[tor-relays] Running Bind locally

Bry8 Star bry8star at inventati.org
Tue Sep 10 07:45:03 UTC 2013


Hi,
If you run your own BIND/named as an Authoritative DNS-Server for some
domain-name that you own, and if it is also configured to function
as a Recursive DNS-Server for local software (on that computer), and
if you have enabled DNSSEC (on the recursive side), then that would be
better, imho.

Such a Recursive DNS-Server will be slightly slow, as the DNS-Server
itself does the query, gets the results and responds to clients
when a domain-name is queried for the 1st time, but any 2nd or
later query for the same domain-name will be super fast, as the DNS-Server
will use the cached/stored DNS result to provide the response.  And DNSSEC
authenticated results are very very very ACCURATE, comparatively
much much more genuine/original.  The DNS-Server's cache will
automatically expire/remove DNS-records based on the expiry time
specified in the TTL rdata value of each DNS-record.  If the TTL rdata is
not specified, then such a DNS-record will remain in cache for a longer
time.

Set the Recursive/caching DNS-Server portion of your BIND to listen on
127.0.0.1:53, and set your machine's Network adapter's DNS-Server
settings to use only 127.0.0.1 as your DNS-Server; then all local
software can use your own DNS-Server, running on the 127.0.0.1 IP-address.

Do not use remote DNS-Servers like Google's DNS Servers, as they
LOG/RECORD indefinitely.  Using your own DNS-Server (mentioned
above) is better than using anyone else's DNS-Server.  You can use
Google's DNS servers only when you are using a VM (or physical machine)
whose (operating) system you've configured to obtain ALL DNS
results by going through the Tor-network.  A computer which uses
Tor-client or Tor-server software should not use
Google DNS, but connecting to Google's DNS-Servers via the Tor-network is
ok, imho.  If you do not use Tor or any Anonymity related
software, then using Google-DNS directly is somewhat ok, but still
try to avoid it, as they do not respect users' Privacy (a fundamental
right).

If you must or want to specify a remote DNS-Server, then see/find
OpenNIC based DNS Servers (OpenNIC's website has a feature to list
DNS-servers located in various areas and can also show results based
on features); read the descriptions: some will show they DO NOT
LOG/RECORD, some will show they support DNSSEC; use such.  You may
also see info on other remote Recursive/Caching DNS-Servers from:
OARC, CZ.NIC, Swiss Privacy Foundation, German Privacy Foundation
e.V., etc.  See ref [1].

If you configure your DNS-Server(s) to use TLS/SSL certificate based
encryption, or DNSCrypt (for connecting with one or a set of remote
DNS-Servers), (basically, as long as you are using some type of
encryption for the DNS query and result), then someone in the middle
cannot see your open DNS packets, and cannot modify/alter them either.

If you use or will use remote DNS-Servers, then you should use an
encrypted connection to the DNS-Servers, and you should connect to such
via the Tor-network (aka an anonymity supporting network).

DNS2SOCKS, socat, etc., various tools can allow a machine to use
remote DNS servers via the Tor-network (the Tor network is accessed via
SOCKS5 support/protocol).

"Unbound" (from NLnet Labs), a DNS-Resolver software with full DNSSEC
support (and also BIND from ISC), can be configured locally to
connect with a DNS2SOCKS-, socat-, etc. tool based tunnel and connect
with remote DNS-Servers by going through the Tor-network.  But your DNS
query and result logs/records will remain in the hands of the remote DNS
server operators, unless they have declared that they do not Log/Record
and are trustworthy for that matter.  Or alternatively, configure the DNS
server or resolver software to function as your OWN full
Recursive/Caching DNS-Server.  Then your own DNS query records/logs
will remain with you.

Best is to turn off any logging/recording in the BIND/Unbound DNS
software, unless you are troubleshooting something.

You must install and configure your DNS-Server or Resolver software
to run from inside a Chroot/Jail environment.

-- Bright Star.

[1]
https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers
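As an added, illustrative configuration (not from this post, and not ISC's own documentation): a minimal named.conf that does what the reply recommends, a split-view BIND setup that is authoritative for one domain towards the Internet while giving recursive, cached and DNSSEC-validated answers only to software on the same machine, with query logging switched off. The domain example.com, the public address 203.0.113.10 and the file paths are placeholders; substitute your own.

```conf
// Constructed example named.conf (not from the post): authoritative for one
// zone, recursive + DNSSEC-validating only for 127.0.0.1, no query logging.
options {
    directory "/var/named";                          // assumed working directory
    listen-on port 53 { 127.0.0.1; 203.0.113.10; };   // loopback + public IP (placeholder)
    listen-on-v6 { none; };
    recursion yes;                    // default for views; narrowed per view below
    allow-recursion { localhost; };   // only local software may use the recursive side
    dnssec-validation auto;           // validate using the built-in root trust anchor
    version "none";                   // do not reveal the BIND version to CHAOS queries
};

logging {
    // Query logging stays off unless troubleshooting; resolver history is sensitive.
    category queries { null; };
    category default { default_syslog; };
};

// Local software (resolv.conf -> nameserver 127.0.0.1) gets recursion,
// validation and the cache; it also sees the local zone directly.
view "internal" {
    match-clients { localhost; };
    recursion yes;
    dnssec-validation auto;
    zone "example.com" {              // placeholder domain
        type master;
        file "example.com.zone";      // placeholder path, relative to 'directory'
    };
};

// Everyone else only gets authoritative answers for the zone:
// no recursion, so the cache is never exposed to outside queries.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" {
        type master;
        file "example.com.zone";
    };
};
```

Point the machine at it with `nameserver 127.0.0.1` in /etc/resolv.conf, check the file with `named-checkconf`, and, following the last recommendation above, start the daemon as an unprivileged user inside a chroot with `named -u named -t /var/named/chroot` (the chroot path is a placeholder). A `dig +dnssec @127.0.0.1` query for a DNSSEC-signed name should then come back with the `ad` flag set, which confirms validation is active on the recursive side, while the same query from outside the box is refused.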




Received from Yoriz, on 2013-09-07 11:47 AM:
> My VPS hoster has configured DNS as follows:
> 
>    $ cat /etc/resolv.conf
>    nameserver 8.8.8.8
>    nameserver 8.8.4.4
> 
> I believe these are Google's DNS servers. Unfortunately, they are somehow unreliable (possibly rate-limited by Google). My tor logs are filled with:
> 
>    Sep 07 16:37:24.000 [warn] eventdns: All nameservers have failed
>    Sep 07 16:37:25.000 [notice] eventdns: Nameserver 8.8.8.8:53 is back up
>    Sep 07 16:37:35.000 [warn] eventdns: All nameservers have failed
>    Sep 07 16:37:35.000 [notice] eventdns: Nameserver 8.8.4.4:53 is back up
> 
> Are there other free, open DNS services that might be more reliable/less rate-limited?
> 
> Does Tor use the system DNS configuration? In other words, if I would run a local Bind daemon, would my tor exit use it? Is that bad for the safety of the tor user, as the Bind daemon effectively becomes an audit log of all domains visited by tor users?
> 
> // Yoriz
> 
