[tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))

Santiago R.R. santiagorr at riseup.net
Sun Oct 8 21:05:12 UTC 2017


On 08/10/17 at 09:17, Ralph Seichter wrote:
> On 07.10.17 19:39, jpmvtd261 at laposte.net wrote:
> 
> > It looks like this package could introduce vulnerabilities if not
> > handled properly, because it provides more than just local DNS cache.
> 
> Unless you have a particular reason to use "dnsmasq", I strongly suggest
> you use "unbound" (https://www.unbound.net) instead. It supports DNSSEC
> and is very easy to configure. Here's a config file for a Tor node with
> both IPv4 and IPv6 interfaces:
> 
>   # /etc/unbound/unbound.conf
>   server:
>     interface: 127.0.0.1
>     interface: ::1
>     root-hints: "/etc/unbound/named.cache"
>     log-queries: no
>     verbosity: 0
> 
> Optional: If your node has multiple IP addresses and you want to use a
> specific one (usually one not used for Tor) for outbound connections,
> add the line "outgoing-interface: {your-ip-here}" to unbound.conf.
> 
> While "log-queries: no" is the default setting, I always add it anyway,
> in case the unbound authors decide to change this in future releases,
> however unlikely.

I would also suggest using DNS-over-TLS, so that (exit) relays can
encrypt their queries to a privacy-aware DNS resolver, such as those
found in:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

server:
    ssl-upstream: yes                          # TLS to the forwarders below

forward-zone:
    name: "."                                  # forward everything
    forward-addr: 2001:470:1c:76d::53@853      # dkg - dns.cmrg.net
    forward-addr: 199.58.81.218@853            # dkg - dns.cmrg.net
    forward-addr: 2a04:b900:0:100::37@853      # getdnsapi.net
    forward-addr: 185.49.141.37@853            # getdnsapi.net
    forward-addr: 2001:913::8@853              # LDN
    forward-addr: 80.67.188.188@853            # LDN
    ...

Another, more privacy-aware option is to use the Stubby DNS privacy
daemon, but it is still too experimental:

https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
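As an added example (not from the thread and not part of unbound), here is a small Python linter that parses unbound.conf fragments like the two above and checks the properties the thread cares about: listeners on loopback only, query logging off, and, when a catch-all forward-zone is present, ssl-upstream enabled and every forward-addr carrying @853. The two sample configs are constructed for the example; treating tls-upstream as an alias and tolerating a "#authname" suffix on forward-addr are assumptions about later unbound syntax, not something the thread shows.

```python
"""Lint an unbound.conf fragment for the DNS-over-TLS forwarding setup
discussed above. Added example; not code from the thread or from unbound."""

import ipaddress
import re

# Constructed sample: Ralph's server block merged with Santiago's
# ssl-upstream / forward-zone fragment (first two forwarders only).
GOOD_CONF = """\
server:
    interface: 127.0.0.1
    interface: ::1
    root-hints: "/etc/unbound/named.cache"
    log-queries: no
    verbosity: 0
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-addr: 2001:470:1c:76d::53@853     # dkg - dns.cmrg.net
    forward-addr: 199.58.81.218@853           # dkg - dns.cmrg.net
"""

# Constructed counter-example using RFC 5737 documentation addresses:
# listens on all interfaces, logs queries, and forwards in the clear.
BAD_CONF = """\
server:
    interface: 0.0.0.0
    log-queries: yes

forward-zone:
    name: "."
    forward-addr: 192.0.2.1
    forward-addr: 192.0.2.2@53
"""


def parse_unbound(text):
    """Map each clause name ("server", "forward-zone") to its (key, value) pairs.
    Trailing comments are stripped; several clauses with the same name are
    merged, which is enough for a lint pass over a forwarding config."""
    clauses = {}
    current = None
    for raw in text.splitlines():
        # Drop "# comment" only when preceded by whitespace, so an assumed
        # "ip@853#authname" forwarder spelling survives intact.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.endswith(":"):            # clause header such as "server:"
            current = line[:-1]
            clauses.setdefault(current, [])
            continue
        key, _, value = line.partition(":")
        clauses.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return clauses


def lint(text):
    """Return a list of findings; an empty list means the fragment follows the
    thread's recommendations."""
    conf = parse_unbound(text)
    server_pairs = conf.get("server", [])
    server = dict(server_pairs)           # last value wins for single-valued keys
    findings = []

    # Listen on loopback only: the resolver serves the Tor process on this host.
    for key, val in server_pairs:
        if key != "interface":
            continue
        try:
            addr = ipaddress.ip_address(val.split("@")[0])
        except ValueError:
            findings.append(f"interface {val}: not an IP literal, check by hand")
            continue
        if not addr.is_loopback:
            findings.append(f"interface {val} is not loopback; resolver reachable from outside")

    # An exit relay should not keep a record of what it resolved.
    if server.get("log-queries", "no") != "no":
        findings.append("log-queries is enabled; resolved names would be written to the log")

    # A catch-all forward-zone must use TLS and the DoT port on every forwarder.
    forwards = [v for k, v in conf.get("forward-zone", []) if k == "forward-addr"]
    if forwards:
        # ssl-upstream is the thread's spelling; tls-upstream is assumed as alias.
        tls = server.get("ssl-upstream", server.get("tls-upstream", "no"))
        if tls != "yes":
            findings.append("forward-addr present but neither ssl-upstream nor "
                            "tls-upstream is yes; forwarding is plaintext")
        for addr in forwards:
            host, _, rest = addr.rpartition("@")
            port = rest.split("#", 1)[0]    # "853#authname" form: keep only the port
            if not host:
                findings.append(f"{addr} has no @port; unbound would use 53, not the TLS port 853")
            elif port != "853":
                findings.append(f"{addr} forwards to port {port}, not the DoT port 853")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, "->", lint(conf) or "ok")
```

Run it against your own /etc/unbound/unbound.conf by passing the file contents to lint(). One caveat the linter cannot check for you: ssl-upstream alone encrypts the path to the forwarder but does not verify who is at the other end, so the forwarders you list are trusted by address, not by certificate.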
