[tor-relays] dnsmasq configuration for an exit relay (Debian)

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Sun Oct 8 03:41:19 UTC 2017


Here's what I personally recommend:

1. Make sure that /etc/resolv.conf contains 127.0.0.1 only. Ensure you have no DNS servers specified in /etc/network/interfaces. This will ensure that all DNS traffic will go through dnsmasq.

2. You can start by editing /etc/dnsmasq.conf as follows:

# Only listen on loopback
interface=lo
bind-interfaces

# DNS servers
no-resolv
no-poll
no-hosts
server=8.8.4.4
server=8.26.56.26
server=74.82.42.42
server=64.6.64.6
server=8.8.8.8
server=8.20.247.20
server=64.6.65.6

# Performance
cache-size=10000
dns-forward-max=2048

# No DHCP or TFTP
no-dhcp-interface=1

3. The value of dns-forward-max is just a rough guess for a high-capacity Exit relay. Please feel free to tune it.

4. Use ss or netstat to make sure that dnsmasq only opens port 53 on the loopback interface (lo, 127.0.0.01) and does not listen on any external network interfaces.

5. If you have iptables configured, please make sure you allow traffic to port 53 from 127.0.0.1.

6. You can find the IP addresses of some public DNS servers here: https://www.lifewire.com/free-and-public-dns-servers-2626062.

7. Consider adding any DNS servers that your ISP may provide (ask them).

8. PLEASE exclude any DNS servers that attempt to censor/filter any web addresses (such as “Comodo Secure DNS”).

9. I recommend picking DNS servers with the lowest ping latency to your Tor relay (i.e. try pinging them manually).
Thanks for running a Tor relay!

- Igor
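
The checks in steps 1, 2 and 4 above, written out as an added example that is not part of the thread (it is not Igor's or the list's own code): a POSIX shell audit that takes file paths, so it can be pointed at the real /etc/resolv.conf, /etc/dnsmasq.conf and a saved copy of `ss -lntup` output. It assumes the usual `ss -lntup` column layout (field 5 is "Local Address:Port") and, in the demo at the bottom, runs against constructed sample files rather than the live system.

```shell
#!/bin/sh
# Added example, not from the thread: audit a dnsmasq setup against steps 1, 2
# and 4 of the recommendation above. Each check takes a file path so it can be
# pointed at the real /etc/resolv.conf, /etc/dnsmasq.conf and a saved copy of
# `ss -lntup` output; the samples at the bottom are constructed for the demo.

# Step 1: resolv.conf must name 127.0.0.1 and nothing else.
# Returns 0 when every nameserver line is 127.0.0.1 and at least one exists.
check_resolv_conf() {
    awk '
        /^[[:space:]]*nameserver[[:space:]]/ {
            seen++
            if ($2 != "127.0.0.1") other++
        }
        END { exit (seen > 0 && other == 0) ? 0 : 1 }
    ' "$1"
}

# Step 2: dnsmasq.conf must bind to loopback only, stop reading resolv.conf
# (otherwise it would forward to itself), name at least one upstream server,
# and carry none of the DHCP/TFTP directives an exit relay has no use for.
check_dnsmasq_conf() {
    # drop comments, trailing whitespace and empty lines; keep active directives
    active=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1")
    printf '%s\n' "$active" | grep -qx 'interface=lo'    || return 1
    printf '%s\n' "$active" | grep -qx 'bind-interfaces' || return 1
    printf '%s\n' "$active" | grep -qx 'no-resolv'       || return 1
    printf '%s\n' "$active" | grep -q  '^server='        || return 1
    # any of these would turn the cache into a DHCP or TFTP server
    if printf '%s\n' "$active" | grep -Eq '^(dhcp-range|dhcp-host|enable-tftp|tftp-root)'; then
        return 1
    fi
    return 0
}

# Step 4: given `ss -lntup` output, every socket on port 53 must be bound to a
# loopback address (127.0.0.1 or ::1). Field 5 is "Local Address:Port".
check_dns_listeners() {
    awk '
        $5 ~ /:53$/ && $5 != "127.0.0.1:53" && $5 != "[::1]:53" { exposed++ }
        END { exit exposed ? 1 : 0 }
    ' "$1"
}

# Run all three checks, print one PASS/FAIL line each; returns 0 only if all pass.
audit() {
    rc=0
    check_resolv_conf "$1"   && echo "resolv.conf : PASS" || { echo "resolv.conf : FAIL"; rc=1; }
    check_dnsmasq_conf "$2"  && echo "dnsmasq.conf: PASS" || { echo "dnsmasq.conf: FAIL"; rc=1; }
    check_dns_listeners "$3" && echo "listeners   : PASS" || { echo "listeners   : FAIL"; rc=1; }
    return $rc
}

# ---- constructed sample inputs (stand-ins for the real files) ----
tmpdir=$(mktemp -d)

printf 'nameserver 127.0.0.1\n' > "$tmpdir/resolv.conf"
# a second, non-loopback resolver would let queries bypass the cache
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmpdir/resolv-leaky.conf"

cat > "$tmpdir/dnsmasq.conf" <<'EOF'
# Only listen on loopback
interface=lo
bind-interfaces
no-resolv
no-poll
no-hosts
server=8.8.4.4
cache-size=10000
EOF

# same config, but with the loopback restriction commented out and DHCP enabled
{ sed 's/^interface=lo/#interface=lo/' "$tmpdir/dnsmasq.conf"
  echo 'dhcp-range=192.0.2.10,192.0.2.50'; } > "$tmpdir/dnsmasq-open.conf"

# constructed `ss -lntup` output: dnsmasq on loopback only, sshd on all interfaces
cat > "$tmpdir/ss-loopback.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*     users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0      32         127.0.0.1:53        0.0.0.0:*     users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))
EOF

# constructed `ss -lntup` output: dnsmasq bound to every interface (an open resolver)
cat > "$tmpdir/ss-exposed.txt" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0      32           0.0.0.0:53        0.0.0.0:*     users:(("dnsmasq",pid=1234,fd=5))
EOF

audit "$tmpdir/resolv.conf" "$tmpdir/dnsmasq.conf" "$tmpdir/ss-loopback.txt"
```

On a live relay, replace the sample paths with /etc/resolv.conf, /etc/dnsmasq.conf and the output of `ss -lntup` saved to a file; the listener check is the one that catches a dnsmasq that has silently become an open resolver because `interface=lo` was dropped or `bind-interfaces` was forgotten.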
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf Of jpmvtd261 at laposte.net
Sent: Saturday, October 7, 2017 10:39 AM
To: tor-relays at lists.torproject.org
Subject: [tor-relays] dnsmasq configuration for an exit relay (Debian)

Hello,

I am looking for instructions on how to configure dnsmasq on a Debian exit relay (in order to cache DNS queries).

It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just a local DNS cache.

If I had to install it without any advice, I would do this:

1) Install the dnsmasq package with the command "aptitude install dnsmasq".

2) Make sure that the first line of the file /etc/resolv.conf is "nameserver 127.0.0.1" (see https://wiki.debian.org/HowTo/dnsmasq#Local_Caching).

3) Make sure that the file /etc/dnsmasq.conf contains the line "listen-address=127.0.0.1" (to restrict dnsmasq to the local system).

4) Set the cache size to 10000 by adding or editing this line "cache-size=10000" in the file /etc/dnsmasq.conf (as suggested by Igor Mitrofanov here: https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html).

5) Reboot (is it necessary?).

Does anyone think that this procedure could start a daemon listening on a port of my server? Or is it safe to do this on my exit relay?

Regards

_______________________________________________
tor-relays mailing list
tor-relays at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
