[tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)

Ralph Seichter m16+tor at monksofcool.net
Fri May 11 12:52:20 UTC 2018

On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:

> My first thought is to use ISP DNS if it’s available - one of the best
> things about Tor is the split of trust so why aren’t we doing that
> with DNS? Another alternative is to use trusted recursive DNSCrypt
> Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> like this so use a search engine of your choice to find them).

Assuming you can install whatever software you like, I recommend running
your own instance of Unbound on your exit node machines. Current Unbound
versions support DNSSEC validation, QNAME minimisation, etc. While using
your ISP's resolvers works as a fallback, a local resolver is better and
easy enough to set up.
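As an added illustration of the setup recommended above (not part of the original message), here is a minimal unbound.conf for a validating, non-forwarding resolver on an exit node. It does full recursion from the root servers rather than forwarding to any third-party resolver, turns on DNSSEC validation and QNAME minimisation, and only answers queries from the local host. The file paths under /var/lib/unbound and the thread count are assumptions for a typical Linux package install; adjust them to your distribution.

```conf
# /etc/unbound/unbound.conf (example configuration, not from the original post)
server:
    verbosity: 1
    num-threads: 2                      # assumed; roughly one per core on the relay

    # Listen only on loopback; the relay itself is the only client.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # Refuse everything that is not local, so the box is not an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # DNSSEC validation. The root trust anchor is kept current by RFC 5011
    # rollover; the path is an assumption (initialise it with unbound-anchor).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-clean-additional: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes

    # Send only as much of the query name as each authoritative server needs
    # (RFC 7816). Requires Unbound 1.5.7 or later.
    qname-minimisation: yes

    # Randomise 0x20 casing and keep responses small, to make cache
    # poisoning harder and reduce amplification value.
    use-caps-for-id: yes
    minimal-responses: yes
    rrset-roundrobin: yes

    # Cache sizing and prefetching help absorb the exit's query volume
    # without going back to the root repeatedly.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
    prefetch-key: yes

    # Don't advertise the resolver's identity or version.
    hide-identity: yes
    hide-version: yes

# Deliberately no forward-zone: stanza. Unbound uses its built-in root
# hints and recurses itself, so no upstream resolver sees the relay's
# queries.
```

Point the system at it with `nameserver 127.0.0.1` in /etc/resolv.conf (Tor reads that file by default, or whatever ServerDNSResolvConfFile names), then check that validation is actually happening: `dig @127.0.0.1 +dnssec example.org` should return the `ad` flag in the header, and a domain with deliberately broken DNSSEC should come back SERVFAIL rather than an answer. `unbound-checkconf` will catch typos in the file before you restart the service.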


