[tor-relays] Why do 40% of Tor exits use 8.8.8.8 for DNS resolving?

Jesse V kernelcorn at torproject.org
Mon Oct 17 02:37:55 UTC 2016


On 10/16/2016 04:54 PM, Petrusko wrote:
> Thx for this share.
> 
> But I'm not sure how Unbound is "speaking" with the root DNS servers...
> Somewhere I've read that DNS queries can be forwarded by a "man in the
> middle", and the server operator can't be sure about this :s
> An ISP is able to do it with your "private server" hosted behind your
> ISP's router...
> 
> I see DNSSEC to encrypt DNS queries from a client to a server, but for
> sure it's not possible to use it with root DNS servers...

My VPS host uses 8.8.8.8 for DNS by default. I think it's configured in
their DHCP settings or something because 8.8.8.8 will end up in
/etc/resolv.conf every time the VPS restarts. Consequently, I have to
keep an eye on /etc/resolv.conf to ensure that it always points to my
Unbound instance. I take immediate action if this is not the case.

The dnscrypt repository on GitHub has a list of public DNS servers. I
point my Unbound instance at one of them and I give Unbound as much RAM
as I can to ensure that it caches as much as possible. In this way, I
can reduce the frequency of lookups to external servers. I have had
limited success with DNSSEC. I eventually had to disable it because too
many requests were failing (including torproject.org) and I was not able
to correct the issue. DNSCrypt works just fine though if you can find a
server that supports it.

-- 
Jesse
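
The /etc/resolv.conf check described in the message above, as an added
example that is not part of the original post. It assumes Unbound listens
on 127.0.0.1; the function name check_resolv and the sample file contents
are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every "nameserver" entry in a resolv.conf-style file
# that is not the local Unbound instance.
# Assumption: Unbound listens on 127.0.0.1 (override with the second argument).

# Usage: check_resolv [file] [expected-address]
# Prints each unexpected nameserver, one per line.
# Returns 0 if none were found, 1 if at least one was, 2 if the file is unreadable.
check_resolv() {
    file=${1:-/etc/resolv.conf}
    expected=${2:-127.0.0.1}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v want="$expected" '
        /^[#;]/ { next }    # comment lines start with # or ; in column one
        $1 == "nameserver" && NF >= 2 && $2 != want { print $2; bad = 1 }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample: a resolv.conf after a DHCP client has put 8.8.8.8 back.
sample=$(mktemp)
printf '# constructed sample\nnameserver 8.8.8.8\nnameserver 127.0.0.1\n' > "$sample"
if foreign=$(check_resolv "$sample"); then
    echo "OK: only the local resolver is configured"
else
    echo "ALERT: unexpected resolver(s): $foreign"
fi
rm -f "$sample"
```

Run from cron or a systemd timer against the real /etc/resolv.conf, a
non-zero exit status is the signal to act on.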
