[tor-relays] Don't use Google's DNS server
phw at nymity.ch
Sun May 15 18:37:19 UTC 2016
I created a new diagram that illustrates the popularity of DNS resolvers
used by exit relays. The diagram shows nine autonomous systems that
hosted the most popular resolvers at some point over the last months.
These autonomous systems are owned by Google, INIT7, LeaseWeb, Visual
Online, OVH, OpenDNS, NForce Entertainment, Cyberdyne, and Level3. The
x axis shows time and the y axis shows the fraction of DNS requests that
the respective AS can observe:
The two most popular setups are Google's 220.127.116.11 and local resolvers,
i.e., exit relays doing their own resolution. Occasionally, Google got
to see more than 40% of all DNS requests exiting the Tor network. That
is concerning, particularly given Google's role in the PRISM program.
No other autonomous system is getting even close.
Please refrain from using 18.104.22.168. Instead, set up your own resolver,
or at least use the one provided by your ISP. Here's Peter's quick
guide on how to set up your own resolvers :
On Thu, Jan 08, 2015 at 04:11:09PM +0100, Peter Palfrader wrote:
> o apt-get install unbound
> o remove all nameserver entries in /etc/resolv.conf and add one for the
> local recursor. Either manually or use (untested):
> sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' /etc/resolv.conf
> o prevent anything else from modifying that file ever again:
> chattr +i /etc/resolv.conf
Note that running your own resolver is not universally safer because the
exposure of DNS requests to network adversaries is greater. It's a
tricky trade-off that we are currently trying to understand better ,
but increased exposure to network-level adversaries seems less bad than
having Google see almost half of all DNS requests.
If you are wondering how I created the above diagram, have a look at the
measurement method .
More information about the tor-relays