TL;DR, if I understand how Tor relays work, Unbound (or any local DNS
server) should see a request for example.com coming from localhost or
127.0.0.1. It answers the request, stores it in cache just in case, rinse
and repeat. The machine running the exit relay is the one that makes the
DNS request, so the only thing you'd get from looking at the DNS cache
would be a "Top 100 Websites This Tor Relay Visits" sort of list.
From what I could find, a DNS cache contains the hostname and its
associated IP address, nothing more. From what I understand, even if a DNS
cache saved the source of the request, it should save "127.0.0.1" or
"localhost" as the source, since exit nodes are the source of the request,
and simply forward the response back to the client.
I couldn't find anything specific about Unbound, but it seems like there
isn't a proper way to read the DNS cache anyway unless you can somehow
decode the binary file. I suppose if you know the specific cache file, you
could copy it to a different machine with Unbound installed, and possibly
extract data from that, but this theory assumes the cache is saved to the
hard drive, and it's probably only stored in RAM.
On Sun, Oct 16, 2016 at 2:33 PM, Petrusko <petru...@riseup.net> wrote:
> Is there a way to know "who" has made this DNS query by reading the cache?
> Maybe you can know that 30 people have looked for google.com
> during the last 5 minutes, but knowing "who" made those DNS queries looks
> difficult? (I'm not an expert on hacking :p )
> 16/10/2016 21:28, Tristan :
> > Unbound does cache DNS entries, but there was also serious discussion
> > about whether or not the cache is a privacy risk/anonymity leak, but I
> > feel it's worth the trade-off since public DNS servers do the same thing.
> PubKey EBE23AE5
> C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
> tor-relays mailing list
Finding information, passing it along. ～SuperSluether
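As an added example that is not part of the thread: Unbound can write its in-memory cache out as text with `unbound-control dump_cache`, so a relay operator can check for themselves what a cache exposes. The script below parses a constructed sample that approximates that dump format (an RRset section followed by a message section; it is not output captured from any real relay) and answers the two questions raised above: which names and record types are cached, and whether any IP literal in the dump is something other than answer data. The sample records and the helper names are mine, not Unbound's.

```python
"""Inspect what an Unbound cache dump contains, from an operator's point of view.

SAMPLE_DUMP is a constructed approximation of the text that
`unbound-control dump_cache` prints; the names and addresses are illustrative.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3600 1 0 0 0
example.com.\t3600\tIN\tA\t93.184.216.34
;rrset 86400 2 0 0 0
example.com.\t86400\tIN\tNS\ta.iana-servers.net.
example.com.\t86400\tIN\tNS\tb.iana-servers.net.
;rrset 300 1 0 0 0
www.example.org.\t300\tIN\tAAAA\t2606:2800:220:1:248:1893:25c8:1946
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 3600 0 1 0 0
example.com. IN A 0
END_MSG_CACHE
EOF
"""


@dataclass(frozen=True)
class CachedRR:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_rrset_section(dump: str) -> list:
    """Return the resource records listed in the RRset section of a dump."""
    records = []
    in_rrsets = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        # ";rrset ..." header lines hold TTL/count/trust metadata for the
        # following records; they carry no information about the requester.
        if not in_rrsets or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # tolerate lines we do not understand
        records.append(CachedRR(fields[0], int(fields[1]), fields[3],
                                " ".join(fields[4:])))
    return records


def names_by_type(records) -> Counter:
    """Count cached (type, name) pairs: the 'what was looked up' view."""
    return Counter((r.rtype, r.name) for r in records)


def ip_literals_outside_rdata(dump: str, records) -> set:
    """IP literals in the dump that are not A/AAAA answer data.

    If the cache recorded requester addresses they would have to appear
    somewhere as IP literals; for a dump in this format the result is empty,
    because every address present is the rdata of an answer record.
    """
    answer_ips = {r.rdata for r in records if r.rtype in ("A", "AAAA")}
    stray = set()
    for token in dump.split():
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue
        if token not in answer_ips:
            stray.add(token)
    return stray


if __name__ == "__main__":
    rrs = parse_rrset_section(SAMPLE_DUMP)
    for (rtype, name), n in sorted(names_by_type(rrs).items()):
        print(f"{rtype:5} {name:25} {n} record(s)")
    print("IP literals that are not answer data:",
          ip_literals_outside_rdata(SAMPLE_DUMP, rrs) or "none")
```

Run against a real dump (`unbound-control dump_cache > cache.txt` on the relay, then feed the file to `parse_rrset_section`) the same functions give a per-name inventory, which is exactly the "top sites this relay resolved" picture the post describes and nothing per-client.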