Hi,
Kill Your TV wrote (07 Aug 2014 12:16:54 GMT) :
> # Redirect system DNS to Tor's DNSport
> daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353
Ah, right. I had completely forgotten that we've done that as part of
the bridges support (commit 69ae076). So, indeed talking to port 5353
is needed.
> but I thought that
> outerface ! lo mod owner uid-owner i2psvc {
> @if $use_i2p proto (tcp udp) ACCEPT;
> }
> would allow DNS resolution.
No, because the resolver is listening on the lo interface.
> When it didn't, I explicitly ACCEPTED DNS requests with
> + @if $use_i2p proto udp dport domain ACCEPT;
> @if $use_i2p proto (tcp udp) ACCEPT;
> because I thought that would override the redirect around line 173, but
> DNS requests made by the i2psvc user still get redirected to the
> TorDNS port.
Indeed, the redirection lives in the OUTPUT chain of the nat table,
so it can't be overridden by anything in the filter table.
> Since the explicit DNS exception didn't do what I expected it to,
> I removed it.
OK, makes sense, and I now understand why I2P is talking to port 5353 :)
Thanks!
Cheers,
--
intrigeri
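The table ordering discussed above, as an added ferm illustration that is not Tails' own ferm.conf: for locally generated packets netfilter runs nat OUTPUT before filter OUTPUT, so by the time an i2psvc DNS query reaches the filter table its destination port is already 5353. The `$use_i2p` variable, the `i2psvc` user and port 5353 come from the thread; the explicit lo/5353 ACCEPT is an assumed way to let the redirected queries through, not the fix Tails actually applied.

```ferm
# Added illustration, not Tails' real firewall configuration.
# Locally generated packets traverse nat OUTPUT first, then filter
# OUTPUT, so a filter-table ACCEPT can never undo a nat REDIRECT.
@def $use_i2p = 1;

domain ip {
    table nat {
        chain OUTPUT {
            # Redirect system DNS to Tor's DNSPort (the quoted rule)
            daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
        }
    }
    table filter {
        chain OUTPUT {
            policy DROP;

            # By now i2psvc's DNS queries carry dport 5353 and go out
            # on lo, so "outerface ! lo" and "dport domain" never match
            # them. Allow the redirected destination instead (assumed rule).
            outerface lo daddr 127.0.0.1 mod owner uid-owner i2psvc {
                @if $use_i2p proto udp dport 5353 ACCEPT;
            }

            # i2psvc's own (non-DNS) traffic leaves via other interfaces
            outerface ! lo mod owner uid-owner i2psvc {
                @if $use_i2p proto (tcp udp) ACCEPT;
            }
        }
    }
}
```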