[tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound

Jesse V kernelcorn at riseup.net
Sun Dec 27 07:46:19 UTC 2015


On 12/26/2015 10:33 PM, 12xBTM wrote:
> Also, in your current configuration, you have no unbound forward-zones,
> which, to my understanding, is a fatal error if you're using DNSCrypt.
> Tor interfaces with Unbound on your 127.5.3.53, but how does Unbound
> know where to forward queries to DNSCrypt-proxy?

Yes, because I'm no longer using DNSCrypt, just Unbound, which queries
authoritative DNS servers. I'm caching as much as I can but I'm out of
RAM at this point, so Unbound does have to do some recursions. I'm
tempted to re-apply DNSCrypt in order to forward queries to another
server that can do more caching, but I haven't done that yet.

Thanks again to the folks on IRC who correctly pointed out that DNSCrypt
has the same security model as a VPN: it only protects client-server
traffic and the server has to be trustworthy. Currently, I'm better off
using DNSSEC and querying against authoritative DNS servers than I am
turning off DNSSEC and using Unbound. If I get a second server set up, it will use
DNSSEC and I'll chain the two Unbound instances together with DNSCrypt.
That should give me better performance.

I'll look into setting up a fallback nameserver for redundancy as you
pointed out.

-- 
Jesse V
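The two Unbound layouts discussed in this thread side by side, as an added example that is not from the thread or from the Unbound or Tor projects. The listener address 127.5.3.53 comes from the thread; the file paths, cache sizes and the dnscrypt-proxy listen address/port are assumptions to adjust locally.

```conf
# Added example: Unbound as the resolver behind a Tor exit.
# 127.5.3.53 is from the thread; other values are assumptions.
server:
    interface: 127.5.3.53
    port: 53
    access-control: 127.0.0.0/8 allow
    # Unbound refuses to send queries to 127.0.0.0/8 unless this is set;
    # it is required only for layout B (forwarding to a local dnscrypt-proxy).
    do-not-query-localhost: no
    # DNSSEC validation stays on in both layouts. A forwarder can observe
    # or withhold answers for signed zones, but it cannot forge them if
    # Unbound validates locally against the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-dnssec-stripped: yes
    # Caching: raise as far as RAM allows to cut the number of recursions.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    cache-max-ttl: 86400
    prefetch: yes

# Layout A (the reply above): no forward-zone at all, so Unbound recurses
# to the authoritative servers itself and validates the answers.

# Layout B (the original DNSCrypt setup): send every query to a local
# dnscrypt-proxy listener, which encrypts it to one upstream resolver that
# you have decided to trust. Without a forward-zone Unbound never talks to
# dnscrypt-proxy, which is the gap 12xBTM pointed out.
#forward-zone:
#    name: "."
#    forward-addr: 127.0.0.1@40    # assumed dnscrypt-proxy listen address/port
```

Tor is pointed at this resolver with `ServerDNSResolvConfFile` in torrc, referencing a resolv.conf that lists `nameserver 127.5.3.53` (and a second `nameserver` line once the fallback resolver exists).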
