[tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))

Ralph Seichter m16+tor at monksofcool.net
Mon Oct 9 07:32:12 UTC 2017


On 08.10.2017 23:05, Santiago R.R. wrote:

> I would also suggest to use DNS-over-TLS, so (exit) relays could be
> able to encrypt their queries to a privacy-aware DNS resolver [...]

I like SSL for the resulting cost increase in listening to a connection.
However, the Unbound documentation states:

  ssl-upstream: <yes or no> Enabled (sic) or disable whether the
  upstream queries use SSL only for transport. Default is no. Useful
  in tunneling scenarios.

Do you have any data on the percentage of queries that fail with SSL
*only* because upstream nameservers don't support SSL? I imagine the
majority of servers don't support it (my own authoritative nameservers
among them).

Also, manually adding forward-zone entries implies trusting specific
servers beyond the regular root zone servers, which rubs me the wrong
way.

-Ralph
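For readers following the thread, an unbound.conf fragment showing the configuration under discussion (an added illustration, not from Ralph's post or from the Unbound project; the resolver address and authentication name are placeholders, and `tls-cert-bundle` and the `#authname` suffix come from later Unbound releases than the one quoted above):

```conf
# Added example: Unbound as the exit relay's resolver, with all upstream
# traffic forced over TLS. Placeholder values must be replaced with the
# resolver the operator has decided to trust.
server:
    # The option quoted from the documentation: every upstream query uses
    # TLS transport only. Root and authoritative servers generally do not
    # listen on 853, so plain recursion would fail; this is only workable
    # together with a forward-zone for "." as below.
    ssl-upstream: yes
    # CA bundle used to verify the upstream certificate (Debian path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Forwarding "." to one operator is the trust trade-off raised in the post:
# that operator now sees every query the exit makes, in exchange for an
# encrypted hop. Without the #authname suffix the connection is encrypted
# but the server's certificate is not verified.
forward-zone:
    name: "."
    # @853 selects the DNS-over-TLS port (RFC 7858); the name after '#'
    # is the hostname the certificate must match. Both are placeholders.
    forward-addr: 192.0.2.53@853#dot.resolver.example
```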


