[tor-relays] DNS-over-TLS and DNSPrivacy.org (was: lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare))

Santiago R.R. santiagorr at riseup.net
Fri May 18 08:28:43 UTC 2018


On 11/05/18 at 14:52, Ralph Seichter wrote:
> On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> 
> > My first thought is to use ISP DNS if it’s available - one of the best
> > things about Tor is the split of trust so why aren’t we doing that
> > with DNS? Another alternative is to use trusted recursive DNSCrypt
> > Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> > like this so use a search engine of your choice to find them).
> 
> Assuming you can install whatever software you like, I recommend running
> your own instance of Unbound on your exit node machines. Current Unbound
> versions support DNSSEC validation, QNAME minimisation, etc. While using
> your ISP's resolvers works as a fallback, a local resolver is better and
> easy enough to set up.

The inconvenience with running a "standard" local resolver on the
exit relays is that the queries are forwarded in the clear, so the ISP
and others could inspect them.

I think I already mentioned DNS-over-TLS on this list, so sorry for
duplicating a message, but I think it is a good alternative to encrypt the
queries, even if that means relying on third parties (which can be
different from Quad9, Cloudflare, etc.) as resolvers.

I think the https://dnsprivacy.org material is worth reading. The project
also provides a list of several test resolvers. Some of them
do not log or censor traffic:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Disclaimer: I am part of the team that runs one of the no-logging test
servers.

And of course, anyone can run a privacy-aware DNS resolver on a
different machine and forward the queries from the relays to it with a
privacy-aware stub resolver, such as Stubby.

cheers,

Santiago
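A stub-resolver configuration for the setup described in the message above (Stubby on the relay forwarding every query over DNS-over-TLS to a separate privacy-aware resolver), added here as an example; it is not part of the original message or of the DNS Privacy project's own files. The upstream address and TLS authentication name are placeholders to be replaced with those of your own resolver.

```yaml
# Example stubby.yml for a Tor relay: send all queries over DNS-over-TLS
# to a privacy-aware resolver running on a separate machine.
# Added example; the upstream address and auth name are placeholders.

resolution_type: GETDNS_RESOLUTION_STUB

# TLS only: never fall back to plaintext UDP/TCP. If the TLS upstream is
# unreachable, queries fail rather than leaking to the ISP in the clear.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# Strict mode: the upstream's certificate must match tls_auth_name.
# GETDNS_AUTHENTICATION_NONE (opportunistic) accepts any certificate and
# offers no protection against an on-path party impersonating the resolver.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a fixed block size so their length reveals less.
tls_query_padding_blocksize: 128

# Do not send EDNS client-subnet information upstream.
edns_client_subnet_private: 1

# Keep the TLS connection open between queries (milliseconds) to avoid a
# full handshake per lookup.
idle_timeout: 10000

# Listen on loopback only; point the relay's /etc/resolv.conf at 127.0.0.1.
listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  # Placeholder (IPv4 documentation range): replace with the address and
  # certificate name of the privacy-aware resolver you operate.
  - address_data: 192.0.2.53
    tls_port: 853
    tls_auth_name: "resolver.example.net"
```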