[tor-relays] dnsmasq configuration for an exit relay (Debian)

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Sun Oct 8 17:48:08 UTC 2017


My hosting provider runs no DNS servers and recommends using 8.8.x.x,
so I have to pick something.

On Sun, Oct 8, 2017 at 10:22 AM, Ralph Seichter <m16+tor at monksofcool.net> wrote:
> On 08.10.17 18:34, Igor Mitrofanov wrote:
>
>> Unless configured otherwise, Dnsmasq chooses a server from the list
>> randomly, so the more servers the operator specifies in dnsmasq.conf,
>> the less traffic each server gets.
>
> The "proper" way, meaning the way resulting in the smallest surface for
> behavioural analysis of the node outside the ISP hosting the node, is to
> not manually configure any upstream servers at all for the caching
> resolver running on the Tor node. That way, only upstream servers that
> are actually required to resolve individual queries are contacted.
>
> If the ISP hosting the Tor node has resolvers for their customers, these
> can be used as well, since the ISP sees all outgoing traffic anyway, but
> I can't think of any reason to use third-party resolvers (especially the
> infamous Google 8.8.x.x) beyond the hosting ISP.
>
> The historic notion of "don't contact upstream resolvers directly" from
> a time where traffic was expensive is no longer valid, especially for a
> Tor node where the key goal is to make it harder for third party actors
> to analyse what the node is doing.
>
>> I have not seen any research papers that would indicate that the cost
>> of running a full DNS server on an Exit relay is worthwhile and that
>> it improves anonymity substantially more compared to a lightweight
>> cache resolver.
>
> I don't know what you call "a full DNS server"? A caching resolver
> should, by its nature, contact all upstream nameservers as required,
> including the root zone servers. There is no need for Unbound, BIND or
> similar resolver software to delegate queries only to a manually
> configured and therefore limited list of nameservers. Just let these
> resolvers do their job. From what I see on my nodes, the cost of Unbound
> is negligible, compared to what Tor itself requires.
>
> Unless you can produce research papers that show it is *not* worth
> letting my resolvers contact upstream nameservers as they consider
> necessary, I'll stick to advocating what I wrote above. ;-)
>
> -Ralph

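To make the distinction in the thread concrete: dnsmasq is a caching forwarder, not a recursive resolver, so it can only ever hand queries to a manually listed upstream (`server=` lines or whatever is in /etc/resolv.conf). The "no upstream servers configured" behaviour Ralph describes requires a recursive resolver such as Unbound, which walks from the root hints on its own. The script below is an added example and not from the thread or either project; it embeds two constructed configs (a forwarding dnsmasq.conf and a recursive Unbound fragment), lists every upstream each one would send queries to, and reports whether the resolver recurses itself. The root-hints path is Debian's `dns-root-data` location and is an assumption; the 8.8.x.x addresses are the ones discussed above.

```sh
#!/bin/sh
# Added example (not from the tor-relays thread). Two constructed resolver
# configs: a dnsmasq forwarder pinned to third-party upstreams, and an
# Unbound config with no forwarders that recurses from the root hints.

DNSMASQ_FORWARDING='# /etc/dnsmasq.conf (constructed sample)
listen-address=127.0.0.1
no-resolv            # ignore /etc/resolv.conf, use only server= lines
server=8.8.8.8
server=8.8.4.4
cache-size=10000'

UNBOUND_RECURSIVE='# /etc/unbound/unbound.conf.d/exit.conf (constructed sample)
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # path assumed from the Debian dns-root-data package
    root-hints: "/usr/share/dns/root.hints"
    prefetch: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m
# no forward-zone / forward-addr: Unbound contacts only the authoritative
# servers each query actually needs, starting from the root'

# Print every upstream the given config text would forward queries to:
# dnsmasq "server=ADDR" lines and Unbound "forward-addr: ADDR" lines.
# Comments are stripped first; output is one address per line (IPv4 or
# IPv6 literal, plus any dnsmasq @iface#port suffix, as written).
list_forwarders() {
    printf '%s\n' "$1" | sed -n \
        -e 's/#.*//' \
        -e 's/^[[:space:]]*server=\([^[:space:]]*\).*/\1/p' \
        -e 's/^[[:space:]]*forward-addr:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Succeed (exit 0) when the config names no forwarders at all, i.e. the
# resolver has to recurse itself; fail (exit 1) when it delegates to a
# fixed upstream list.
is_fully_recursive() {
    [ -z "$(list_forwarders "$1")" ]
}

# Human-readable report for one config.
report() {
    name=$1; cfg=$2
    if is_fully_recursive "$cfg"; then
        printf '%s: no forwarders, full recursion\n' "$name"
    else
        printf '%s: forwards every query to: %s\n' "$name" \
            "$(list_forwarders "$cfg" | tr '\n' ' ')"
    fi
}

report "dnsmasq" "$DNSMASQ_FORWARDING"
report "unbound" "$UNBOUND_RECURSIVE"
```

Run it on a real /etc/dnsmasq.conf with `list_forwarders "$(cat /etc/dnsmasq.conf)"` to see exactly which third parties receive the exit's lookups; an empty list from a dnsmasq config is not a recursive setup but a broken one, since dnsmasq then has nowhere to send queries.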
