[tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
Jesse V
kernelcorn at riseup.net
Mon Dec 21 00:39:19 UTC 2015
On 12/20/2015 03:04 PM, spaceman wrote:
> Hi,
>
> Although I cannot say how secure this configuration is, you can run
> this kind of setup client-side as well. So:
>
> Bind --> DNSCrypt Proxy --> Tor --> DNSCrypt Compatible Server
You can do this, but Tor doesn't support all types of DNS queries.
Weasel and velope on #tor-project suggested that I remove DNSCrypt
entirely and let Unbound be a recursive resolver against the root DNS
servers, which I have now done. This way, I'm not using a third-party
DNS server and Unbound is using a large cache and DNSSEC. Although
DNSSEC doesn't provide confidentiality for DNS queries, it does provide
authentication and integrity checks. Unbound with a large cache and
DNSSEC re-enabled is probably superior to Unbound+DNSCrypt without
DNSSEC. The point still stands though; you can secure and optimize an
exit's DNS using Unbound.
--
Jesse V
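For readers who want to reproduce the setup Jesse describes (Unbound recursing directly against the root servers, with a large cache and DNSSEC validation enabled, and no DNSCrypt or third-party forwarder), here is an added unbound.conf fragment. It is an illustration written for this page, not configuration posted by Jesse or shipped by the Unbound project; the file paths for the root hints and trust anchor are assumptions and should match your distribution's packaging.

```conf
server:
    # Only answer the local host (the Tor exit process runs here).
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # No forward-zone stanza: Unbound iterates from the root servers itself,
    # so no third-party resolver sees the exit's queries.
    # Path is an assumption; download root.hints from InterNIC and refresh it periodically.
    root-hints: "/etc/unbound/root.hints"

    # DNSSEC validation (authentication and integrity, not confidentiality).
    # Path is an assumption; unbound-anchor(8) creates and maintains this file.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-referral-path: yes

    # Large cache so repeated lookups from exit traffic never leave the box.
    msg-cache-size: 256m
    rrset-cache-size: 512m
    # Keep popular records warm by refreshing them before they expire.
    prefetch: yes
    prefetch-key: yes

    # Match slab counts to threads (power of two) so cache locking scales.
    num-threads: 2
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

    # Send as little of the query name upstream as each zone needs.
    qname-minimisation: yes

    # Do not advertise resolver identity or version to queriers.
    hide-identity: yes
    hide-version: yes
```

Validate the file with `unbound-checkconf` before restarting, then point `/etc/resolv.conf` at `127.0.0.1` so that the exit's resolution goes through Unbound. A query with `dig +dnssec` against `127.0.0.1` for a signed zone should return the `ad` flag once validation is working; if it never does, the trust anchor file or the system clock is the usual culprit.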