[tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers

grarpamp grarpamp at gmail.com
Mon Jan 12 05:32:56 UTC 2015

On Sat, Jan 10, 2015 at 10:58 PM, Richard Johnson <rdump at river.com> wrote:
> It is especially a good idea to have your own local DNS resolver if you run
> Tor exits at an institution that's required to otherwise log DNS queries.
> Tor needs a separate (and non-logging) DNS resolution system to prevent the
> institution from being presumed aware of Tor users' lookups.
> That this also protects Tor users from having their DNS queries logged is
> good as well, but that isn't necessarily the driver for the institution. ;)

Do not presume that pointing DNS locally prevents passive monitors
anywhere along your network graph of clearnet hops from seeing your
DNS queries there. And ultimately, exit IP can be observed and correlated
from the roots down with increasing difficulty. That said, yes, local is still
better, and often more performant, than pointing to a privacy joke like Google.

