Here's what I personally recommend:
1. Make sure that /etc/resolv.conf contains 127.0.0.1 only. Ensure you have no DNS servers specified in /etc/network/interfaces. This will ensure that all DNS traffic will go through dnsmasq.
2. You can start by editing /etc/dnsmasq.conf as follows:
# Only listen on loopback
interface=lo
bind-interfaces
# DNS servers
no-resolv
no-poll
no-hosts
server=8.8.4.4
server=8.26.56.26
server=74.82.42.42
server=64.6.64.6
server=8.8.8.8
server=8.20.247.20
server=64.6.65.6
# Performance
cache-size=10000
dns-forward-max=2048
# No DHCP or TFTP (dnsmasq serves neither unless dhcp-range / enable-tftp are set;
# no-dhcp-interface takes an interface name, so keep DHCP off the loopback explicitly)
no-dhcp-interface=lo
3. The value of dns-forward-max is just a rough guess for a high-capacity Exit relay. Please feel free to tune it.
4. Use ss or netstat to make sure that dnsmasq only opens port 53 on the loopback interface (lo, 127.0.0.1) and does not listen on any external network interfaces.
5. If you have iptables configured, please make sure you allow traffic to port 53 from 127.0.0.1.
6. You can find the IP addresses of some public DNS servers here: https://www.lifewire.com/free-and-public-dns-servers-2626062.
7. Consider adding any DNS servers that your ISP may provide (ask them).
8. PLEASE exclude any DNS servers that attempt to censor/filter any web addresses (such as “Comodo Secure DNS”).
9. I recommend picking DNS servers with the lowest ping latency to your Tor relay (i.e. try pinging them manually).
Thanks for running a Tor relay!
- Igor
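The two verification steps in the reply above (resolv.conf pointing only at loopback, and port 53 bound only on loopback per ss), as an added shell example that is not part of the thread. The sample inputs are constructed, and the listener check assumes the column layout of `ss -lntup` (local address:port in column 5).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Both functions read text on
# stdin, so they run against the constructed samples below or against a live host:
#   check_resolv < /etc/resolv.conf
#   ss -lntup | check_listeners

# Exit 0 when at least one nameserver line exists and every one is 127.0.0.1.
# Comment and blank lines are ignored.
check_resolv() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "nameserver" { n++; if ($2 != "127.0.0.1") bad++ }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# Exit 0 when at least one port-53 listener exists and all of them are bound to
# loopback (127.0.0.1 or ::1). Column 5 of `ss -lntup` is Local Address:Port,
# e.g. 127.0.0.1:53, 0.0.0.0:53 or [::]:53; the header line is skipped.
check_listeners() {
    awk '
        NR == 1 { next }
        {
            k = split($5, a, ":"); port = a[k]
            if (port == "53") {
                n++
                if ($5 != "127.0.0.1:53" && $5 != "[::1]:53") bad++
            }
        }
        END { if (n == 0 || bad > 0) exit 1; exit 0 }
    '
}

# --- constructed sample inputs (not captured from a real relay) ---
GOOD_RESOLV='# managed locally
nameserver 127.0.0.1'
BAD_RESOLV='nameserver 127.0.0.1
nameserver 192.0.2.53'
GOOD_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0      32         127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=999,fd=3))'
BAD_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0      32             [::]:53           [::]:*    users:(("dnsmasq",pid=1234,fd=5))'

# Run all four samples; the "bad" ones are expected to be rejected.
demo() {
    printf '%s\n' "$GOOD_RESOLV" | check_resolv    && echo "good resolv: accepted" || echo "good resolv: rejected"
    printf '%s\n' "$BAD_RESOLV"  | check_resolv    && echo "bad resolv: accepted"  || echo "bad resolv: rejected"
    printf '%s\n' "$GOOD_SS"     | check_listeners && echo "good ss: accepted"     || echo "good ss: rejected"
    printf '%s\n' "$BAD_SS"      | check_listeners && echo "bad ss: accepted"      || echo "bad ss: rejected"
}
```

Note that netstat prints its columns in a different order, so pipe `ss -lntup` (not netstat) into check_listeners.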
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of jpmvtd261@laposte.net
Sent: Saturday, October 7, 2017 10:39 AM
To: tor-relays@lists.torproject.org
Subject: [tor-relays] dnsmasq configuration for an exit relay (Debian)
Hello,
I am looking for instructions on how to configure dnsmasq on a Debian exit relay (in order to cache DNS queries).
It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just local DNS cache.
If I had to install it without any advice, I would do this:
1) Install the dnsmasq package with the command "aptitude install dnsmasq".
2) Make sure that the first line of the file /etc/resolv.conf is "nameserver 127.0.0.1" (see https://wiki.debian.org/HowTo/dnsmasq#Local_Caching).
3) Make sure that the file /etc/dnsmasq.conf contains the line "listen-address=127.0.0.1" (to restrict dnsmasq to the local system).
4) Set the cache size to 10000 by adding or editing this line "cache-size=10000" in the file /etc/dnsmasq.conf (as suggested by Igor Mitrofanov here https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html).
5) Reboot (is it necessary?).
Does anyone think that this procedure could start a daemon listening on a port of my server? Or is it safe to do this on my exit relay?
Regards
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays