On 12/20/2015 03:04 PM, spaceman wrote:
> Hi,
> Although I cannot say how secure this configuration is, you can run this kind of setup client side as well. So:
> Bind --> DNSCrypt Proxy --> Tor --> DNSCrypt Compatible Server
You can do this, but Tor doesn't support all types of DNS queries.
Weasel and velope on #tor-project suggested that I remove DNSCrypt entirely and let Unbound be a recursive resolver against the root DNS servers, which I have now done. This way, I'm not using a third-party DNS server and Unbound is using a large cache and DNSSEC. Although DNSSEC doesn't provide confidentiality for DNS queries, it does provide authentication and integrity checks. Unbound with a large cache and DNSSEC re-enabled is probably superior to Unbound+DNSCrypt without DNSSEC. The point still stands though; you can secure and optimize an exit's DNS using Unbound.
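For reference, here is an example unbound.conf that implements the setup described above on an exit: full recursion against the root servers (no forward-zone, so no third-party resolver), a large cache with prefetching, and DNSSEC validation. This is an added example, not the configuration from the post above or from the Tor or Unbound projects. The file paths for root.hints and root.key, the cache sizes, the thread count and the interface addresses are assumptions to adjust for your host; qname-minimisation and so-reuseport need Unbound 1.5.7 and 1.4.22 or newer respectively, so drop them on older builds.

```conf
# Example unbound.conf for a Tor exit's local recursive resolver.
# Added example; paths, sizes and addresses below are assumptions.
server:
    verbosity: 1
    use-syslog: yes

    # Listen only on loopback; the exit's Tor daemon resolves via
    # /etc/resolv.conf, which should contain "nameserver 127.0.0.1".
    interface: 127.0.0.1
    interface: ::1
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Recurse from the roots. No forward-zone section, so no upstream
    # third-party resolver sees the exit's queries. Path is an assumption;
    # fetch hints from https://www.internic.net/domain/named.root.
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC: RFC 5011 managed trust anchor, initialised with unbound-anchor.
    # Path is an assumption (Debian uses /var/lib/unbound/root.key).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    harden-glue: yes
    harden-below-nxdomain: yes

    # Large cache sizes (assumed values; rrset cache should be about twice
    # the message cache) plus prefetch so hot names stay fresh.
    msg-cache-size: 256m
    rrset-cache-size: 512m
    cache-max-ttl: 86400
    prefetch: yes
    prefetch-key: yes

    # Throughput for an exit: threads and slabs are assumed values,
    # sized to the host's cores (slabs should be a power of two near num-threads).
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 8192
    num-queries-per-thread: 4096
    so-rcvbuf: 4m
    so-sndbuf: 4m
    so-reuseport: yes

    # Cache-poisoning hardening and query privacy toward authoritatives.
    use-caps-for-id: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

After writing the file, run `unbound-anchor -a /var/lib/unbound/root.key` once to seed the trust anchor, then `unbound-checkconf` before restarting. To confirm validation is actually on, `dig @127.0.0.1 +dnssec sigok.verteiltesysteme.net A` should return the `ad` flag, while `dig @127.0.0.1 sigfail.verteiltesysteme.net A` should return SERVFAIL rather than an answer. If Tor should use a resolv.conf other than the system one, torrc's `ServerDNSResolvConfFile` can point at a file containing only `nameserver 127.0.0.1`.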