Please see the RFC that describes the recursive resolution algorithm: https://tools.ietf.org/html/rfc1034.
Unbound is a simple recursive resolver. If it does not know the IP, it has to ask - there is no way around asking. The fact that you do not know what network links Unbound relies on ("just let it do its magic") does not make your Exit relay any more secure.
Unbound's upstream requests can be intercepted and used in traffic correlation just like any other. Yes, Unbound follows the recursive protocol and works with the hierarchy from the root DNS servers down, but your ISP can still observe your entire DNS activity. This is very similar to running dnsmasq configured to work with the DNS server hosted by the ISP (which then performs the recursive functions) - except in my case there isn't one.
On Sun, Oct 8, 2017 at 10:59 AM, Ralph Seichter m16+tor@monksofcool.net wrote:
On 08.10.17 19:48, Igor Mitrofanov wrote:
My hosting provider runs no DNS servers and recommends using 8.8.x.x, so I have to pick something.
You don't have to pick, and this is not meant to be patronising. Install Unbound with the few lines of configuration I posted earlier in this thread, and set your /etc/resolv.conf to "nameserver 127.0.0.1". Unbound will contact upstream servers as required. You don't have to configure *any* upstream servers manually.
See https://en.wikipedia.org/wiki/Domain_Name_System "Address resolution mechanism" for what will happen under the hood.
-Ralph
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
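Added example, not code from the thread and not the "few lines of configuration" Ralph refers to (those are not on this page). It puts a minimal Unbound configuration that recurses on its own next to one that forwards everything to a third-party resolver, then gives two checks a relay operator can run against such files: does unbound.conf contain any forwarders, and does /etc/resolv.conf point only at loopback. The file contents, option values and paths are constructed for illustration. Note that neither setup hides anything from the network path: with recursion the queries to the root, TLD and authoritative servers still cross the provider's links, as Igor points out; what the recursive setup removes is the single third-party resolver that would otherwise see every query.

```sh
#!/bin/sh
# Added example, not code from the tor-relays thread. File contents and
# option values below are constructed assumptions for illustration.

# Recursive setup: no forward-zone at all, so Unbound starts at the root
# servers (built-in root hints) and walks down the hierarchy itself.
RECURSIVE_CONF='server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
'

# Forwarding setup: the same server block plus a forward-zone for ".",
# which sends every query to the listed resolvers instead of recursing.
FORWARDING_CONF='server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
'

# Print any forward-addr/forward-host lines in the Unbound config text passed
# as $1. Exit status 0 means some zone is forwarded upstream, 1 means none.
unbound_forwards() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*forward-(addr|host):'
}

# Exit 0 only if the resolv.conf text passed as $1 has at least one
# nameserver line and every one of them points at loopback (127.0.0.0/8 or
# ::1). A second, non-loopback nameserver would act as a fallback and send
# queries past the local Unbound, so it is treated as a failure.
resolv_uses_loopback() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { n++; if ($2 !~ /^127\./ && $2 != "::1") bad++ }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# Demonstration on the constructed inputs.
if unbound_forwards "$FORWARDING_CONF" >/dev/null; then
    echo "FORWARDING_CONF: queries are handed to a third-party resolver"
fi
if ! unbound_forwards "$RECURSIVE_CONF" >/dev/null; then
    echo "RECURSIVE_CONF: no forwarders, Unbound recurses from the root"
fi
if resolv_uses_loopback 'nameserver 127.0.0.1'; then
    echo "resolv.conf with only 127.0.0.1: OK"
fi
if ! resolv_uses_loopback 'nameserver 127.0.0.1
nameserver 8.8.8.8'; then
    echo "resolv.conf with an 8.8.8.8 fallback: NOT OK"
fi

# On a live host, run the same checks against the real files:
#   unbound_forwards "$(cat /etc/unbound/unbound.conf)"   # expect exit 1
#   resolv_uses_loopback "$(cat /etc/resolv.conf)"        # expect exit 0
```

The path /etc/unbound/unbound.conf is the usual default but varies by distribution, and the real config may pull in further files via include:, so check those too. After editing the config, unbound-checkconf validates the syntax before a restart.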