<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoPlainText>Here's what I personally recommend: <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>1. Make sure that /etc/resolv.conf contains 127.0.0.1 only. Ensure you have no DNS servers specified in /etc/network/interfaces. This will ensure that all DNS traffic will go through dnsmasq.<o:p></o:p></p><p class=MsoPlainText>2. You can start by editing /etc/dnsmasq.conf as follows:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in'># Only listen on loopback<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>interface=lo<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>bind-interfaces<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in'># DNS servers<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>no-resolv<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>no-poll<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>no-hosts<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=8.8.4.4<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=8.26.56.26<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=74.82.42.42<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=64.6.64.6<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=8.8.8.8<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=8.20.247.20<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>server=64.6.65.6<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in'># Performance<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>cache-size=10000<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>dns-forward-max=2048<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in'># No DHCP or TFTP<o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'>no-dhcp-interface=1<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>3. The value of dns-forward-max is just a rough guess for a high-capacity Exit relay. Please feel free to tune it.<o:p></o:p></p><p class=MsoPlainText>4. Use ss or netstat to make sure that dnsmasq only opens port 53 on the loopback interface (lo, 127.0.0.01) and does not listen on any external network interfaces.<o:p></o:p></p><p class=MsoPlainText>5. If you have iptables configured, please make sure you allow traffic to port 53 from 127.0.0.1.<o:p></o:p></p><p class=MsoPlainText>6. You can find the IP addresses of some public DNS servers here: <a href="https://www.lifewire.com/free-and-public-dns-servers-2626062">https://www.lifewire.com/free-and-public-dns-servers-2626062</a>.<o:p></o:p></p><p class=MsoPlainText>7. Consider adding any DNS servers that your ISP may provide (ask them).<o:p></o:p></p><p class=MsoPlainText>8. PLEASE exclude any DNS servers that attempt to censor/filter any web addresses (such as “Comodo Secure DNS”).<o:p></o:p></p><p class=MsoPlainText>9. I recommend picking DNS servers with the lowest ping latency to your Tor relay (i.e. try pinging them manually).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Thanks for running a Tor relay!<o:p></o:p></p><p class=MsoPlainText>- Igor<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of jpmvtd261@laposte.net<br>Sent: Saturday, October 7, 2017 10:39 AM<br>To: tor-relays@lists.torproject.org<br>Subject: [tor-relays] dnsmasq configuration for an exit relay (Debian)</p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Hello,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I am looking for instructions on how to configure dnsmasq on a Debian exit relay (in order to cache DNS queries).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just local DNS cache.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>If I had to install it without any advice, I would do this :<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>1) Install dnsmaq package with the command "aptitude install dnsmask" .<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>2) Make sure that the first line of the file /etc/resolv.conf is "nameserver 127.0.0.1" (see <a href="https://wiki.debian.org/HowTo/dnsmasq#Local_Caching"><span style='color:windowtext;text-decoration:none'>https://wiki.debian.org/HowTo/dnsmasq#Local_Caching</span></a> ).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>3) Make sure that the file /etc/dnsmasq.conf contains the line "listen-address=127.0.0.1" (to restrict dnsmasq to the local system).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>4) Set the cache size to 10000 by adding or editing this line "cache-size=10000" in the file /etc/dnsmasq.conf (as suggested by Igor Mitrofanov here <a href="https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html"><span style='color:windowtext;text-decoration:none'>https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html</span></a> ).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>5) Reboot (is it necessary ?).<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Does anyone think that this procedure could start a daemon listening on a port of my server ? Or is it safe to do this on my exit relay ?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Regards<o:p></o:p></p><p class=MsoPlainText>_______________________________________________<o:p></o:p></p><p class=MsoPlainText>tor-relays mailing list<o:p></o:p></p><p class=MsoPlainText><a href="mailto:tor-relays@lists.torproject.org"><span style='color:windowtext;text-decoration:none'>tor-relays@lists.torproject.org</span></a><o:p></o:p></p><p class=MsoPlainText><a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays"><span style='color:windowtext;text-decoration:none'>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</span></a><o:p></o:p></p></div></body></html>