[tor-relays] Running Bind locally

Yoriz tor at privshield.com
Tue Sep 10 18:09:36 UTC 2013


Bright Star, thank you for your elaborate explanation!

On Sep 10, 2013, at 09:45 , Bry8 Star wrote:
> Set your Recursive/caching DNS-Server portion in BIND to listen on
> 127.0.0.1:53, And set your machine's Network adapter's DNS-Server
> settings to use only 127.0.0.1 as your DNS-Server, then all local
> software can use your own DNS-Server, running on 127.0.0.1 ip-address.


That is how I have configured BIND now. I use the registrars' DNS server to resolve my exit nodes' name, so I don't have to expose port 53 publicly.

> Best is to turn off any logging/recording in BIND/unbound dns
> software, unless you are troubleshooting something.

I have logging enabled because I am seeing a lot of these in /var/log/syslog:

Sep  8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep  8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep  8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep  8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53

Are that many errors to be expected when operating a Tor exit (and thus resolving a lot of unusual domain names)? Once someone can reassure me this is "normal", I will disable logging.

Moreover, I noticed a lot of weird upper/lowercase variants, like "wwW.eXAmPLe.CoM". Domain names are case-insensitive, but the original spelling is forwarded through all resolvers, so this would enable adversaries to do some tracking/tracing if people have misconfigured their Tor client and suffer DNS leakage. May I suggest that Tor converts all domain names to lowercase before trying to resolve them?

// Yoriz
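An added example, not part of the thread: a small Python parser for the named messages quoted in the post above, which tallies the error kinds and the upstream servers they come from and flags mixed-case query names after lowercasing them, so an exit operator can see whether the noise concentrates on a few upstreams before deciding to turn logging off. The sample lines are constructed from the post, and the extra "wwW.eXAmPLe.CoM" line is a constructed addition.

```python
import re
from collections import Counter

# Constructed sample: the four messages from the post plus one mixed-case line.
SAMPLE_SYSLOG = """\
Sep  8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep  8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep  8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep  8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53
Sep  8 22:14:40 tor-exit named[11467]: error (connection refused) resolving 'wwW.eXAmPLe.CoM/A/IN': 123.123.123.123#53
"""

# The three message shapes seen in the post. Named groups let the summary
# code below stay independent of which pattern matched.
PATTERNS = [
    re.compile(r"named\[\d+\]: lame server resolving '(?P<name>[^']+)'.*?: (?P<server>[\d.]+)#\d+$"),
    re.compile(r"named\[\d+\]: error \((?P<err>[^)]+)\) resolving '(?P<name>[^/']+)/[^']*': (?P<server>[\d.]+)#\d+$"),
    re.compile(r"named\[\d+\]: validating @0x[0-9a-f]+: (?P<name>\S+) \S+: (?P<err>no valid signature found)$"),
]

def parse_line(line):
    """Return (error_kind, lowercased_name, upstream_or_None, was_mixed_case), or None if unrecognised."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            g = m.groupdict()
            name = g["name"]
            kind = g.get("err") or "lame server"  # the lame-server message carries no error text
            return kind, name.lower(), g.get("server"), name != name.lower() and name != name.upper()
    return None

def summarize(text):
    """Count errors per kind and per upstream server; collect names that arrived in mixed case."""
    kinds, servers, mixed = Counter(), Counter(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, name, server, is_mixed = parsed
        kinds[kind] += 1
        if server:
            servers[server] += 1
        if is_mixed:
            mixed.append(name)
    return {"kinds": dict(kinds), "servers": dict(servers), "mixed_case": mixed}

if __name__ == "__main__":
    print(summarize(SAMPLE_SYSLOG))
```

Run it against a real syslog by passing the file contents to summarize(); the validating messages carry no upstream address, so they count only under "kinds".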
