[tor-relays] Don't use Google's DNS server

Petrusko petrusko at riseup.net
Mon May 16 21:11:42 UTC 2016


Hey,

The package Unbound can be nice? I'm using it on the LAN...
My Unbound set up is using the root.hints, so I think it's always and
only speaking with those root DNS servers...
But I've read on some tutorials that ISPs and other "men-in-the-middle" can
intercept DNS queries and answer your server... so this solution
can't be 100% secure, like any DNS solution.
Here, Unbound is set up to speak only with root DNS servers:

apt-get install unbound
cd /etc/unbound

-download the root.hints file:
wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hints

-generate TLS keys (dnssec):
unbound-control-setup

-change owner + rights:
chown unbound:root unbound_*
chmod 440 unbound_*

-add the line to use root.hints file:
nano /etc/unbound/unbound.conf

root-hints: "/etc/unbound/root.hints"

-if you want to check your config file:
 unbound-checkconf /etc/unbound/unbound.conf

-verify in the /etc/resolv.conf file (already said, but always check
another time!):
 nameserver 127.0.0.1


I hope this helps, and my configuration is ok?!
And I don't know if Unbound is ready for an exit node (performance)? I'm
only using it on some little LAN without any issues.




On 15/05/2016 20:37, Philipp Winter wrote:
> I created a new diagram that illustrates the popularity of DNS resolvers
> used by exit relays.  The diagram shows nine autonomous systems that
> hosted the most popular resolvers at some point over the last months.
> These autonomous systems are owned by Google, INIT7, LeaseWeb, Visual
> Online, OVH, OpenDNS, NForce Entertainment, Cyberdyne, and Level3.  The
> x axis shows time and the y axis shows the fraction of DNS requests that
> the respective AS can observe:
> <https://nymity.ch/dns-traffic-correlation/img/exit-resolvers-2015-05.png>
> 
> The two most popular setups are Google's 8.8.8.8 and local resolvers,
> i.e., exit relays doing their own resolution.  Occasionally, Google got
> to see more than 40% of all DNS requests exiting the Tor network.  That
> is concerning, particularly given Google's role in the PRISM program.
> No other autonomous system is getting even close.
> 
> Please refrain from using 8.8.8.8.  Instead, set up your own resolver,
> or at least use the one provided by your ISP.  Here's Peter's quick
> guide on how to set up your own resolvers [1]:
> 
> On Thu, Jan 08, 2015 at 04:11:09PM +0100, Peter Palfrader wrote:
>> o  apt-get install unbound
>> o  remove all nameserver entries in /etc/resolv.conf and add one for the
>>    local recursor.  Either manually or use (untested):
>>      sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' /etc/resolv.conf
>> o prevent anything else from modifying that file ever again:
>>    chattr +i /etc/resolv.conf
> 
> Note that running your own resolver is not universally safer because the
> exposure of DNS requests to network adversaries is greater.  It's a
> tricky trade-off that we are currently trying to understand better [2],
> but increased exposure to network-level adversaries seems less bad than
> having Google see almost half of all DNS requests.
> 
> If you are wondering how I created the above diagram, have a look at the
> measurement method [3].
> 
> [1] <https://lists.torproject.org/pipermail/tor-relays/2015-January/006147.html>
> [2] <https://nymity.ch/dns-traffic-correlation/>
> [3] <https://lists.torproject.org/pipermail/metrics-team/2016-February/000078.html>
> 
> Cheers,
> Philipp
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
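The resolv.conf step is the one both guides in this thread tell you to check twice. The script below is an added example, not code from either poster: it applies Peter's sed one-liner to a constructed copy of resolv.conf (so nothing on the real system is touched) and then checks mechanically that 127.0.0.1 is the only nameserver left active. The sample file contents, the temporary directory and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): apply the resolv.conf
# rewrite from Peter Palfrader's quick guide to a constructed copy of the
# file and verify that only the local recursor at 127.0.0.1 stays active.
set -eu

WORK="$(mktemp -d)"
SAMPLE="$WORK/resolv.conf"   # constructed stand-in for /etc/resolv.conf

# Constructed sample: what a DHCP-written resolv.conf often looks like,
# including the Google resolver the thread asks exit operators to drop.
cat > "$SAMPLE" <<'EOF'
# Generated by dhclient (constructed sample)
search example.net
nameserver 8.8.8.8
nameserver 192.0.2.53
EOF

# Same sed as in the quoted guide (GNU sed): comment out every existing
# "nameserver" line ('&' re-inserts the matched text) and append the
# local recursor as the last line.
rewrite_resolv_conf() {
    sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' "$1"
}

# Print the nameserver addresses that are still active (not commented out).
active_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 only when 127.0.0.1 is the sole active nameserver, 1 otherwise.
# This is the "verify /etc/resolv.conf another time" step made mechanical.
resolv_is_local_only() {
    [ "$(active_nameservers "$1" | tr '\n' ' ')" = "127.0.0.1 " ]
}

rewrite_resolv_conf "$SAMPLE"
active_nameservers "$SAMPLE"
resolv_is_local_only "$SAMPLE" && echo "OK: only the local recursor is active"
```

Run it as an ordinary user; it only edits the temporary copy. On the real machine you would run the same sed against /etc/resolv.conf, then `chattr +i` it as the guide says, and re-run the check after any reboot or DHCP lease renewal, since those are the moments the file tends to be rewritten behind your back.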


