[tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Wed Sep 13 03:13:59 UTC 2017


If it's important enough to do on a single relay, it's important
enough to do it across the entire network. I bet there are, and will
always be, plenty of exit node operators not reading this email list,
or not planning to do anything, or not configuring everything
properly, etc.

On Tue, Sep 12, 2017 at 5:25 PM, Scott Bennett <bennett at sdf.org> wrote:
> Ralph Seichter <m16+tor at monksofcool.net> wrote:
>
>> On 12.09.17 23:43, Roman Mamedov wrote:
>>
>> > > I take it you're being ironic?
>> >
>> > Guess I failed at doing that well, if you had to clarify. (Or maybe
>> > you didn't read my entire message.)
>>
>> I did read it. Just the pitfalls of non-verbal communication, and I'm
>> also not a native English speaker. ;-)
>>
>> > Running your own authoritative nameservers is laudable as well, but the
>> > current discussion is about recursive resolvers. You know, the likes of
>> > 8.8.8.8 and the ones your ISP runs for their clients "to reduce traffic".
>>
>> If you read *my* messages in this thread, you'll find that I am fully
>> aware of this. I even mentioned Google's infamous resolver by IP. :-)
>> I came across one ISP so far which does not provide resolvers for their
>> customers but points resolv.conf to Google's servers. Not good.
>>
>> > Note that 'dnsmasq' won't do, that's just a caching proxy to a fixed
>> > set of a few upstream DNS resolvers; you need 'unbound' which IS a full
>> > independent DNS resolver itself.
>>
>> Yeah, I use Unbound and BIND myself, with the former of course being
>> much more frugal in terms of resource requirements. Easy to set up, too.
>>
>      I'd like to add a note here for FreeBSD users.  In addition to unbound
> or any of the other resolvers available in the ports tree, DNS queries for
> name-to-address resolution can be further reduced by a small caching utility
> that is in the base system, called nscd(8).  Check the man pages for
> nscd.conf(5) and nsswitch.conf(5) to see how easily you can configure its use.
> nscd can also cache other, non-DNS queries' results as well (e.g., NIS).
> After setting up nsswitch.conf and nscd.conf (just a few lines each), remember
> to add a line that says, "nscd_enable=YES", to /etc/rc.conf and then (as root)
> give the following command.
>
> # service nscd start
>
> Note that the rc.conf entry will take care of starting nscd(8) after a reboot.
> The command shown above is only necessary when starting nscd at other times.
> nscd's caching service gets inserted between the resolver(3) and its queries
> of local DNS caches or distant name servers, and it is quite fast, but it
> serves only the machine it runs on.  Further, it maintains per-user caches for
> each type of data.  Any user can flush his cache of one type of data or all
> types of data.  root also has the option of flushing all of the per-user
> caches by type of data or all types of data.
>      Here is an example of an nscd configuration (nscd.conf).
>
> threads 4
> enable-cache passwd yes
> # enable-cache group yes
> enable-cache hosts yes
> enable-cache services yes
> enable-cache protocols yes
> enable-cache rpc yes
> enable-cache networks yes
> suggested-size hosts 2111
> keep-hot-count hosts 4096
> positive-policy hosts lfu
> suggested-size services 1123
>
> And here is nsswitch.conf to go with the above.
>
> group: files
> group_compat: nis
> hosts: cache files dns
> networks: cache files
> passwd: cache files
> passwd_compat: nis
> shells: cache files
> services: compat
> services_compat: nis
> protocols: cache files
> rpc: cache files
>
> Note that the only lines in each that pertain to the current discussion
> are the lines that refer to hosts.  The rest are for caches of other data.
> As you can see, configuring this high-speed, local-service-only caching
> daemon is trivially easy and brief and requires installation of *no* other
> software.  It can be used with or without a caching name server or other
> caching resolver software.
>
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
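As an added example (not part of Scott's post or anything else in this thread), a small POSIX sh audit of the files his nscd note touches (nsswitch.conf, rc.conf) plus resolv.conf, which the thread also discusses: the function names, the directory layout and the sample file contents are constructed here and are not taken from any FreeBSD tool.

```shell
#!/bin/sh
# Added example (not from the thread): audit the files Scott's note touches,
# nsswitch.conf and rc.conf, plus resolv.conf. Paths are arguments so it can be
# run against copies; each check returns 0 when the file matches the recommended setup.
# hosts: must list "cache" (nscd) before "dns", e.g. "hosts: cache files dns".
nsswitch_hosts_ok() {
    awk '/^[[:space:]]*hosts:/ {
             seen = 1
             for (i = 2; i <= NF; i++) {
                 if ($i == "cache") c = i
                 if ($i == "dns")   d = i
             }
         }
         END { if (seen && c && d && c < d) exit 0; exit 1 }' "$1"
}

# rc.conf must enable the service at boot, e.g. nscd_enable="YES" (quotes optional).
rc_enables() {
    grep -Eq "^[[:space:]]*${1}_enable=\"?YES\"?[[:space:]]*$" "$2"
}

# Every nameserver must be loopback: the exit resolves through its own recursive
# resolver (unbound on 127.0.0.1), never a third party's. An empty file also fails.
resolv_local_only() {
    awk '$1 == "nameserver" { n++; if ($2 !~ /^(127\.|::1$)/) bad = 1 }
         END { if (n && !bad) exit 0; exit 1 }' "$1"
}

# Run all checks on a directory holding the three files; non-zero if any fails.
audit_dir() {
    rc=0
    nsswitch_hosts_ok "$1/nsswitch.conf" && echo "ok   nsswitch: cache before dns" \
        || { echo "FAIL nsswitch: hosts line lacks cache or lists it after dns"; rc=1; }
    rc_enables nscd "$1/rc.conf" && echo "ok   rc.conf: nscd_enable=YES" \
        || { echo "FAIL rc.conf: nscd not enabled at boot"; rc=1; }
    resolv_local_only "$1/resolv.conf" && echo "ok   resolv.conf: loopback only" \
        || { echo "FAIL resolv.conf: points at a non-local resolver"; rc=1; }
    return $rc
}
# Constructed samples: a correct setup, and the "ISP pointed you at 8.8.8.8" one.
good=$(mktemp -d); bad=$(mktemp -d)
printf 'hosts: cache files dns\n' > "$good/nsswitch.conf"
printf 'nscd_enable="YES"\nunbound_enable="YES"\n' > "$good/rc.conf"
printf 'nameserver 127.0.0.1\n' > "$good/resolv.conf"
printf 'hosts: files dns\n' > "$bad/nsswitch.conf"
printf 'sshd_enable="YES"\n' > "$bad/rc.conf"
printf 'nameserver 8.8.8.8\n' > "$bad/resolv.conf"
for d in "$good" "$bad"; do echo "== $d"; audit_dir "$d" || echo "   -> fix before carrying exit traffic"; done
rm -rf "$good" "$bad"
```

To check a live FreeBSD box, point audit_dir at a directory holding copies of /etc/nsswitch.conf, /etc/rc.conf and /etc/resolv.conf.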
