On 01/08/2015 10:04 AM, Nick Mathewson wrote:
Hi, all!
While looking into a bug report, I noticed that an exit node was using one of Google's well-known public DNS servers for its own DNS server.
No disrespect to the operators of Google's fine public DNS service, but my sense is that using it for a Tor exit node might not be the greatest idea for users' privacy, having one DNS provider that gets to see so many requests. It's probably a better idea to have your own local caching DNS server.
Would anybody like to share a guide about how to set one of those up safely and migrate correctly?
best wishes,
Nick
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I actually just switched to unbound, which is included in the OpenBSD base system as of the most recent release.
Aside from starting it, all you have to do is add the following to your /etc/rc.conf.local so that it starts up on boot:
unbound_flags=""
And add 'nameserver 127.0.0.1' as the first line of your /etc/resolv.conf.tail (and, for the time being, /etc/resolv.conf - see the man pages for details). I still have an OpenDNS server and a Google server listed below it in case something goes wrong with the local one.
Here's Michael Lucas's guide, which includes information on how to test your DNS server, how to restrict access (although that seems to be default now), and how to set up DNSSEC in a minute or two:
http://blather.michaelwlucas.com/archives/580
Ignore his installation instructions. They were written before it was included in the base system.
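The resolv.conf step from the reply above, as an added example that is not from either poster: a small POSIX sh helper that puts the local unbound resolver first in a resolv.conf-style file while keeping the existing upstream entries as fallbacks, plus a check a relay operator can run after migrating. File paths and the sample nameserver entries are constructed for illustration; on OpenBSD you would point it at /etc/resolv.conf.tail (and, as the reply notes, /etc/resolv.conf).

```shell
#!/bin/sh
# Added example, not code from the thread. Rewrites a resolv.conf-style file so
# that the local caching resolver (127.0.0.1) is queried first and the old
# upstream resolvers only serve as fallbacks, then lets you verify the result.

# Put "nameserver 127.0.0.1" on the first line of $1. Idempotent: an existing
# 127.0.0.1 entry is dropped before the new first line is written, so running
# it twice does not duplicate it. Other lines (comments, lookup, other
# nameservers) are preserved in their original order.
ensure_local_nameserver_first() {
    file=$1
    tmp=$(mktemp) || return 1
    {
        printf 'nameserver 127.0.0.1\n'
        awk '!($1 == "nameserver" && $2 == "127.0.0.1")' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# Succeeds only if the first nameserver the resolver library would try is the
# local one; this is the post-migration check for an exit node.
first_nameserver_is_local() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ]
}

# Number of nameserver lines, to confirm the fallbacks survived the rewrite.
nameserver_count() {
    awk '$1 == "nameserver" { n++ } END { print n + 0 }' "$1"
}
```

Run the check again after a reboot, since on OpenBSD /etc/resolv.conf can be regenerated and only /etc/resolv.conf.tail is carried over.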