Mainly Tor and DNS because that’s what I’ve been doing lately.
Cleanup
Before we start, let’s get into the habit of cleaning up some files when we shut down the computer. For this you need a systemd unit file (see Appendix 1) and a simple script (see Appendix 2). Copy the unit file into the /etc/systemd/system directory, and the script into /etc. The contents of the script are as follows:
The .cache directory is where people find copies of all the webpages you visited, the torrent trackers you connected to, and all those emails you thought you deleted – all 3 GB of them!
After that, take a look at /etc/machine-id. This is a world-readable file containing a huge random number:
0b46feb27a20469da0ee62baaeb51c5c
Sort of a serial number, it is used to uniquely identify Linux computers. You definitely don’t want it on your home network. But since it is required by systemd, generate a new one on shutdown. Actually, there is another copy of this file in /var/lib/dbus/machine-id, so you have to deal with both of them:
dbus-uuidgen > /var/lib/dbus/machine-id
cp /var/lib/dbus/machine-id /etc/machine-id
chmod 444 /etc/machine-id
Next time you start, your computer has a new identity. Add more to the script: bash history, x11/xfce logs, trash folder, whatever… Let’s proceed with Tor Browser installation.
Installing Tor Browser
Download the browser from the “original equipment manufacturer”. It comes as a tar software archive that you unpack in your home directory:
The software is extracted in ~/tor-browser_en-US. Mount this directory on top of your home using Firejail’s --private command:
The browser starts in a container filesystem created on the fly by Firejail. Take a look around; no personally identifiable information should be available:
- home directory with the files from the software archive and some miscellaneous config files created by the browser
- virtually empty /tmp
- small subset of system files in /dev and /etc
- most of everything else is re-mounted read-only after some basic cleanup
If you don’t intend to play music under Tor, also add --machine-id on the command line, and new random numbers will be generated in the sandbox for the files we discussed above.
Network namespace
Use a network namespace for additional fun and glory. This is basically a new TCP/IP stack in kernel space:
- an unused IP address is obtained by ARP-probing your network
- the MAC address allocated by kernel is random by default
- brand new interfaces and routing table
- and a desktop iptables firewall
Find the name of your Ethernet interface (eth0):
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether e0:3f:42:7a:15:09 brd ff:ff:ff:ff:ff:ff
… and start tor:
The command is ugly, but you can set a desktop starter to make your life easier (see Appendix 3).
You can also use firetools to check your new network setting.
Tor DNS
Not many people know that Tor also offers a DNS proxy service. It is restricted to A, AAAA, and PTR requests, which is enough to run a browser or any other desktop application.
The service is built directly into the Tor protocol, and it follows the same privacy and security principles as HTTP traffic over Tor: at least 3 layers of redirection and randomization in a cluster of several thousand servers.
Start by installing the tor package from your distro (Debian example):
Debian starts the proxy automatically upon install. Open /etc/tor/torrc in a text editor and add the following lines at the end of the file:
AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
ClientDNSRejectInternalAddresses 1
Restart the proxy:
Tor should be running at this point on UDP port 53; try it out:
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> @127.0.0.1 example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3600 IN A 93.184.216.34
;; Query time: 266 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 17 08:46:13 EST 2021
;; MSG SIZE rcvd: 45
266 ms query time means your domain was resolved by a server on a different continent. It happens a lot with tor. The numbers I am getting are between 200 and 400 ms. If you end up with an exit node on your continent, probably the query crossed the Atlantic twice.
Try it out, it’s not so bad! For comparison, I get 50 to 100 ms query time for on-continent connections in our own Firejail DNS over HTTPS proxy project.
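To see what the dig exchange above looks like on the wire, and to script the same check against Tor’s DNSPort, here is a small DNS client added for this post (it is not Firejail or Tor code). It assumes Tor is listening on 127.0.0.1:53 as set up above; the sample reply is constructed to match the dig output, and leaks_internal() flags any private address that ClientDNSRejectInternalAddresses should have blocked.

```python
import ipaddress
import socket
import struct

QTYPE = {"A": 1, "PTR": 12, "AAAA": 28}   # the only record types Tor's DNSPort serves
RCODE = {0: "NOERROR", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
def build_query(name, qtype="A", qid=0x1234):
    """Encode one standard recursive query (RD=1) in DNS wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1

def parse_reply(msg):
    """Return (rcode, [addresses]) from a raw reply; only A/AAAA rdata is decoded."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip qname, then qtype and qclass
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype in (1, 28):
            answers.append(str(ipaddress.ip_address(msg[off + 10:off + 10 + rdlen])))
        off += 10 + rdlen
    return RCODE.get(flags & 0xF, str(flags & 0xF)), answers

def leaks_internal(answers):
    """True if any answer is private/loopback; ClientDNSRejectInternalAddresses should prevent this."""
    return any(ipaddress.ip_address(a).is_private for a in answers)

def resolve_via_tor(name, qtype="A", server=("127.0.0.1", 53)):
    """Send the query to Tor's DNSPort (127.0.0.1:53 as set up in the post) and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(build_query(name, qtype), server)
        return parse_reply(s.recv(512))

# Constructed sample reply mirroring the dig output above: id 43746, qr rd ra, example.com A 93.184.216.34, 45 bytes
SAMPLE_REPLY = (struct.pack("!HHHHHH", 43746, 0x8180, 1, 1, 0, 0) + build_query("example.com")[12:]
                + struct.pack("!HHHIH", 0xC00C, 1, 1, 3600, 4) + bytes([93, 184, 216, 34]))
```

Call resolve_via_tor("example.com") with the proxy running to get the live answer; parse_reply(SAMPLE_REPLY) gives the same result offline.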
You can find out where the circuit is terminated using torsocks (apt-get install torsocks):
62.102.148.68 (exit node in Sweden)
As Tor rebuilds the circuit every few minutes, the DNS traffic is continuously moving to another random server.
Odds and Ends
In other news, Fedora 33 implemented something called split DNS, an obscure enterprise feature you would never need on your home network. It also broadcasts all DNS traffic on D-Bus, opening the door for user-space applications to spy on your browsing habits. Sounds great, sign me up!
Run
(or similar) when you play music or videos downloaded over Tor. Media players have the bad habit of going on the web to grab whatever was promised in the metadata. In the process, they de-anonymize the user.
When you are using a DNS proxy – Tor, DoH, or otherwise – it is a good idea to cut down the DNS traffic coming from your browser. On a regular IPv4-only network, go into about:config and disable IPv6 (network.dns.disableIPv6). This will remove half the traffic. Also, install an adblocker – about 40% of all DNS exchanges are ads.
But the easiest way to protect your DNS traffic is to enable DoH in your browser. Don’t necessarily go for the trusted resolver list embedded in the program; there are plenty to choose from. That’s all for now, have fun!
Appendix 1 – systemd unit file
-rw-r--r-- 1 root root 286 Jan 19 09:42 /etc/systemd/system/cleanup.service
$ cat /etc/systemd/system/cleanup.service
[Unit]
Description=Custom shutdown system cleanup
DefaultDependencies=no
Conflicts=reboot.target
Before=poweroff.target halt.target shutdown.target
Requires=poweroff.target
[Service]
Type=oneshot
ExecStart=/etc/cleanup.sh
RemainAfterExit=yes
[Install]
WantedBy=shutdown.target
Reload systemd configuration and enable the service:
$ sudo systemctl enable cleanup
Appendix 2 – cleanup script
I use “sudo -u netblue” to run the rm command as user netblue, just in case I mistype something and end up deleting system files:
-rwxr-xr-x 1 root root 224 Jan 19 09:46 /etc/cleanup.sh
$ cat /etc/cleanup.sh
#!/bin/sh -e
# clear user cache
sudo -u netblue rm -fr /home/netblue/.cache
# bash history, x11/xfce/vnc logs
#sudo -u netblue rm -f /home/netblue/.bash_history
#sudo -u netblue rm -f /home/netblue/.xsession-errors*
#sudo -u netblue rm -f /home/netblue/.xfce4-session.verbose-log*
#sudo -u netblue rm -f /home/netblue/.x11vnc.log*
# machine-id
rm -f /var/lib/dbus/machine-id
dbus-uuidgen > /var/lib/dbus/machine-id
cp /var/lib/dbus/machine-id /etc/machine-id
chmod 444 /etc/machine-id
exit 0
Appendix 3 – Tor Browser desktop file
-rwx--x--x 1 netblue netblue 412 Nov 1 09:20 /home/netblue/Desktop/tor.desktop
$ cat /home/netblue/Desktop/tor.desktop
[Desktop Entry]
Name=Tor
Exec=firejail --private=~/tor-browser_en-US ./start-tor-browser.desktop
#Exec=firejail --net=eth0 --private=~/tor-browser_en-US ./start-tor-browser.desktop
Icon=/home/netblue/.config/tor.svg
Terminal=false
Type=Application
Add an icon somewhere in your home directory and link it in your desktop file, then move the desktop file into the ~/Desktop directory.
Thank you for your interesting tips.
But I have a question: Isn’t it enough to add machine-id to the globals.local profile?
You’re welcome!
Pulseaudio uses machine-id. The pulse server will check the number every time a new client tries to connect. When you start your program with the --machine-id flag, generating a new number, the pulse server will refuse to connect your program, so there will be no sound playing.
If you put it in globals.local, probably only the first program you try to play something with will work, and nothing after that.
I don’t recommend disabling IPv6. No good for the user or for the Tor network. IPv6 Tor helps reduce loads and is often not blocked by sites.
Tor aside, please enable IPv6 privacy extensions on your computers, it helps much. There’s a sysctl to do it.
#saveipv6
Thank you for your comment. If you are on a home network and your ISP doesn’t support IPv6, you might as well disable IPv6 DNS queries (AAAA). It will cut your DNS traffic in half. This is the case for most home users.
Obviously, if you have IPv6 connectivity provided by your ISP, IPv6 will help a lot.
What does “Conflicts=reboot.target” mean in systemd unit file?
Wouldn’t it be better to cleanup on reboot also?
Sure, you can make it go active at reboot also.
the .sh and .service files don’t seem to be working on Mint. I keep getting an error when I run systemd-analyze.
/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
The service doesn’t cleanup anything on my machine or change the ID. I’ve changed the username to be correct for my machine, of course. I made the sh executable as well. Not sure what I’m missing.
Thank you for letting me know. The scripts were tested on Debian 10, I’ll try to install a Mint in a VM.