El 08/10/17 a las 09:17, Ralph Seichter escribió:
On 07.10.17 19:39, jpmvtd261@laposte.net wrote:
It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just local DNS cache.
Unless you have a particular reason to use "dnsmasq", I strongly suggest you use "unbound" (https://www.unbound.net) instead. It supports DNSSEC and is very easy to configure. Here's a config file for a Tor node with both IPv4 and IPv6 interfaces:
# /etc/unbound/unbound.conf server: interface: 127.0.0.1 interface: ::1 root-hints: "/etc/unbound/named.cache" log-queries: no verbosity: 0
Optional: If your node has multiple IP addresses and you want to use a specific one (usually one not used for Tor) for outbound connections, add the line "outgoing-interface: {your-ip-here}" to unbound.conf.
While "log-queries: no" is the default setting, I always add it anyway, in case the unbound authors decide to change this in future releases, however unlikely.
I would also suggest to use DNS-over-TLS, so (exit) relays could be able to encrypt their queries to a privacy-aware DNS resolver, such as those found in: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
server: ssl-upstream: yes
forward-zone: name: "." forward-addr: 2001:470:1c:76d::53@853 # dkg - dns.cmrg.net forward-addr: 199.58.81.218@853 # dkg - dns.cmrg.net forward-addr: 2a04:b900:0:100::37@853 # getdnsapi.net forward-addr: 185.49.141.37@853 # getdnsapi.net forward-addr: 2001:913::8@853 # LDN forward-addr: 80.67.188.188@853 # LDN ...
Other more privacy-aware option is to use the Stubby DNS privacy daemon, but it is still to experimental:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby