Bright Star, thank you for your elaborate explanation!

On Sep 10, 2013, at 09:45 , Bry8 Star wrote:
Set your Recursive/caching DNS-Server portion in BIND to listen on
127.0.0.1:53, And set your machine's Network adapter's DNS-Server
settings to use only 127.0.0.1 as your DNS-Server, then all local
software can use your own DNS-Server, running on 127.0.0.1 ip-address.

That is how I have configured BIND now. I use the registrars' DNS server to resolve my exit nodes' name, so I don't have to expose port 53 publicly.

Best is to turn off any logging/recording in BIND/unbound dns
software, unless you are troubleshooting something.

I have logging enabled because I am seeing a lot of these in /var/log/syslog:

Sep  8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep  8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep  8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep  8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53

Are that many errors to be expected when operating a Tor exit (and thus resolving a lot of unusual domainnames)? Once someone can reassure me this is "normal", I will disable logging.

Moreover, I noticed a lot of wierd upper/lowercase variants, like "wwW.eXAmPLe.CoM". Domainnames are case-insensitive, but the original spelling is forwarded through all resolvers, so this would enable adversaries to do some tracking/tracing if people have misconfigured their Tor client and suffer DNS leakage. May I suggest that Tor converts all domainnames to lowercase before trying to resolve them?

// Yoriz