Firejail BitTorrent Sandboxing Guide

When it comes to your security and privacy, it is always better to build your own. Like a chef cooking a meal. Good or bad, at least you know what you put in. Here’s our bittorrent recipe, deep-fried edition.


One browser… I guess you’ve seen this picture before. Only the Downloads directory is real, plus some miscellaneous configuration files.

Mozilla Firefox – sandboxed home directory

The bittorrent client is similar: only Downloads. Make sure you save the files in this directory, otherwise you lose them when you close the client.

Transmission-Qt – sandboxed home directory

Note: in general, network-facing applications in Firejail have a downloads-only home directory. We also make the home directory non-executable, and if AppArmor is running on your system we deploy our own profile and enforce it. The only rule is ALWAYS SAVE FILES IN DOWNLOADS!

But the big deal when talking bittorrent is the good old Domain Name Server (DNS). Here is a DNS trace left behind by a bittorrent client, information you cannot justify if they start asking questions. The fix is to encrypt the DNS traffic. We use our own DNS over HTTPS proxy server, available as a separate package.

DNS BitTorrent trace


Cooking Like a Pro

If you are a Debian/Ubuntu user, grab the latest Firejail Security Sandbox and Firejail DoH Proxy (FDNS) .deb archives from here and here. Arch and Fedora people already have the latest Firejail version available in the package manager, and FDNS is a simple ./configure && make && sudo make install.

$ sudo apt-get install ./firejail_xyz.deb
$ sudo apt-get install ./fdns_xyz.deb

Once everything is installed, start the proxy:

$ sudo fdns --daemonize

The proxy chooses a random server from a large list. All servers are non-censoring and non-logging, the vast majority non-corporate. Speed doesn’t seem to be an issue, but we do a very simple geolocation based on your computer’s timezone setting. We don’t send any packets to geolocation services. To track the DNS traffic, as a regular user run

$ fdns --monitor

Time to start the browser and the bittorrent client:

$ firejail --dns= firefox &
$ firejail --dns= transmission-qt &

Firejail allows each sandbox to have its own DNS configuration. In this case we use the loopback address where FDNS listens by default. All the DNS traffic from the two independent sandboxes goes through the proxy. The proxy encrypts it and hopefully bypasses the censorship going on in the ISP network.


Food Safety and Sanitation

Sandbox security has been described in various other places. I’ll talk instead about DNS security. In FDNS we put in place a DNS firewall. It “understands” the DNS protocol and can detect whether harmful traffic is being sneaked into your system. We also apply an adblock filter. Not only does it reduce the DNS traffic, it also eliminates a lot of trackers, malware, and bitcoin miners.

DNS ad traffic

Botnet Command and Control. It is estimated that 90% of malware uses DNS for C&C. Once installed, the malware issues a number of DNS queries to retrieve instructions from the central server. Most of them use DNS TXT or NULL records, although other record types have been seen in the wild. In our DNS firewall we drop all DNS requests other than A (IPv4 address) and AAAA (IPv6 address). These records should be enough to run a regular Linux or Windows desktop, while cleaning up most botnet C&C traffic.

This is a dns2tcp client (sudo apt-get install dns2tcp) trying to connect to a remote server using TXT records:

DNS malware Command&Control traffic

Note: No technology available today will stop a C&C channel based on A or AAAA records. Although the channel has a very low throughput, it is actively being used for DNS tunneling and data exfiltration by highly creative and sufficiently motivated individuals. Probably a lot of state actors too.

Speaking of tunneling, the picture below is an Iodine client (sudo apt-get install iodine) looking for the remote server using various DNS record types. It will finally connect using A records, all other records being dropped by FDNS.

iodine DNS tunneling utility

Note: iodine is mostly used to bypass captive portals in hotels, airports etc. Don’t run it behind FDNS; it will slow down your browsing considerably.

DNS rebinding attacks. We parse the incoming responses and look at the returned IP addresses, and we drop local network addresses (although this particular example could also be a misconfigured DNS server).

DNS Rebinding attack
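The two firewall rules described above (forwarding only A and AAAA queries, and dropping replies that point at local network addresses) as an added example; this is not FDNS code. It is a minimal wire-format DNS parser with a `build()` helper that constructs the sample messages offline; `build()` and `inspect()` are hypothetical names, and all addresses and domain names are constructed.

```python
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28
ALLOWED = {TYPE_A, TYPE_AAAA}      # the only query types the firewall forwards

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), end if end is not None else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n

def build(qname, qtype, addrs=()):
    """Constructed test message: one question, plus an A/AAAA answer per address."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 if addrs else 0x0100, 1, len(addrs), 0, 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for a in addrs:
        ip = ipaddress.ip_address(a)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, 300, len(ip.packed)) + ip.packed
    return msg

def inspect(msg):
    """Return 'forward', or a reason string for dropping this message."""
    _id, _flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if qd != 1:
        return "drop: unexpected question count"
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    if qtype not in ALLOWED:                       # TXT/NULL/etc. used by C&C and tunnels
        return f"drop: query type {qtype} for {qname}"
    for _ in range(an):
        _name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype in ALLOWED:
            ip = ipaddress.ip_address(rdata)
            if ip.is_private or ip.is_loopback or ip.is_link_local:   # rebinding check
                return f"drop: {qname} resolves to local address {ip}"
    return "forward"
```

`inspect(build("c2.example.net", 16))` (a TXT query, as dns2tcp would issue) returns a drop verdict, while a plain A reply for a public address is forwarded and one answering with 192.168.1.1 is dropped.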

And finally CNAME cloaking. Online advertising companies started using cloaking in order to trick web browsers into thinking they are serving first-party advertising instead of third-party. It could even track Tor users. It can be blocked at DNS level by a proxy such as FDNS, or by a real DNS server. In Firefox, use uBlock Origin: Mozilla Firefox runs its own stub DNS resolver and exposes the information necessary to shut them down.

CNAME cloaking used for tracking and advertising

Bon appétit!


7 thoughts on “Firejail BitTorrent Sandboxing Guide”

  1. Pingback: Firejail BitTorrent Sandboxing Guide | OSINT

  2. Pingback: Firejail BitTorrent Sandboxing Guide - ZRaven Consulting

  3. Pingback: Firejail BitTorrent sandboxing guide | 0ddn1x: tricks with *nix

  4. Glenn

    I am having trouble with fdns and I don’t have the knowledge to figure out what is going wrong, so I am just going to throw a bunch of information at you. I am using Debian and when I run “sudo fdns” it outputs “Error: a different DNS server is already running on”. I am running a Pi-Hole on a Raspberry Pi and not on my computer. My DNS queries are routed to the Pi-Hole. I am not aware of any other DNS servers running.
    Also, “fdns --monitor” shows two error messages over and over: “(1) Error: dot timeout” and “(0) Error: failed SSL read, retval 0”.
    Any help would be appreciated.


    1. netblue30 Post author

      They do have a DNS proxy in Ubuntu running by default, I think it is on

      Let’s try to debug it. Reset your computer and login into your desktop. Then, in a terminal run the following commands as a regular user:

      ss -nulp
      cat /etc/resolv.conf
      fdns --proxies

      Post the output here.


  5. Alexsander


    I’ve gotten used to following this tutorial and it worked perfectly on Debian 11 stable. Therefore, after the last update it stopped working; I always get this message when launching Firefox:

    $ firejail --dns= --private firefox-esr
    Reading profile /etc/firejail/firefox-esr.profile
    Reading profile /etc/firejail/firefox.profile
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/firefox-common.profile
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Reading profile /etc/firejail/
    Warning: networking feature is disabled in Firejail configuration file
    Warning: Warning: NVIDIA card detected, nogroups command disabled
    Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
    Parent pid 4680, child pid 4683

    DNS server

    Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
    firejail: util.c:910: create_empty_dir_as_root: Assertion `(s.st_mode & 07777) == (mode)' failed.
    Error: proc 4680 cannot sync with peer: unexpected EOF
    Peer 4683 unexpectedly killed (Segmentation fault)

    Thanks in advance


