TL;DR, if I understand how Tor relays work, Unbound (or any local DNS server) should see a request for example.com coming from localhost or 127.0.0.1. It answers the request, stores it in cache just in case, rinse and repeat. The machine running the exit relay is the one that makes the DNS request, so the only thing you'd get from looking at the DNS cache would be a "Top 100 Websites This Tor Relay Visits" sort of list.
From what I could find, a DNS cache contains the hostname and its associated IP address, nothing more. From what I understand, even if a DNS cache saved the source of the request, it should save "127.0.0.1" or "localhost" as the source, since exit nodes are the source of the request, and simply forward the response back to the client.
I couldn't find anything specific about Unbound, but it seems like there isn't a proper way to read the DNS cache anyway unless you can somehow decode the binary file. I suppose if you know the specific cache file, you could copy it to a different machine with Unbound installed, and possibly extract data from that, but this theory assumes the cache is saved to the hard drive, and it's probably only stored in RAM.
On Sun, Oct 16, 2016 at 2:33 PM, Petrusko petrusko@riseup.net wrote:
Is there a way to know "who" has made this DNS query by reading the cache? Maybe you can know that 30 people have looked for google.com during the last 5 minutes, but knowing "who" made those DNS queries looks difficult? (I'm not an expert on hacking :p)
16/10/2016 21:28, Tristan :
Unbound does cache DNS entries, and there was also serious discussion about whether or not the cache is a privacy risk/anonymity leak, but I feel it's worth the trade-off since public DNS servers do the same thing.
-- Petrusko PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays