Tor socks dns leak problem fix for win32 (Windows XP) using treewalk

by C. Wilson


The Tor SOCKS DNS leak appears to come from Windows applications resolving hostnames through your normal network connection instead of through the Tor SOCKS tunnel, which reveals your original ISP IP address to whatever DNS server Windows is configured to use. This fix lets you run a DNS nameserver on your own win32 machine, so that no remote (web based) DNS server ever sees your requests. This guide is for Windows XP, but you should be able to set up Windows networking on other win32 OS versions to achieve the same result.

Warning: there are three levels of exposure:

  • All DNS is done through the Tor tunnel. Best security.
  • DNS is resolved by a local DNS server. Middle level of security.
  • DNS requests are sent to a remote DNS server. Lowest level of security.

This document describes how to achieve the middle item: local DNS. The difference is that with a remote (say, ISP) DNS server doing all the resolving, your lookups can be tracked trivially by turning on logging on that DNS server. Ah, why would Mr. Smith be interested in

Both solutions, with a local or a remote DNS server, can also be tracked by logging and tracing DNS traffic on the wire. This is much more bothersome than just turning on logging, which might happen anyway during normal operation. Having a local DNS server has the additional benefit that there is no central choke point through which all DNS traffic passes, because the local DNS server usually sends requests directly to the authoritative DNS servers for the names sought.

Getting Started

I am not an expert at TCP/IP networking, so I am not completely sure this is a solution to the problem. However, when communicating with the Tor server operators, they said that running a DNS server on localhost ( and pointing the Windows network DNS server address to localhost fixes the DNS leak in Tor. You will still get DNS leak warnings in Tor when using, for example, SOCKS5 with Tor, but DNS requests will (in theory) be done locally, not remotely.

First, you have to download TreeWalk at

You may also have to download BIND from

I am not sure whether TreeWalk comes with BIND, or whether BIND has to be installed as well.

Installation and Setup

Windows XP or Windows 2003 fix

You will probably experience problems with TreeWalk if you are running Windows XP or Windows 2003 when using localhost as the DNS server. The following guide fixes the problem:

Due to some changes in the network stack, Microsoft Windows XP, 2003 (and later) may not play well if you use as the DNS address. If you experience excessive CPU usage from the TreeWalk process, try the following:

  • Uninstall TreeWalk, reboot
  • Right click on "My Computer", select "Properties", then "Hardware" and "Add New Hardware"
  • Select the "Add New Hardware" option
  • Select "Add New Hardware" again from the list
  • Select "From a list"
  • Select "Network Cards", then in the left hand list select "Microsoft" and in the right one select "Microsoft Loopback Adapter"
  • Confirm and proceed to install the virtual adapter driver
  • Open the newly installed adapter's properties and set up its TCP settings using a subnet different from any other subnet you're using (a good choice may be using with a subnet mask of
  • Now proceed to install TreeWalk. Once the setup completes, reboot the machine, then edit your TCP settings and replace the DNS address from to the address you used for your loopback adapter (e.g.
  • Reboot again and you'll be up and running

An alternative to the above may be to apply the patch listed in the Microsoft Knowledge Base:;en-us;88402

The instructions above seemed out of context when installing the virtual loopback device in Windows XP, so I suggest using the "Add Hardware" function in Control Panel instead:

  • Click Start, then Control Panel; select "Switch to Classic View" if you are not already in the classic Control Panel view, then select "Add Hardware" and click Next.
  • After Windows searches for new hardware, select "Yes, I have already connected the hardware", then click Next.
  • Scroll through the list, highlight "Add a new hardware device" and click Next.
  • Select "Install the hardware that I manually select from a list" and click Next.
  • Select "Network adapters" and click Next. Under "Manufacturer" select Microsoft, then under "Network adapter" select "Microsoft Loopback Adapter", click Next, then click Next again to complete the install.
  • Follow the directions above to set up the IP and subnet addresses for the loopback adapter.

Install Treewalk

Install TreeWalk before BIND; if the service will not run (click Start, All Programs, TreeWalk, Service, Start DNS Service), then you will need to install BIND.

TreeWalk seems to come pretty much pre-configured, although there are certain settings in the TreeWalk config file, like subnet settings and so forth, which I am not familiar with. The documentation for BIND and TreeWalk does not seem very descriptive on configuring them. The TreeWalk config files are auto-generated when installing TreeWalk. Use them at your own discretion.

Setting up your new local DNS server in Windows networking

Click Start, Control Panel, Network Connections, then right click on your Internet connection and select Properties. Click on "Internet Protocol (TCP/IP)" and select Properties. Select "Use the following DNS server addresses", enter in "Preferred DNS server" and leave "Alternate DNS server" blank. Click OK, click OK again, then right click on your Internet connection and select "Disable". Wait until the connection is disabled, then right click on it again and select "Enable".

Once your Internet connection says "Connected" or "Connected, Firewalled", right click on it again, select Properties, then "Internet Protocol (TCP/IP)", then Properties, and check whether any DNS server addresses are listed other than the one you entered: you should only see in "Preferred DNS server" and a blank in "Alternate DNS server". If not, you must somehow fix this problem on your own. For some reason TreeWalk was automatically adding a DNS server to the "Alternate DNS server" entry when I first began to test TreeWalk. The extra address seemed to be auto-configured by TreeWalk and appeared to be my ISP's DHCP-assigned DNS server or something similar. I cannot at this time provide a way to stop TreeWalk or Windows from automatically adding the alternate DNS server, if that happens on your system at all.

If you are using TreeWalk without the Microsoft Loopback Adapter, make sure localhost ( is in the "Preferred DNS server" box and that no other server address is in the "Alternate DNS server" box before using the TreeWalk DNS server with Tor; otherwise, if a remote (web based) DNS address is present in the Windows DNS configuration, applications that leak DNS requests will still do so. If you are using the loopback device, substitute for the IP address you entered in the TCP/IP field of the loopback device's network properties. Do not use any remote (web based) DNS server addresses in the Windows DNS server configuration.

If you are using the loopback device, only use the loopback address in the "Preferred DNS server" box, and make sure the "Alternate DNS server" box is empty. Using a fake IP or localhost in the alternate DNS box will cause errors, such as " can not be resolved". Checking the DNS status of the connection (click Start, Control Panel, Network Connections, right click on your Internet connection, select Status, select the Support tab, then click Details) should only show the address you configured for the loopback device (if you run Windows XP/2003), or it should show if you are not using the loopback device. No other DNS server addresses should be listed; otherwise you are going to have problems.
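The status check above can also be done from the command line. The script below is an added example, not code from the original page or from the TreeWalk project: it parses the text of `ipconfig /all` and reports every adapter whose DNS server list contains an address other than the local one you configured. The embedded sample output is constructed, and the loopback adapter address 10.10.10.1 and the ISP resolver 203.0.113.53 in it are assumptions.

```python
import re

# Constructed sample of `ipconfig /all` output (not captured from a real XP box).
# It shows the failure mode described above: a remote resolver (203.0.113.53)
# still listed next to the local one on the Internet-facing connection.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 127.0.0.1
                                            203.0.113.53

Ethernet adapter Loopback:

        IP Address. . . . . . . . . . . . : 10.10.10.1
        DNS Servers . . . . . . . . . . . : 10.10.10.1
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_RE = re.compile(r"^\s{20,}(\d+\.\d+\.\d+\.\d+)\s*$")  # 2nd/3rd server: indented IP only

def parse_dns_servers(text):
    """Map adapter name -> DNS servers, in the order Windows will try them."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            servers.setdefault(adapter, [])
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line)
        if m and in_dns:  # continuation lines directly under "DNS Servers"
            servers[adapter].append(m.group(1))
            continue
        in_dns = False
    return servers

def find_leaky_resolvers(servers, allowed):
    """Return {adapter: [servers]} for every resolver not in `allowed`
    (127.0.0.1, or the address you gave the Microsoft Loopback Adapter)."""
    allowed = set(allowed)
    bad = {a: [s for s in addrs if s not in allowed] for a, addrs in servers.items()}
    return {a: s for a, s in bad.items() if s}
```

On the machine itself, feed the real output (for example `subprocess.check_output(["ipconfig", "/all"])`, decoded as text) to `parse_dns_servers` and pass your own local address as `allowed`; any adapter it reports will leak DNS requests outside Tor.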

Starting your local DNS Server

Click Start, All Programs, TreeWalk, Service, Start DNS Service. You should see a command console explaining that it is starting the service. Once the service has started, your new DNS server should be active.


In theory, although Tor will still give a DNS leak warning, you should be free from applications leaking IP information over the Internet. There are other DNS server applications available on the web that provide the same local DNS name service, such as Simple DNS Plus, which in concept achieves the same operation as TreeWalk, but TreeWalk is free of charge.

Your Tor connection should now be corrected concerning DNS leaks. Have fun!

Last modified on Jun 11, 2011, 3:21:02 PM