Describe the bug
When you enable "Tor control" for an app, AFWall+ creates a NAT rule to redirect DNS from that app's userid over Tor. Unfortunately, this rule usually has no effect, because DNS usually goes via netd, which sends DNS requests as root instead of the app's userid. So DNS queries get leaked to your ISP (or Private DNS provider), revealing every host accessed over Tor. This partly or fully defeats the point of using Tor, depending on setup and use case.
Of course this isn't easily fixed. One option would be to route all DNS from netd over Tor whenever Tor control is enabled for any app. The ideal fix would be to replace netd with a DNS proxy (#1047).
But at the very least, it needs to be clear to users that this is going to happen. Tor users should be able to, and likely do, expect their DNS not to be leaked. If they knew about this, they could take action to avoid it, e.g. use Orbot in VPN mode instead.
Side issue: "Show rules" misses rules in the NAT table. You have to do e.g. iptables -n -L -t nat to see them.
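An added example (not part of this report or of AFWall+) that checks the NAT table output for the condition described above: DNS redirected only for specific app uids, with nothing covering uid 0, which netd uses when it forwards the app's queries. The rule sample, the app uid 10123 and the port numbers are constructed; on a device you would feed it the real `iptables -t nat -S OUTPUT` listing.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S OUTPUT` in the shape the report
# describes: DNS (port 53) from the app's uid (10123, constructed) is
# redirected to a local Tor DNS port (9053, an assumed value), but nothing
# covers uid 0, which is what netd uses when it resolves for the app.
# The plain-TCP redirect to 9040 stands for Tor's transparent-proxy port.
SAMPLE_NAT_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m owner --uid-owner 10123 -m udp --dport 53 -j REDIRECT --to-ports 9053
-A OUTPUT -p tcp -m owner --uid-owner 10123 -m tcp --dport 53 -j REDIRECT --to-ports 9053
-A OUTPUT -p tcp -m owner --uid-owner 10123 -j REDIRECT --to-ports 9040'

# Reads `iptables -t nat -S OUTPUT` lines on stdin and prints one word:
#   none     - no DNS redirect rules at all
#   covered  - a DNS redirect applies to every uid, or explicitly to uid 0
#   leak     - DNS is redirected only for specific non-root uids, so the
#              queries netd sends as root bypass Tor (the bug above)
dns_leak_status() {
    dns_rules=$(grep -e '--dport 53 ' | grep -e '-j REDIRECT' || true)
    if [ -z "$dns_rules" ]; then
        echo none
    elif printf '%s\n' "$dns_rules" | grep -v -e '--uid-owner' | grep -q .; then
        echo covered
    elif printf '%s\n' "$dns_rules" | grep -q -e '--uid-owner 0 '; then
        echo covered
    else
        echo leak
    fi
}

# Stand-alone run against the constructed sample (prints "leak"). On a
# rooted device:  iptables -t nat -S OUTPUT | dns_leak_status
printf '%s\n' "$SAMPLE_NAT_RULES" | dns_leak_status
```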
Additional context
Version 3.5.2 on LOS 18.1.
#957 looks to have been referring to this issue, but it lacked information (it just said "it doesn't work") and was closed.