On 07.10.17 19:39, jpmvtd261@laposte.net wrote:
> It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just a local DNS cache.
Unless you have a particular reason to use "dnsmasq", I strongly suggest you use "unbound" (https://www.unbound.net) instead. It supports DNSSEC and is very easy to configure. Here's a config file for a Tor node with both IPv4 and IPv6 interfaces:

    # /etc/unbound/unbound.conf
    server:
        interface: 127.0.0.1
        interface: ::1
        root-hints: "/etc/unbound/named.cache"
        log-queries: no
        verbosity: 0

Optional: If your node has multiple IP addresses and you want to use a specific one (usually one not used for Tor) for outbound connections, add the line "outgoing-interface: {your-ip-here}" to unbound.conf.
While "log-queries: no" is the default setting, I always add it anyway, in case the unbound authors decide to change this in future releases, however unlikely.
-Ralph
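
Added example, not part of the original message or of the unbound project: a small check that an unbound.conf still matches the settings recommended above (listening on loopback only, "log-queries: no" set explicitly, verbosity 0). The function names and the sample input are constructed for illustration.

```python
import ipaddress

# Constructed sample input: the server clause from the message above.
SAMPLE = """\
server:
    interface: 127.0.0.1
    interface: ::1
    root-hints: "/etc/unbound/named.cache"
    log-queries: no
    verbosity: 0
"""

def parse_server(text):
    """Collect 'key: value' options of the server: clause; keys may repeat."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if not value:                      # clause header such as "server:"
            in_server = key.strip() == "server"
        elif in_server:
            opts.setdefault(key.strip(), []).append(value)
    return opts

def audit(text):
    """Return findings where the config departs from the one in the message."""
    opts, findings = parse_server(text), []
    for addr in opts.get("interface", []):
        host = addr.split("@")[0]          # unbound accepts ip@port
        try:
            if not ipaddress.ip_address(host).is_loopback:
                findings.append(f"interface {addr} is not a loopback address")
        except ValueError:
            findings.append(f"interface {addr} is not an IP literal, check by hand")
    logq = opts.get("log-queries")
    if logq is None:
        findings.append("log-queries not set explicitly")
    elif any(v != "no" for v in logq):
        findings.append("log-queries is enabled")
    if opts.get("verbosity", ["unset"]) != ["0"]:
        findings.append("verbosity is not 0")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

Running it against the real file after each package upgrade catches a resolver that has started listening on a public address or logging queries.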