[tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))

Santiago R.R. santiagorr at riseup.net
Mon Oct 9 08:16:20 UTC 2017


On 09/10/17 at 09:32, Ralph Seichter wrote:
> On 08.10.2017 23:05, Santiago R.R. wrote:
> 
> > I would also suggest to use DNS-over-TLS, so (exit) relays could be
> > able to encrypt their queries to a privacy-aware DNS resolver [...]
> 
> I like SSL for the resulting cost increase in listening to a connection.

AFAIU, some recursive implementations already support TCP fast open
(RFC7413) to reduce the cost of opening a connection.
They also pipeline to send multiple queries over a single TCP
connection.

> However, the Unbound documentation states:
> 
>   ssl-upstream: <yes or no> Enabled (sic) or disable whether the
>   upstream queries use SSL only for transport. Default is no. Useful
>   in tunneling scenarios.
> 
> Do you have any data on the percentage of queries that fail with SSL
> *only* because upstream nameservers don't support SSL? I imagine the
> majority of servers don't support it (my own authoritative nameservers
> among them).

No, I don't. And I suppose you're right, the majority of upstream
nameservers don't support it. Related RFCs are quite recent, so it's not
surprising.
My stubby resolver works well, and I don't notice any issues querying
external domains.

> Also, manually adding forward-zone entries implies trusting specific
> servers beyond the regular root zone servers, which rubs me the wrong
> way.

Yes, indeed. I trust the people running the relays I listed.

And there is also DNSSEC, where available.

  -- Santiago
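As an added example (not from either poster), a minimal unbound.conf fragment for the setup discussed in this thread: every query is forwarded over DNS-over-TLS, and the global `ssl-upstream` is paired with a forward-zone for "." so unbound never tries TLS against root or authoritative servers that do not speak it. The resolver address is a documentation placeholder, and `tls-cert-bundle` is assumed to be available in the installed unbound release.

```conf
# Added example, not from the thread: unbound.conf for a forwarding-only
# resolver on an exit relay that sends all upstream queries over TLS.
server:
    # Listen only for the relay's own lookups.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # DNSSEC-validate whatever the forwarder returns (see the thread).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Global switch quoted above: ALL upstream queries use SSL/TLS only.
    # Root and authoritative servers do not offer TLS, so this is only
    # usable together with a forward-zone for "." (below); otherwise
    # most queries would fail.
    ssl-upstream: yes

    # CA bundle used to verify the forwarder's certificate. Assumed to
    # be supported by the installed unbound; without it the TLS session
    # is encrypted but the upstream is not authenticated.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    # Catch-all zone: nothing is resolved directly against authoritative
    # servers, so the resolver in forward-addr sees every query.
    name: "."
    # PLACEHOLDER (RFC 5737 documentation address): replace with the
    # DNS-over-TLS resolver you actually trust, port 853.
    forward-addr: 192.0.2.53@853
    # Do not fall back to direct recursion if the forwarder fails; a
    # fallback would silently send plaintext queries to root servers.
    forward-first: no
```

Run `unbound-checkconf` after editing, and confirm with a packet capture on the relay that upstream DNS traffic leaves only on TCP port 853.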
