[tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound

Eran Sandler eran at sandler.co.il
Tue Jan 5 07:48:47 UTC 2016


Found this post about compiling and running DnsCrypt which is rather easy.
https://gist.github.com/kafene/9699074

Just need to grab the newer libsodium and dnscrypt versions.

It also includes an init script.

Eran

On Sun, Dec 27, 2015 at 9:46 AM Jesse V <kernelcorn at riseup.net> wrote:

> On 12/26/2015 10:33 PM, 12xBTM wrote:
> > Also, in your current configuration, you have no Unbound forward-zones,
> > which, to my understanding, is a fatal error if you're using DNSCrypt.
> > Tor interfaces with Unbound on your 127.5.3.53, but how does Unbound
> > know where to forward queries to DNSCrypt-proxy?
>
> Yes, because I'm no longer using DNSCrypt, just Unbound, which queries
> authoritative DNS servers. I'm caching as much as I can but I'm out of
> RAM at this point, so Unbound does have to do some recursions. I'm
> tempted to re-apply DNSCrypt in order to forward queries to another
> server that can do more caching, but I haven't done that yet.
>
> Thanks again to the folks on IRC who correctly pointed out that DNSCrypt
> has the same security model as a VPN: it only protects client-server
> traffic and the server has to be trustworthy. Currently, I'm better to
> use DNSSEC and query against authoritative DNS servers than I am to turn
> off DNSSEC and use Unbound. If I get a second server set up, it will use
> DNSSEC and I'll chain the two Unbound instances together with DNSCrypt.
> That should give me better performance.
>
> I'll look into setting up a fallback nameserver for redundancy as you
> pointed out.
>
> --
> Jesse V
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
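The Tor -> Unbound -> dnscrypt-proxy chain the quoted exchange argues about, written out as an added Unbound configuration example (not from the thread or the linked gist). The only address taken from the thread is 127.5.3.53; the dnscrypt-proxy listen address 127.0.0.1:40, the trust-anchor path and the cache sizes are assumptions to adjust for your own host.

```conf
# /etc/unbound/unbound.conf  (added example; see lead-in for what is assumed)
server:
    # the address Tor's exit-side resolver is pointed at (named in the thread)
    interface: 127.5.3.53
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Unbound refuses to send queries to loopback by default; this must be
    # switched off because dnscrypt-proxy listens on 127.0.0.1.
    do-not-query-localhost: no

    # keep DNSSEC validation on even though the upstream is reached through
    # DNSCrypt: the tunnel only protects the hop to that resolver, validation
    # is what catches a wrong answer from it (works as long as the upstream
    # returns the RRSIG records)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path

    # cache sizing; the thread mentions running out of RAM, so size these to
    # what the box actually has
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes

# Without a forward-zone Unbound recurses against the authoritative servers
# itself (the setup described above) and dnscrypt-proxy is never used.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@40   # assumed dnscrypt-proxy local-address
```

Tor's exit resolver reads /etc/resolv.conf unless ServerDNSResolvConfFile in torrc points elsewhere, so whichever file it reads needs `nameserver 127.5.3.53` for this chain to be in use at all. A second `forward-addr` line pointing at another dnscrypt-proxy instance gives the fallback nameserver mentioned at the end of the quoted message.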

