Feature #6070

Support arbitrary DNS queries

Added by Tails 2013-07-18 07:50:18 . Updated 2019-05-09 10:08:09 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Deliverable for:




The Tor DNS resolver Tails is currently using lacks support for most types of DNS queries except "A". A better user experience would be provided if Tails was able to resolve any kind of DNS queries out of the box.


Inserting ttdnsd into the DNS resolver loop is the obvious solution. ttdnsd listens for UDP DNS requests and forwards these via the Tor SOCKS proxy to an open recursive DNS resolver on the Internet.

But we cannot just replace pdnsd with ttdnsd as the latter, unlike the former, does no caching at all. The DNS resolution process could then be:

resolv.conf -> DNS forwarding+caching proxy -> ttdnsd -> Tor

Forwarding+caching DNS proxy candidates:

  • pdnsd: already installed on Tails
  • dnsmasq: very flexible DNS forwarder
  • unbound: "recursive-only" caching DNS server which can perform DNSSEC validation of results; the DNSSEC feature is appealing; its "forward zones" feature seems to allow plugging it into the proposed DNS resolution process: forwarding a zone called "." seems sufficient; see Haven SVN for examples that may not be working yet (as of June 2011, see tor-talk ML)

=> keeping our known-working pdnsd configuration seems to be the safe choice.

Work is being done on this topic in our feature/support_arbitrary_dns_queries Git branch.

Merged in devel, with everything but .onion / .exit being resolved using ttdnsd because of bug #3369 on Tor Project’s Trac. This bug was fixed in the Tor 0.2.2.x branch; let’s wait for this release to be stabilized; once we ship it, we can move to "try the Tor resolver first, fallback on ttdnsd if the former fails".

The feature/support_arbitrary_dns_queries Git branch implements the above described policy. Only thing missing is Tor 0.2.2.x.

Tor 0.2.2 is now the official Tor stable tree. Time to merge.

done in 0.8


Related issues

Related to Tails - Feature #6158: Fix secure Icedove autoconfig wizard in Tails Resolved
Blocks Tails - Bug #7453: Pidgin cannot find out the correct XMPP server to connect to, without SRV DNS lookups Confirmed 2014-06-23


#1 Updated by intrigeri 2013-07-19 01:25:14

  • Type of work set to Code

Type of work: Code

#2 Updated by intrigeri 2013-10-03 09:45:57

  • Status changed from Resolved to Confirmed
  • Priority changed from Normal to Low
  • Starter set to No

Reopening, as we’ve removed ttdnsd (too buggy) from the default DNS loop.

#3 Updated by BitingBird 2014-06-09 12:25:19

  • Subject changed from support arbitrary dns queries to Support arbitrary dns queries

#4 Updated by intrigeri 2014-08-11 12:58:52

  • Subject changed from Support arbitrary dns queries to Support arbitrary DNS queries

#5 Updated by intrigeri 2015-01-07 15:04:56

  • blocks Bug #7453: Pidgin cannot find out the correct XMPP server to connect to, without SRV DNS lookups added