[tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers

Libertas libertas at mykolab.com
Thu Jan 8 16:07:17 UTC 2015


On 01/08/2015 10:04 AM, Nick Mathewson wrote:
> Hi, all!
> 
> While looking into a bug report, I noticed that an exit node was using
> one of Google's well-known public DNS servers for its own DNS server.
> 
> No disrespect to the operators of Google's fine public DNS service,
> but my sense is that using it for a Tor exit node might not be the
> greatest idea for users' privacy, having one DNS provider that gets to
> see so many requests.  It's probably a better idea to have your own
> local caching DNS server.
> 
> Would anybody like to share a guide about how to set one of those up
> safely and migrate correctly?
> 
> best wishes,
> --
> Nick

I actually just switched to unbound, which is included in the OpenBSD
base system as of the most recent release.

Aside from starting it, all you have to do is add the following to your
/etc/rc.conf.local so that it starts up on boot:

unbound_flags=""

And add 'nameserver 127.0.0.1' as the first line of your
/etc/resolv.conf.tail (and, for the time being, /etc/resolv.conf - see
the man pages for details). I still have an OpenDNS server and a Google
server listed below it in case something goes wrong with the local one.

Here's Michael Lucas's guide, which includes information on how to test
your DNS server, how to restrict access (although that seems to be
default now), and how to set up DNSSEC in a minute or two:

http://blather.michaelwlucas.com/archives/580

Ignore his installation instructions. They were written before it was
included in the base system.
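
A check for the resolver layout discussed in this thread, added as an example and not part of the original post: it reads a resolv.conf-format file, lists each nameserver entry, and signals whether the first entry is loopback and whether a well-known public resolver (Google Public DNS, OpenDNS) is listed as a fallback. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-format file for the setup in this thread.

# Well-known public resolver addresses (Google Public DNS, OpenDNS).
PUBLIC_RESOLVERS="8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844 208.67.222.222 208.67.220.220"

# classify_ns ADDR -> prints "local", "public" or "other"
classify_ns() {
    case "$1" in
        127.*|::1) echo local; return 0 ;;
    esac
    for p in $PUBLIC_RESOLVERS; do
        if [ "$1" = "$p" ]; then echo public; return 0; fi
    done
    echo other
}

# audit_resolv_conf FILE
# Prints one "address class" line per nameserver entry, in file order.
# Returns 0: first entry is loopback and no public resolver is listed
#         1: first entry is not loopback (or there are no entries)
#         2: first entry is loopback, but a public resolver is a fallback,
#            so queries reach it whenever the local resolver does not answer
audit_resolv_conf() {
    first=""
    public=0
    while read -r key addr _rest; do
        # Comment lines and other keywords (search, lookup, ...) are skipped.
        if [ "$key" != "nameserver" ]; then continue; fi
        class=$(classify_ns "$addr")
        echo "$addr $class"
        if [ -z "$first" ]; then first=$class; fi
        if [ "$class" = "public" ]; then public=1; fi
    done < "$1"
    if [ "$first" != "local" ]; then return 1; fi
    if [ "$public" -ne 0 ]; then return 2; fi
    return 0
}

# Constructed sample: local resolver first, then OpenDNS and Google fallbacks.
sample=$(mktemp)
printf 'nameserver 127.0.0.1\nnameserver 208.67.222.222\nnameserver 8.8.8.8\n' > "$sample"
audit_resolv_conf "$sample"
echo "status=$?"
rm -f "$sample"
```

On a relay, point it at the live file with `audit_resolv_conf /etc/resolv.conf`.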
