On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> My first thought is to use ISP DNS if it’s available - one of the best things about Tor is the split of trust so why aren’t we doing that with DNS? Another alternative is to use trusted recursive DNSCrypt Resolvers (for example dnscrypt.ca - there are plenty of resolvers like this so use a search engine of your choice to find them).
Assuming you can install whatever software you like, I recommend running your own instance of Unbound on your exit node machines. Current Unbound versions support DNSSEC validation, QNAME minimisation, etc. While using your ISP's resolvers works as a fallback, a local resolver is better and easy enough to set up.
-Ralph
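To illustrate the setup Ralph describes (a local validating Unbound instance on the exit machine, with DNSSEC validation and QNAME minimisation switched on), here is an added example unbound.conf; it is not from the thread or from the Unbound project. The file paths, cache sizes and thread count are assumptions to be adjusted per distribution and machine, and the commented-out forward-zone shows where an ISP resolver would go if you chose forwarding as a fallback instead of full recursion.

```conf
# Example unbound.conf for a Tor exit host (added example, not from the thread).
# Listens only on loopback so that tor's resolver traffic stays on the box.
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # DNSSEC validation. The anchor file is an assumed path; it must be
    # writable by the unbound user and initialised once with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes

    # QNAME minimisation: send only the labels each upstream server needs.
    qname-minimisation: yes

    # Hardening against cache poisoning and fingerprinting.
    harden-glue: yes
    harden-below-nxdomain: yes
    use-caps-for-id: yes
    hide-identity: yes
    hide-version: yes

    # Cache sizing and prefetch for a busy exit (assumed values).
    num-threads: 2
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
    prefetch-key: yes

    # Keep the cache from logging or leaking query contents unnecessarily.
    verbosity: 1
    log-queries: no

# Fallback alternative (not recommended as primary): forward everything to the
# ISP resolver instead of recursing. Placeholder address, replace if used.
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53
```

After installing the file, run unbound-checkconf to validate the syntax, point /etc/resolv.conf (or tor's ServerDNSResolvConfFile) at 127.0.0.1, and confirm validation with `unbound-host -C /etc/unbound/unbound.conf -v <signed-domain>`, which should report the answer as "(secure)". With the forward-zone left commented out, Unbound recurses from the root itself, so the exit's DNS trust does not rest on any single third-party resolver.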