Hey,
The package Unbound can be nice? I'm using it on the LAN... My Unbound setup is using the root.hints, so I think it's always and only speaking with those root DNS servers... But I've read in some tutorials that ISPs and other "men-in-the-middle" can intercept DNS queries and answer to your server... so this solution can't be 100% secure, like any DNS solution. Here, Unbound is set up to speak only with root DNS servers:
apt-get install unbound
cd /etc/unbound
# download the root.hints file
wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hints
# generate the TLS keys used by the unbound-control channel
unbound-control-setup
# change owner + rights of the generated keys
chown unbound:root unbound_*
chmod 440 unbound_*
# edit unbound.conf to use the root.hints file; the line belongs under "server:", indented
nano /etc/unbound/unbound.conf
    root-hints: "/etc/unbound/root.hints"
# if you want to check your config file
unbound-checkconf /etc/unbound/unbound.conf
# verify that /etc/resolv.conf contains this nameserver (already said, but always check another time!)
nameserver 127.0.0.1
I hope this helps, and is my configuration ok?! And I don't know if Unbound is ready for an exit node (performance)? I'm only using it on some little LAN without any issues.
On 15/05/2016 20:37, Philipp Winter wrote:
I created a new diagram that illustrates the popularity of DNS resolvers used by exit relays. The diagram shows nine autonomous systems that hosted the most popular resolvers at some point over the last months. These autonomous systems are owned by Google, INIT7, LeaseWeb, Visual Online, OVH, OpenDNS, NForce Entertainment, Cyberdyne, and Level3. The x axis shows time and the y axis shows the fraction of DNS requests that the respective AS can observe: https://nymity.ch/dns-traffic-correlation/img/exit-resolvers-2015-05.png
The two most popular setups are Google's 8.8.8.8 and local resolvers, i.e., exit relays doing their own resolution. Occasionally, Google got to see more than 40% of all DNS requests exiting the Tor network. That is concerning, particularly given Google's role in the PRISM program. No other autonomous system is getting even close.
Please refrain from using 8.8.8.8. Instead, set up your own resolver, or at least use the one provided by your ISP. Here's Peter's quick guide on how to set up your own resolvers [1]:
On Thu, Jan 08, 2015 at 04:11:09PM +0100, Peter Palfrader wrote:
o apt-get install unbound
o remove all nameserver entries in /etc/resolv.conf and add one for the local recursor. Either manually or use (untested):
  sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' /etc/resolv.conf
o prevent anything else from modifying that file ever again:
  chattr +i /etc/resolv.conf
Note that running your own resolver is not universally safer because the exposure of DNS requests to network adversaries is greater. It's a tricky trade-off that we are currently trying to understand better [2], but increased exposure to network-level adversaries seems less bad than having Google see almost half of all DNS requests.
If you are wondering how I created the above diagram, have a look at the measurement method [3].
[1] https://lists.torproject.org/pipermail/tor-relays/2015-January/006147.html
[2] https://nymity.ch/dns-traffic-correlation/
[3] https://lists.torproject.org/pipermail/metrics-team/2016-February/000078.html
Cheers,
Philipp
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
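The resolv.conf rewrite from Peter's quick guide (which he marks untested) and the root-hints / unbound-checkconf steps from the reply at the top of the thread, written up as an added POSIX shell example that is not part of either message. File paths are passed in as arguments so the functions can be exercised on a constructed copy before anything under /etc is touched; the /var/lib/unbound/root.key trust-anchor path is an assumption (the Debian package's default), added because DNSSEC validation is what lets the resolver itself reject forged answers of the kind the reply worries about, whereas unbound-control-setup only protects the control channel.

```shell
#!/bin/sh
# Added example, not code from the tor-relays thread. The functions take
# file paths so they can be tried on a scratch copy; the "demo" argument
# runs them on a constructed resolv.conf in a temporary directory.

# Comment out every existing "nameserver" line and append the local
# recursor: the portable equivalent of Peter's (untested) sed one-liner.
# Writes through a temp file because "sed -i" differs between GNU and BSD.
point_resolv_at_local() {
    f="$1"
    sed -e 's/^nameserver /#&/' "$f" > "$f.tmp" &&
        printf 'nameserver 127.0.0.1\n' >> "$f.tmp" &&
        mv "$f.tmp" "$f"
}

# Return 0 only if there is at least one active (uncommented) nameserver
# line and every one of them is 127.0.0.1. This is the "always check
# another time" step: a leftover 8.8.8.8, or no nameserver at all, fails.
check_resolv_local() {
    awk '
        /^[ \t]*nameserver[ \t]/ {
            n++
            if ($2 != "127.0.0.1") bad++
        }
        END { exit (n == 0 || bad > 0) }
    ' "$1"
}

# Write a minimal unbound.conf. root-hints must sit under "server:" and be
# indented, which the one-line form in the thread does not make obvious.
# The trust-anchor path is an assumption (Debian default); it turns on
# DNSSEC validation of the answers the resolver receives.
write_unbound_conf() {
    conf="$1"
    hints="${2:-/etc/unbound/root.hints}"
    anchor="${3:-/var/lib/unbound/root.key}"
    cat > "$conf" <<EOF
server:
    root-hints: "$hints"
    auto-trust-anchor-file: "$anchor"
EOF
}

# Validate the generated config with unbound-checkconf when it is
# installed; otherwise report that and return 0 so the example runs anywhere.
check_unbound_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not installed, skipping" >&2
    fi
}

# Walk through the steps on a constructed resolv.conf (sample data, not a
# real /etc file) so the effect can be inspected before editing the host.
demo() {
    d=$(mktemp -d)
    printf 'search example.org\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$d/resolv.conf"
    check_resolv_local "$d/resolv.conf" && echo "unexpected: already local-only"
    point_resolv_at_local "$d/resolv.conf"
    check_resolv_local "$d/resolv.conf" && echo "resolv.conf now uses 127.0.0.1 only"
    write_unbound_conf "$d/unbound.conf"
    check_unbound_conf "$d/unbound.conf"
    cat "$d/resolv.conf" "$d/unbound.conf"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh resolver-setup.sh demo` to see the rewritten resolv.conf and the generated unbound.conf; on a real host you would call the two write functions with /etc/resolv.conf and /etc/unbound/unbound.conf, then apply Peter's `chattr +i` so nothing rewrites resolv.conf behind your back.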