[tor-relays] dnsmasq configuration for an exit relay (Debian)

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Sun Oct 8 18:48:57 UTC 2017


Please see the RFC that describes the recursive resolution algorithm:
https://tools.ietf.org/html/rfc1034.

Unbound is a simple recursive resolver. If it does not know the IP, it
has to ask - there is no way around asking. The fact that you do not
know what network links Unbound relies on ("just let it do its magic")
does not make your Exit relay any more secure.

Unbound's upstream requests can be intercepted and used in traffic
correlation just like any other. Yes, Unbound follows the recursive
protocol and works with the hierarchy from the root DNS servers down,
but your ISP can still observe your entire DNS activity. This is very
similar to running dnsmasq configured to work with the DNS server hosted by
the ISP (which then performs the recursive functions) - except in my
case there isn't one.

On Sun, Oct 8, 2017 at 10:59 AM, Ralph Seichter <m16+tor at monksofcool.net> wrote:
> On 08.10.17 19:48, Igor Mitrofanov wrote:
>
>> My hosting provider runs no DNS servers and recommends using 8.8.x.x,
>> so I have to pick something.
>
> You don't have to pick, and this is not meant to be patronising. Install
> Unbound with the few lines of configuration I posted earlier in this
> thread, and set your /etc/resolv.conf to "nameserver 127.0.0.1". Unbound
> will contact upstream servers as required. You don't have to configure
> *any* upstream servers manually.
>
> See https://en.wikipedia.org/wiki/Domain_Name_System "Address resolution
> mechanism" for what will happen under the hood.
>
> -Ralph
>
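As an added illustration (not code from this thread), a small Python model of the two resolution modes under discussion: an Unbound-style iterative walk that starts at the root and follows referrals as RFC 1034 describes, and a dnsmasq-style forward of the whole query to one upstream. The zone hierarchy and server names are constructed; `link_view` reports which servers are contacted and which query names an observer on the relay's uplink sees in each mode.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample hierarchy (illustrative names, not real servers). Each
# server either answers or refers the resolver to the zone one level down.
ROOT = "root-server.example"
ZONE_DATA: Dict[str, dict] = {
    ROOT: {"referral": {"org.": "tld-org.example"}},
    "tld-org.example": {"referral": {"torproject.org.": "ns-torproject.example"}},
    "ns-torproject.example": {"answer": {"www.torproject.org.": "198.51.100.10"}},
}
UPSTREAM = "isp-resolver.example"  # hypothetical forwarder, as with dnsmasq

Wire = List[Tuple[str, str]]  # (server contacted, qname sent), as seen on the relay's link

def ask(server: str, qname: str, wire: Wire) -> dict:
    """One query leaving the relay; the full qname travels in the packet."""
    wire.append((server, qname))
    return ZONE_DATA.get(server, {})

def resolve_iterative(qname: str, wire: Wire) -> Optional[str]:
    """Unbound-style: start at the root and follow referrals (RFC 1034 section 5.3.3)."""
    server = ROOT
    for _ in range(8):  # bound the walk so a bad referral cannot loop forever
        reply = ask(server, qname, wire)
        if qname in reply.get("answer", {}):
            return reply["answer"][qname]
        refs = reply.get("referral", {})
        zones = [z for z in refs if qname.endswith(z)]
        if not zones:
            return None  # no referral covers this name: no path to an answer
        server = refs[max(zones, key=len)]  # closest enclosing zone wins

    return None

def resolve_forwarded(qname: str, wire: Wire) -> Optional[str]:
    """dnsmasq-style: hand the whole query to one upstream, which recurses for us."""
    ask(UPSTREAM, qname, wire)
    return resolve_iterative(qname, [])  # the upstream's own walk is not on our link

def link_view(mode, qname: str):
    """What an observer on the relay's uplink learns: servers contacted and names queried."""
    wire: Wire = []
    ip = mode(qname, wire)
    return ip, [s for s, _ in wire], sorted({q for _, q in wire})
```

In both modes the queried name is visible on the uplink; what changes is only whether the packets go to the root/TLD/authoritative servers or to the single upstream.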

