On 11/05/18 at 14:52, Ralph Seichter wrote:
> On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
>> My first thought is to use ISP DNS if it’s available - one of the best things about Tor is the split of trust, so why aren’t we doing that with DNS? Another alternative is to use trusted recursive DNSCrypt Resolvers (for example dnscrypt.ca - there are plenty of resolvers like this, so use a search engine of your choice to find them).
> Assuming you can install whatever software you like, I recommend running your own instance of Unbound on your exit node machines. Current Unbound versions support DNSSEC validation, QNAME minimisation, etc. While using your ISP's resolvers works as a fallback, a local resolver is better and easy enough to set up.
The inconvenience with running a "standard" local resolver from the exit relays is that the queries are forwarded in the clear, so the ISP and others could inspect them.
I think I already mentioned DNS-over-TLS on this list, so sorry for duplicating a message, but I think it is a good alternative to encrypt the queries, even if that means relying on third parties (that can be different from Quad9, Cloudflare, etc.) as resolvers.
I think the https://dnsprivacy.org material is worth reading. The project also provides a list of several test resolvers available. Some of them do not log or censor traffic: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
Disclaimer: I am part of the team who runs one of the no-logging test servers.
And of course, anyone can run a privacy-aware DNS resolver on a different machine, to be used to forward the queries from the relays via a privacy-aware stub resolver, such as stubby.
cheers,
Santiago
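The setup the thread converges on (a local Unbound on the relay that validates DNSSEC and forwards over DNS-over-TLS rather than in the clear), as an added example configuration that is not from the thread or from the Unbound project. It assumes an Unbound release that supports tls-cert-bundle and forward-tls-upstream, a root trust anchor at /var/lib/unbound/root.key, and a placeholder upstream (192.0.2.53 / dot.resolver.example) that you replace with a resolver you trust, for instance one from the dnsprivacy.org list.

```conf
# Added example (not from the thread): local Unbound on an exit relay that
# validates DNSSEC, minimises QNAMEs, and forwards queries over TLS (port 853).
# Placeholders: 192.0.2.53 / dot.resolver.example stand in for a real DoT resolver.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation; keep the anchor current with unbound-anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Send only the labels each server needs (RFC 7816). This only matters
    # when Unbound recurses itself; with a full forward of "." below, the
    # upstream resolver sees the whole name and must do its own minimisation.
    qname-minimisation: yes

    # Do not reveal the relay's resolver identity/version on id.server queries.
    hide-identity: yes
    hide-version: yes

    # CA bundle used to authenticate the forwarder's certificate. Without it
    # the TLS connection is encrypted but the upstream is not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Weak setting this thread warns about: plain UDP/TCP forwarding on port 53,
# so the ISP can read every query. Kept commented out for contrast only;
# never enable both forward-zone blocks for ".".
#forward-zone:
#    name: "."
#    forward-addr: 192.0.2.53

# Corrected setting: forward everything to a DoT resolver on port 853 and
# verify its certificate against the authentication name after '#'.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.resolver.example
```

Validate the file with unbound-checkconf before reloading, and fetch the initial trust anchor with unbound-anchor if the root.key file does not exist yet.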