On 08.10.17 11:46, Toralf Förster wrote:
> May I ask why you prefer Unbound?
The OP was concerned that dnsmasq "could introduce vulnerabilities if not handled properly, because it provides more than just local DNS cache". In contrast, Unbound has a single purpose(*), and I found it to be a reliable, low-impact combination with my Tor nodes -- especially on nodes with scant resources -- that needs very little config data and was designed with security in mind.
I did not mean to say Unbound is the only choice, just that I strongly prefer it over dnsmasq. For my authoritative nameservers I use BIND, but when a resolver suffices, as is the case for Tor nodes, I use Unbound.
-Ralph
(*) http://info.menandmice.com/blog/bid/37244/10-Reasons-to-use-Unbound-DNS is one example blog about Unbound. The DNSSEC config can be much simpler, though, when using auto-trust-anchor-file.
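As an added illustration (not part of the original mail), here is the kind of minimal, resolver-only unbound.conf the message alludes to: loopback-only listening, an unprivileged user, and DNSSEC validation via the auto-trust-anchor-file option from the footnote. The file paths, listening addresses and cache sizes are assumptions for a typical small Linux host.

```conf
# Added example, not from the mailing-list post: a minimal validating
# resolver for a host that only needs a local DNS cache.
# Paths, addresses and sizes below are assumptions, adjust to your system.
server:
    # Listen on loopback only, so nothing on the network can query it.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Drop privileges after binding the port.
    username: "unbound"
    directory: "/etc/unbound"

    # DNSSEC validation. unbound-anchor(8) seeds this file with the root
    # trust anchor and Unbound keeps it current via RFC 5011, so the
    # trust anchor never has to be maintained by hand (path is assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Reveal less about the resolver and about client queries.
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes

    # Small footprint for a node with scant resources.
    num-threads: 1
    msg-cache-size: 4m
    rrset-cache-size: 8m
    prefetch: yes
```

Run `unbound-checkconf` on the file before starting the daemon; it reports unknown options and unreadable paths without binding any sockets.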