Hi,
When I set up a Tor Exit, I set up a local resolver (BIND) as a cache. Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when resolution fails. (I have since removed these entries from the logs.)
One way to prevent this is to disable logging on BIND entirely:
logging { category default { null; }; };
Another is to isolate the categories that log DNS names, and disable them individually:
logging {
    // these categories log DNS names
    category dnssec { null; };
    category edns-disabled { null; };
    category lame-servers { null; };
    category resolver { null; };
    category security { null; };
    // also ignore uncategorised log messages
    category unmatched { null; };
};
I've updated the Tor wiki page on BIND with this configuration: https://trac.torproject.org/projects/tor/wiki/doc/BIND
Does anyone know how to work out all the BIND categories that log DNS names? (All of the documentation I found online was helping people log *every* DNS query.)
Or is it safer just to log a few essential categories? (Can anyone recommend any?)
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
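One way to check whether a resolver's logs still expose query names after a logging change like the one above: an added example, not from the original message or the Tor wiki, that scans syslog lines for hostname-like tokens and groups the leaking messages by shape so the offending BIND categories can be traced. The sample log lines and the `named[pid]:` prefix convention are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape BIND's syslog channel emits;
# they are not real entries from any relay. Lines 1-4 carry query names.
SAMPLE_LOG = """\
Jan 10 12:00:01 exit named[1234]: lame server resolving 'www.example.com' (in 'example.com'?): 192.0.2.53#53
Jan 10 12:00:02 exit named[1234]: validating example.net/A: no valid signature found
Jan 10 12:00:03 exit named[1234]: success resolving 'mail.example.org/AAAA' (in 'example.org'?) after disabling EDNS
Jan 10 12:00:04 exit named[1234]: client 127.0.0.1#40000: query failed (SERVFAIL) for example.com/IN/A at query.c:7000
Jan 10 12:00:05 exit named[1234]: managed-keys-zone: Key 20326 for zone . acceptance timer complete
Jan 10 12:00:06 exit named[1234]: loading configuration from '/etc/bind/named.conf'
"""

# Hostname-like token: two or more labels whose final label starts with a letter
# and is at least two characters, so IPv4 addresses and 'query.c' never match.
# The lookbehind rejects path components such as '/etc/bind/named.conf'.
NAME_RE = re.compile(
    r"(?<![/\w.-])(?:[a-z0-9_-]{1,63}\.)+[a-z][a-z0-9-]{1,62}(?![\w-])", re.I)

def bind_message(line):
    """Return the text after the 'named[pid]: ' prefix, or the whole line."""
    m = re.search(r"named\[\d+\]: (.*)", line)
    return m.group(1) if m else line

def find_names(line):
    """List the hostname-like tokens in one log line."""
    return NAME_RE.findall(bind_message(line))

def audit(log_text):
    """Map each leaking line number (1-based) to the names it exposes."""
    leaks = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        names = find_names(line)
        if names:
            leaks[n] = names
    return leaks

def leaking_templates(log_text):
    """Count leaking messages with names masked, to identify which message shapes leak."""
    counts = Counter()
    for line in log_text.splitlines():
        msg = bind_message(line)
        if NAME_RE.search(msg):
            counts[NAME_RE.sub("<name>", msg)] += 1
    return counts

if __name__ == "__main__":
    for n, names in audit(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
    print(leaking_templates(SAMPLE_LOG).most_common())
```

Run it over a real named log after applying the configuration; an empty result means no message shape still carries a query name, while any remaining template points at a category that also needs silencing.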