[tor-relays] Local DNS on Exit logs failed user queries
teor
teor2345 at gmail.com
Wed Aug 17 02:23:15 UTC 2016
Hi,
When I set up a Tor Exit, I set up a local resolver (BIND) as a cache.
Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when resolution fails.
(I have since removed these entries from the logs.)
One way to prevent this is to disable logging on BIND entirely:
logging { category default { null; }; };
Another is to isolate the categories that log DNS names, and disable them individually:
logging {
    // these categories log DNS names
    category dnssec { null; };
    category edns-disabled { null; };
    category lame-servers { null; };
    category resolver { null; };
    category security { null; };
    // also ignore uncategorised log messages
    category unmatched { null; };
};
I've updated the Tor wiki page on BIND with this configuration:
https://trac.torproject.org/projects/tor/wiki/doc/BIND
Does anyone know how to work out all the BIND categories that log DNS names?
(All of the documentation I found online was helping people log *every* DNS query.)
Or is it safer just to log a few essential categories?
(Can anyone recommend any?)
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20160817/509721c5/attachment.sig>
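One empirical way to answer the question above (which BIND categories log DNS names) is to run a test instance with every category printed and scan what it emits. The script below is an added example, not code from the post or from the Tor wiki page: it assumes the BIND channel was configured with `print-category yes; print-severity yes;` so each syslog line carries a "category: severity:" prefix, the sample lines are constructed rather than taken from a real exit, and the host-name regex is a heuristic (dotted labels ending in an alphabetic top-level label, which excludes IPv4 addresses). It reports only categories that actually emitted a name under the traffic you exercised, so it complements rather than replaces reading the logging section of the BIND ARM.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real exit logs). They assume the BIND
# channel was configured with `print-category yes; print-severity yes;` so
# each message carries a "category: severity:" prefix; without that prefix a
# syslog line cannot be attributed to a category.
SAMPLE_LOG = """\
Aug 17 02:10:11 exit named[1234]: resolver: info: DNS format error from 192.0.2.53#53 resolving www.example.org/A for client 127.0.0.1#41210: invalid response
Aug 17 02:10:12 exit named[1234]: lame-servers: info: error (unexpected RCODE REFUSED) resolving 'mail.example.net/MX/IN': 198.51.100.7#53
Aug 17 02:10:13 exit named[1234]: security: info: client 127.0.0.1#41211 (example.com): query (cache) 'example.com/A/IN' denied
Aug 17 02:10:14 exit named[1234]: general: info: received control channel command 'reload'
Aug 17 02:10:15 exit named[1234]: resolver: notice: max-cache-size changed
Aug 17 02:10:16 exit named[1234]: dnssec: info: validating example.com/DNSKEY: no valid signature found
Aug 17 02:10:17 exit named[1234]: edns-disabled: info: success resolving 'example.net/AAAA' (in 'example.net'?) after disabling EDNS
Aug 17 02:10:18 exit named[1234]: database: info: rbtdb memory statistics
"""

# "named[pid]: category: severity: message", as produced by the assumed channel.
LINE_RE = re.compile(r"named\[\d+\]: (?P<cat>[\w-]+): (?P<sev>\w+): (?P<msg>.*)$")

# Heuristic: dotted host names whose last label is alphabetic. IPv4 addresses
# such as 192.0.2.53 fail the final [a-z] label and are not reported as names.
NAME_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE
)


def parse_line(line):
    """Return (category, severity, message), or None if the prefix is missing."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("cat"), m.group("sev"), m.group("msg")


def find_names(message):
    """Return the distinct DNS names found in one log message, in order seen."""
    seen = []
    for m in NAME_RE.finditer(message):
        name = m.group(0).lower()
        if name not in seen:
            seen.append(name)
    return seen


def categories_logging_names(log_text):
    """Map each BIND category to the set of DNS names its messages exposed."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a BIND line, or channel lacks print-category
        category, _severity, message = parsed
        for name in find_names(message):
            leaks[category].add(name)
    return dict(leaks)


def null_config(categories):
    """Render a BIND logging block that discards the given categories."""
    body = "\n".join(f"    category {c} {{ null; }};" for c in sorted(set(categories)))
    return "logging {\n" + body + "\n};\n"


if __name__ == "__main__":
    leaks = categories_logging_names(SAMPLE_LOG)
    for category, names in sorted(leaks.items()):
        print(f"{category}: {', '.join(sorted(names))}")
    print(null_config(leaks))
```

Run it against a day of syslog from a test resolver that has seen realistic lookups (including failing ones, since those are what triggered the messages above); any category it lists is a candidate for `{ null; }`, and any name it finds in a category you intended to keep is a reason to drop that category too. The same scan works for unbound if you adapt LINE_RE to its line format, but check that format against your own logs rather than assuming it.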