[tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

Scott Bennett bennett at sdf.org
Wed Sep 13 00:25:34 UTC 2017


Ralph Seichter <m16+tor at monksofcool.net> wrote:

> On 12.09.17 23:43, Roman Mamedov wrote:
>
> > > I take it you're being ironic?
> >
> > Guess I failed at doing that well, if you had to clarify. (Or maybe
> > you didn't read my entire message.)
>
> I did read it. Just the pitfalls of non-verbal communication, and I'm
> also not a native English speaker. ;-)
>
> > Running your own authoritative nameservers is laudable as well, but the
> > current discussion is about recursive resolvers. You know, the likes of
> > 8.8.8.8 and the ones your ISP runs for their clients "to reduce traffic".
>
> If you read *my* messages in this thread, you'll find that I am fully
> aware of this. I even mentioned Google's infamous resolver by IP. :-)
> I came across one ISP so far which does not provide resolvers for their
> customers but points resolv.conf to Google's servers. Not good.
>
> > Note that 'dnsmasq' won't do, that's just a caching proxy to a fixed
> > set of a few upstream DNS resolvers; you need 'unbound' which IS a full
> > independent DNS resolver itself.
>
> Yeah, I use Unbound and BIND myself, with the former of course being
> much more frugal in terms of resource requirements. Easy to set up, too.
>
     I'd like to add a note here for FreeBSD users.  In addition to unbound
or any of the other resolvers available in the ports tree, DNS queries for
name-to-address resolution can be further reduced by a small caching utility
that is in the base system, called nscd(8).  Check the man pages for
nscd.conf(5) and nsswitch.conf(5) to see how easily you can configure its use.
nscd can also cache other, non-DNS queries' results as well (e.g., NIS).
After setting up nsswitch.conf and nscd.conf (just a few lines each), remember
to add a line that says, "nscd_enable=YES", to /etc/rc.conf and then (as root)
give the following command.

# service nscd start

Note that the rc.conf entry will take care of starting nscd(8) after a reboot.
The command shown above is only necessary when starting nscd at other times.
nscd's caching service gets inserted between the resolver(3) and its queries
of local DNS caches or distant name servers, and it is quite fast, but it
serves only the machine it runs on.  Further, it maintains per-user caches for
each type of data.  Any user can flush his cache of one type of data or all
types of data.  root also has the option of flushing all of the per-user
caches by type of data or all types of data.
     Here is an example of an nscd configuration (nscd.conf).

threads 4
enable-cache passwd yes
# enable-cache group yes
enable-cache hosts yes
enable-cache services yes
enable-cache protocols yes
enable-cache rpc yes
enable-cache networks yes
suggested-size hosts 2111
keep-hot-count hosts 4096
positive-policy hosts lfu
suggested-size services 1123

And here is nsswitch.conf to go with the above.

group: files
group_compat: nis
hosts: cache files dns
networks: cache files
passwd: cache files
passwd_compat: nis
shells: cache files
services: compat
services_compat: nis
protocols: cache files
rpc: cache files

Note that the only lines in each that pertain to the current discussion
are the lines that refer to hosts.  The rest are for caches of other data.
As you can see, configuring this high-speed, local-service-only caching
daemon is trivially easy and brief and requires installation of *no* other
software.  It can be used with or without a caching name server or other
caching resolver software.

                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
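As an added example that is not part of Scott's post or the FreeBSD base system, here is a POSIX sh check for the two files shown above: it confirms the hosts cache is enabled in nscd.conf and that "cache" precedes "dns" on the nsswitch.conf hosts: line. It assumes the line syntax shown in the post and the positive-time-to-live keyword documented in nscd.conf(5); the sample configs inside it are constructed.

```shell
# Added example, not from the original post. Each function takes file
# *contents*, so the constructed samples below run anywhere; on FreeBSD
# pass "$(cat /etc/nscd.conf)" and "$(cat /etc/nsswitch.conf)" instead.
# nscd.conf: an uncommented "enable-cache hosts yes" line must be present.
nscd_hosts_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*enable-cache[[:space:]]+hosts[[:space:]]+yes'
}
# Lifetime nscd gives cached host entries ("positive-time-to-live hosts N").
# nscd caches resolver results, not DNS records, so the DNS TTL is not used.
nscd_hosts_positive_ttl() {
    ttl=$(printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*positive-time-to-live[[:space:]]\{1,\}hosts[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' |
        head -n 1)
    printf '%s\n' "${ttl:-default}"
}
# nsswitch.conf: sources on the hosts: line, in lookup order.
nsswitch_hosts_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' | head -n 1
}
# For the cache to shield DNS, "cache" must come before "dns" on that line.
nsswitch_cache_before_dns() {
    seen_cache=0
    for src in $(nsswitch_hosts_sources "$1"); do
        case $src in
            cache) seen_cache=1 ;;
            dns) [ "$seen_cache" -eq 1 ] && return 0 || return 1 ;;
        esac
    done
    return 1
}
# Combined verdict: returns 0 only when both files agree.
check_nscd_path() {
    nscd_hosts_enabled "$1" || { echo "nscd.conf: hosts cache not enabled"; return 1; }
    nsswitch_cache_before_dns "$2" || { echo "nsswitch.conf: 'cache' must precede 'dns' on hosts:"; return 1; }
    echo "ok: hosts: $(nsswitch_hosts_sources "$2"); positive TTL: $(nscd_hosts_positive_ttl "$1")"
}

# Constructed samples: a trimmed copy of the post's files, plus an
# nsswitch.conf that consults dns before the cache.
SAMPLE_NSCD='threads 4
# enable-cache group yes
enable-cache hosts yes
positive-policy hosts lfu'
SAMPLE_NSS_OK='hosts: cache files dns
passwd: cache files'
SAMPLE_NSS_BAD='hosts: files dns cache'

check_nscd_path "$SAMPLE_NSCD" "$SAMPLE_NSS_OK"
check_nscd_path "$SAMPLE_NSCD" "$SAMPLE_NSS_BAD" || echo "(second sample rejected, as intended)"
```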

