Webtunnel relays default web page.


I cannot find where the index.nginx-debian.html and/or index.html files that display the nginx default web page reside. They are not in the normal location. I would like to edit it to something more "real". My tunnels do not have other domains residing on the servers.


I know once I know it, I will feel silly. `find / -name` does not dig out anything that seems right.


Gerry


From: DocGerry via tor-relays <tor-relays@lists.torproject.org>
Sent: 22 October 2025 13:25
To: 'Nothing to hide' <mail@nothingtohide.nl>; foreststack@dmc.chat
Cc: tor-relays@lists.torproject.org
Subject: [tor-relays] Re: Exit relays and DNS privacy


Could not SOCAT be your friend?


Could it be set to listen on port 53 and send on to IPv4 anywhere, or IPv6 locally or anywhere?

You can have many IPv6s for free on the main server.


I have just put unbound on my Pi5 PiHole at home and am surprised that it has not added any noticeable delay to requests as it builds up its own cache.


Gerry


From: Nothing to hide via tor-relays <tor-relays@lists.torproject.org>
Sent: 22 October 2025 11:17
To: foreststack@dmc.chat
Cc: tor-relays@lists.torproject.org
Subject: [tor-relays] Re: Exit relays and DNS privacy


Hi forest,

First of all, it's great to see you running relays in such diverse locations. Good job. And indeed IPv4 addresses are insanely expensive nowadays, so alternative strategies to limit their usage are almost always a sound approach.

DNS is a complex topic with many considerations, but I think you're on the right track. Latency-wise, ideally you would find some location that covers a lot of middle ground between the relays, so as to prevent some exit relays having <20 ms DNS latency while others have >200 ms latency. But your relays are spread very far and wide, so this may prove challenging.

Then, timeless timing attack-wise (and also correlation attack-wise!), I think one cache actually is better as long as you configure it properly. In theory, DNS centralization with an extensive cache is actually a good thing for DNS privacy since it limits the viability of correlation attacks. At Nothing to hide we're working on a project to limit timeless timing attacks and correlation attacks severely by making extensive use of DNS caching. As you have noted, we wrote about it before here: https://nothingtohide.nl/blog/improving-dns-privacy/, but do note that we have made some good conceptual progress since then and that this blog is a bit outdated as a result.

We're still working on upgrading our networking and hardware capabilities before we can deploy our new DNS setup (hopefully in Q1-2026) and verify the different hypotheses we made about mitigating these attacks, but at a small scale you could already implement some basic measures. Some examples:

So, "Would it be reasonable to dedicate a single, cheap VPS for DNS queries, and have all my other exits use it as their resolver over DoT?" I think this is a reasonable approach, even when it adds some DNS latency (within reason) to your exit relays. But I would also try (where possible/feasible) to take some countermeasures against some of the more common/easy attacks. I think in many cases (even without extensive countermeasures) a centralized DNS recursor for your own exit relays is, at the very least, not a significant downgrade from running them locally on your exit servers.

When our DNS infra is finally upgraded you're free to use it as well (we can whitelist all your IP addresses), but in terms of latency it might be a bad fit since your relays are situated in other parts of the world. Perhaps there are Tor operators who run DNS recursors in South Africa, Moldova, the US and Canada for you to use :). You could also ask in the IRC operators channel to see whether other operators can provide you with access to their recursors.

Hope this helps, feel free to discuss or ask about this topic!

Have a great day,

tornth

On 21-10-2025 23:49, foreststack@dmc.chat via tor-relays wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello.

I run several exit relays. I'm trying to keep them in diverse locations
(South Africa, Moldova, USA, and Canada so far, with none in any AS
that hosts more than 1% of network bandwidth). I'm using Unbound as a
local recursive DNS resolver so I don't have to trust 3rd parties with
the DNS queries. But I can't run Unbound on the same IP that exit
traffic goes through because some nameservers blacklist Tor, so I use a
second IP. With the price of IPv4s these days, this can inflate the
cost of a budget VPS by a significant percentage of its original cost.

Right now, Unbound is set up with prefetching and key prefetching
enabled, DNSSEC validation enabled, QNAME minimization, a large cache
and negative cache, and a local copy of the root zone (RFC 8806).

Would it be reasonable to dedicate a single, cheap VPS for DNS
queries, and have all my other exits use it as their resolver over DoT?
The way I see it, that has a few pros:

* By saving on IPv4 costs, I can run more relays.
* An attacker who can monitor the outgoing DNS traffic doesn't know
 which relay it is coming from, as all relay DNS queries are mixed.
* By sharing a single cache, there will be more cache hits and less
 need to talk to nameservers and expose queries to them. In other
 words, a nameserver would only know "someone on one of forest's
 relays looked up this site" rather than "someone on this particular
 relay looked up this site".

But I can see there being a few cons as well:

* By sharing a single cache, "timeless timing attacks" may become worse
 because a single lookup will prime the cache of all of my relays.
* Due to their diverse geographical nature, some exits will have sub-
 optimal routes to the "master" resolver, which increases latency and
 allows more entities to know when and how many lookups my servers are
 making (although not what is being looked up, because of DoT).

So what should I do? Run a local recursive resolver on each exit? Set
up my own upstream resolver and point all my exits to it? Try to use the
ISP's resolver and hope that they configure it well? Use some privacy-
friendly upstream resolver like dot.sb? Use a DNS resolver hosted by a
major exit operator, as suggested by Nothing To Hide in his blog post
https://nothingtohide.nl/blog/improving-dns-privacy-on-tor-exit-relays/?

I would like advice on the best solution here.

Regards,
forest
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
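The setup discussed in this thread, shown as an added example (not forest's or Nothing to hide's actual configuration): one central Unbound recursor running the options forest lists (prefetching, key prefetching, DNSSEC validation, QNAME minimisation, large positive and negative caches, a local root zone per RFC 8806), reachable only over DNS-over-TLS on port 853, and a second Unbound on each exit that forwards everything to it over TLS. All addresses, hostnames, certificate paths and the allowed relay ranges are placeholders; the unbound.conf directives themselves are standard.

```conf
# ---------- central resolver VPS: /etc/unbound/unbound.conf (added example) ----------
server:
    # Serve DoT only; nothing listens on plain port 53 from the outside.
    interface: 0.0.0.0@853
    interface: ::0@853
    tls-service-key: "/etc/unbound/tls/resolver.key"   # placeholder paths
    tls-service-pem: "/etc/unbound/tls/resolver.pem"

    # Default deny; allow only the exit relays (placeholder ranges).
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8:1::/48 allow

    # Outgoing queries leave from a separate address, mirroring forest's point
    # that some authoritative servers block addresses seen carrying Tor exit
    # traffic (placeholder address).
    outgoing-interface: 203.0.113.5

    # Options from forest's message.
    prefetch: yes                  # refresh popular records before they expire
    prefetch-key: yes              # fetch DNSKEYs early so validation does not stall
    qname-minimisation: yes        # send only the labels each server needs (RFC 9156)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # DNSSEC validation
    msg-cache-size: 256m           # large positive cache shared by all exits
    rrset-cache-size: 512m
    neg-cache-size: 64m            # large negative cache (NXDOMAIN etc.)

    # Keep the resolver quiet about itself.
    hide-identity: yes
    hide-version: yes

# RFC 8806: keep a local copy of the root zone so priming and most TLD
# lookups never leave the box. for-downstream: no keeps the copy from being
# served as if this were an authoritative root; fallback-enabled lets Unbound
# query the real root servers if the transfer fails.
auth-zone:
    name: "."
    primary: 192.33.4.12        # c.root-servers.net
    primary: 192.5.5.241        # f.root-servers.net
    primary: 193.0.14.129       # k.root-servers.net
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: "/var/lib/unbound/root.zone"

# ---------- each exit relay: /etc/unbound/unbound.conf (added example) ----------
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # CA bundle used to verify the central resolver's certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # A small local cache still absorbs repeat lookups from this exit,
    # which also cuts the cross-continent round trips the thread worries about.
    msg-cache-size: 32m
    rrset-cache-size: 64m

# Forward every query over TLS to the central recursor. The "#hostname"
# suffix makes Unbound check that the server certificate matches that name
# (placeholder address and hostname).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dns.exits.example
```

Tor itself keeps using /etc/resolv.conf on each exit, so pointing that at 127.0.0.1 is all the relay side needs. Whether the shared cache helps or hurts with timeless timing attacks is exactly the open question in the thread; this configuration only implements the layout being discussed, it does not settle that trade-off.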


_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org