[tor-relays] How helpful is it to run your own DNS server?

grarpamp grarpamp at gmail.com
Fri Mar 16 18:30:46 UTC 2018


On Fri, Mar 16, 2018 at 12:54 PM,  <torix at protonmail.com> wrote:
> I have seen mentions on this list of people using pi-hole and unbound DNS
> servers in their setups, and I wondered if others had considered opinions as
> to the usefulness of doing this.

https://pi-hole.net/
https://github.com/pi-hole

Pi-hole DNS style is nice where you can't get inside TLS such
as adblockplus does inside the browser, and for filtering
all traffic / apps for entire machines / networks but
it is by nature of DNS not full URI a bit less fine grained.

> Pi-hole's biggest feature seems to be
> their filter lists to block extra/evil DNS queries

One's 'extras/evils' / adverts are another's censorship.
Exits are not supposed to be censors, but enablers instead.
Would you use an exit that arbitrarily censors you, uses
arbitrary subscriptions, or is subject to arbitrary censorship?
Are there so few free and clear providers left?
Are exit bandwidth / circuits / CPU / RAM / latency
really that tight?
Is it your role to "protect" users from your idea of "bad"?
Can users identify and select from everything all
the exits might be doing, who they are, where, etc?

Those and more can all be debated in a new thread
covering philosophy of any network which might offer
exit / vpn / transit style services.

However for the tor network, exits found censoring / filtering / etc
above and beyond what they can do in their tor exit-policy
config are likely to be reported by users / scans as bad-relays,
which could lead to the exit being dropped from consensus.


> while Unbound seems to
> feature caching and validating functions.

This is of benefit to exits and users.

> I would think that a DNS cache
> that kept queries for a long time

Time is up to the zone authority, not arbitrary downstreams,
which would again be modification / censorship of the internet,
and breaks services as their zone changes and the cache doesn't.

> would certainly keep most of your queries
> out of an ISP's DNS logs.

Logs of their DNS servers, maybe, provided they don't
grab and redirect DNS into them, or record netflow, etc.

Logs of adversaries sniffing the wires, no.

> Or are there DNS providers that are relatively
> immune to their logs being requited by others?

This depends on
- providers actually not keeping logs.
- them letting you audit their claims therein.
- them not being subject to whims of the State.
- them not being hacked by same and other adversaries.

The AND operation upon these conditions
is quite unlikely to be TRUE.
Working to change that would be good.

Running a local caching DNS (unbound etc)
is considered best practice, approaching
universal for large exits due to cache savings
and performance alone.

The additional potential privacy benefit by not
expressly funneling all your users' DNS through
yet another third party is even more reason to do so.

Same for whatever censorship / evils that party
might be doing.
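The local caching resolver setup the message above recommends, as an added illustration that is not part of the original post or of the unbound project's documentation. It assumes a Linux host where the exit's tor daemon resolves through the system resolver (/etc/resolv.conf pointing at 127.0.0.1), and the file paths and cache sizes are placeholders to adjust for the relay. The settings follow the thread's points: validate with DNSSEC, let zone TTLs govern cache lifetime rather than a downstream override, recurse to the roots instead of forwarding to a third-party provider, and do not log queries.

```conf
# /etc/unbound/unbound.conf  (assumed path; example, not the post's own config)
server:
    # Listen only on loopback so just this host's tor exit can query it.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Full recursion from the root servers; no forward-zone to a third
    # party, so user lookups are not funneled through another provider.
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC validation (the "validating" function mentioned in the thread).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Caching: size for a busy exit (placeholder values), and prefetch
    # popular names before they expire. cache-min-ttl is deliberately
    # left at its default of 0 so zone authorities, not this cache,
    # decide how long records live; cache-max-ttl only caps upward.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
    cache-max-ttl: 86400

    # Privacy: send minimal qnames upstream, keep no query log,
    # and do not advertise the resolver's identity or version.
    qname-minimisation: yes
    log-queries: no
    hide-identity: yes
    hide-version: yes

    num-threads: 2
    verbosity: 1
```

Check the file with `unbound-checkconf` before restarting the daemon, and confirm `/etc/resolv.conf` contains only `nameserver 127.0.0.1` so the exit does not fall back to the ISP resolver. The two settings to avoid are a `forward-zone:` block pointing at an external resolver, which reintroduces the third party the message warns about, and a large `cache-min-ttl`, which is the "kept queries for a long time" idea and breaks services when their zone changes.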

