloudflared
cat << EOF > /usr/local/etc/cloudflared/config.yaml
proxy-dns: true
proxy-dns-upstream:
- https://1.1.1.1/dns-query
- https://1.0.0.1/dns-query
EOF

4. Now let’s install the cloudflare as a service

sudo cloudflared service install
If the configuration was successful you will see the following info in you CLI
INFO[0000] Applied configuration from /usr/local/etc/cloudflared/config.yaml
INFO[0000] Installing Argo Tunnel as an user launch agent
INFO[0000] Outputs are logged in /tmp/com.cloudflare.cloudflared.out.log and
/tmp/com.cloudflare.cloudflared.err.log

5. Now Start a Tor SOCKS proxy and use socat to forward port TCP:443 to localhost :
socat TCP4-LISTEN:443,reuseaddr,fork SOCKS4A:127.0.0.1:dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:4
43,socksport=9150

6. Now edit the hosts file in your system so your machine will treat the .onion address as a local host:

cat << EOF >> /etc/hosts
127.0.0.1 dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion
EOF

7. The final step is to start a local DNS over UDP daemon:

cloudflared proxy-dns –upstream
"https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion/dns-query"
If everything went well, you will get the following info which concludes the whole configuration setup. Also update your DNS resolver configuration.
INFO[0000] Adding DNS upstream
url="https://dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.o
nion/dns-query"
INFO[0000] Starting DNS over HTTPS proxy server addr="dns://localhost:53"
INFO[0000] Starting metrics server addr="127.0.0.1:35659"

With this, you might have got some insights into how to be anonymous on the web. However this method is not a perfect solution for anonymity since everything digital is vulnerable and, it’s just a matter of time to find the vulnerability.

Thanks for dropping by. Ready for the next blog?
https://dev.sysally.com/blog/10-reasons-why-outsourcing-it-support-is-the-best-decision-for-your-business/