
Private DNS Resolver as a Tor Hidden Service

DNS is the foundation of internet navigation and one of the most surveilled internet protocols. Every DNS query reveals what domains you access - to your ISP, to commercial DNS resolvers like Google (8.8.8.8) or Cloudflare (1.1.1.1), and to network monitoring systems. Even encrypted DNS (DoH/DoT) only moves the surveillance point from your ISP to the commercial resolver. Running a self-hosted DNS resolver as a Tor hidden service places DNS resolution under your own control: queries travel encrypted through Tor to your resolver, the resolver performs recursive resolution from the root servers (without forwarding to any commercial resolver), and query logs (if any) are stored only on your infrastructure. This guide covers deploying Unbound and AdGuard Home as .onion DNS resolvers.


DNS Privacy Threat Model and Tor's Role

Understanding what a private DNS resolver protects against: (1) ISP DNS logging: ISPs are required by law in many countries to log DNS queries. Using any resolver other than your ISP's still exposes your queries to your ISP unless the DNS query itself is encrypted (DoH/DoT). Routing DNS queries through Tor means your ISP sees Tor traffic, not DNS queries. (2) Commercial resolver logging: Google DNS, Cloudflare DNS, and other commercial resolvers have privacy policies but can be compelled by legal process to produce query logs. A self-hosted resolver produces query logs you control. (3) DNS-based censorship: ISPs and governments manipulate DNS responses to block access to certain domains. A resolver that performs its own recursive resolution from root servers returns accurate responses regardless of ISP or governmental interference. Tor provides the transport layer that makes all three protections practical.

Deploying Unbound as a .onion Recursive Resolver

Unbound is a validating, recursive, caching DNS resolver. Install: apt install unbound. Configure /etc/unbound/unbound.conf: set interface: 127.0.0.1 and interface: ::1 (localhost only), port: 53, access-control: 127.0.0.1/32 allow, enable DNSSEC validation (auto-trust-anchor-file: /var/lib/unbound/root.key), enable DNS-over-TLS for upstream queries (forward-tls-upstream: yes if using forward zones). Configure Tor to expose Unbound: HiddenServicePort 53 127.0.0.1:53 in torrc. Clients route DNS queries through Tor to the .onion resolver using DNSPort in their local Tor configuration or via torsocks. Unbound performs full recursive resolution from root servers by default - no forwarding to external resolvers unless explicitly configured.

AdGuard Home as a .onion DNS Resolver with Ad Blocking

AdGuard Home combines DNS resolution with ad and tracker blocking using DNS blocklists. Install from the official script or package. Configure AdGuard Home to listen on 127.0.0.1:53 (DNS) and 127.0.0.1:3000 (web interface). Configure Tor to expose both: HiddenServicePort 53 127.0.0.1:53 and HiddenServicePort 80 127.0.0.1:3000. The web interface is accessible via Tor Browser for managing blocklists and viewing query statistics. AdGuard Home forwards DNS to upstream resolvers (configure to use DNS-over-HTTPS to Quad9 or Cloudflare, or configure Unbound as the upstream). The combination of AdGuard Home for ad blocking and Unbound for recursive resolution provides both privacy and content filtering. Blocklist updates: configure AdGuard Home to fetch blocklist updates through Tor by setting HTTP_PROXY in the AdGuard Home service environment.

Client Configuration for .onion DNS

Configuring clients to use a .onion DNS resolver requires the client to be connected to Tor. Configuration options: (1) Tor's DNSPort: configure the local Tor client with DNSPort 5353 in torrc. Set system DNS to 127.0.0.1:5353. Tor then resolves DNS using its own mechanism (exit node resolution), not your .onion resolver - this resolves domain names but does not use your private resolver. (2) For true .onion resolver usage: configure the local Tor client to route DNS queries through a SOCKS proxy to the .onion resolver. This requires additional configuration. (3) Application-level DNS: configure individual applications to use a SOCKS5 proxy (Tor) and rely on socks5h (resolve via proxy) for DNS. The application's DNS queries are resolved by the proxy endpoint (your .onion resolver).
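As an added example (not code from the original guide), a minimal Python client for option (2): it connects through the local Tor SOCKS5 port to the resolver's .onion name and sends the query as DNS over TCP, because onion services carry TCP streams only, so a plain UDP port 53 client cannot reach the resolver. The SOCKS port, the placeholder .onion name and the DNS message layout are assumptions spelled out in the comments; with this path the query is answered by your resolver rather than by a Tor exit node.

```python
import socket
import struct

# Assumed, not from the page: local Tor SOCKS5 port and a placeholder .onion name for the resolver.
TOR_SOCKS = ("127.0.0.1", 9050)
RESOLVER_ONION = "REPLACE-WITH-YOUR-RESOLVER.onion"  # placeholder, not a real service

def build_query(name, qtype=1, txid=0x1234):
    """One-question DNS query (RD set, QCLASS IN); qtype 1 = A record."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(msg, off):  # offset just past a name; a 0xC0 compression pointer is two bytes and ends it
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg):
    """IPv4 addresses in the answer section; empty list when RCODE is not NOERROR."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):                        # question: name, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):                        # RR: name, TYPE, CLASS, TTL, RDLENGTH, RDATA
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def query_via_tor(name, onion=RESOLVER_ONION, socks=TOR_SOCKS):
    """Send the query as DNS-over-TCP to the .onion resolver via Tor's SOCKS5 port (Tor carries TCP only)."""
    with socket.create_connection(socks, timeout=60) as s:
        s.sendall(b"\x05\x01\x00")                            # greeting: SOCKS5, no authentication
        if s.recv(2) != b"\x05\x00":
            raise ConnectionError("SOCKS5 handshake rejected")
        host = onion.encode()                                  # ATYP 3: Tor resolves the .onion itself
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack(">H", 53))
        if s.recv(10)[1:2] != b"\x00":
            raise ConnectionError("SOCKS5 CONNECT to the onion service failed")
        q = build_query(name)
        s.sendall(struct.pack(">H", len(q)) + q)               # RFC 1035 TCP framing: 2-byte length prefix
        f = s.makefile("rb")
        (n,) = struct.unpack(">H", f.read(2))
        return parse_a_records(f.read(n))
```

Run `query_via_tor("www.example.com")` on a host with a Tor client listening on the SOCKS port; the same framing works against the AdGuard Home onion service described above, since both expose port 53 over TCP.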

Monitoring and Query Analytics

A self-hosted DNS resolver provides visibility into your DNS query patterns without sharing this data with third parties. Unbound query logs: enable log-queries: yes in unbound.conf. Logs show every query resolved, including domain, query type, and response. For analytics: forward logs to a log aggregation tool. AdGuard Home includes a built-in query log viewer accessible via its web interface (.onion URL). Review query logs to: identify applications making unexpected DNS queries (potential data exfiltration), see which domains are blocked by your blocklists, monitor resolver performance (response times), and audit DNS query volume for anomaly detection. Keep query logs only as long as needed - they are a privacy-sensitive data source.
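As an added example (not part of the original guide), a small Python pass over Unbound query-log lines that implements the "unexpected DNS queries" review above: it groups queries by zone and flags zones receiving many long, high-entropy subdomains, the shape DNS tunnelling and exfiltration leave behind. The log lines are constructed here in the shape Unbound's log-queries output takes, and the thresholds are assumptions to tune against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample in the shape of Unbound output with log-queries: yes (syslog prefix omitted).
# Behind an onion service every query arrives from 127.0.0.1, so grouping by client tells you nothing.
SAMPLE_LOG = """\
unbound[812:0] info: 127.0.0.1 www.debian.org. A IN
unbound[812:0] info: 127.0.0.1 deb.debian.org. AAAA IN
unbound[812:0] info: 127.0.0.1 7a3f9c0e1b2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f.updates.example-cdn.net. TXT IN
unbound[812:0] info: 127.0.0.1 8b4e0d1f2c3a5b6c7d8e9f0a1b2c3d4e5f6a7b8c.updates.example-cdn.net. TXT IN
unbound[812:0] info: 127.0.0.1 9c5f1e2a3d4b6c7d8e9f0a1b2c3d4e5f6a7b8c9d.updates.example-cdn.net. TXT IN
unbound[812:0] info: 127.0.0.1 wiki.debian.org. A IN
"""

QUERY_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+)\. (?P<qtype>\S+) IN$")

def parse_queries(text):
    """Yield (qname, qtype) from Unbound query-log lines; other lines are ignored."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["qname"].lower(), m["qtype"]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def suspicious_zones(text, min_subdomains=3, min_label_len=30, min_entropy=3.5):
    """Zones (last two labels) whose leftmost labels are many, long and high-entropy: the tunnelling shape."""
    zones = defaultdict(set)
    for qname, qtype in parse_queries(text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue
        first, zone = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label_len and entropy(first) >= min_entropy:
            zones[zone].add(first)
    return sorted(z for z, labels in zones.items() if len(labels) >= min_subdomains)

def type_histogram(text):
    """Count queries per record type; a spike in TXT or NULL relative to A/AAAA is worth a look."""
    hist = defaultdict(int)
    for _, qtype in parse_queries(text):
        hist[qtype] += 1
    return dict(hist)

if __name__ == "__main__":
    print("suspicious zones:", suspicious_zones(SAMPLE_LOG))
    print("query types:", type_histogram(SAMPLE_LOG))
```

Feed it the Unbound log file (or the journal output) instead of SAMPLE_LOG; because the resolver only ever sees 127.0.0.1 behind Tor, tying a flagged zone back to a device has to happen on the client side.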
