On 10/16/2016 04:54 PM, Petrusko wrote:
> Thx for this share.
> But I'm not sure how Unbound is "speaking" with the root DNS servers...
> Somewhere I've read that DNS queries can be forwarded by a "man in the
> middle", and the server operator can't be sure about this :s
> An ISP is able to do it with your "private server" hosted behind your
> ISP's router...
> I see DNSSEC to encrypt DNS queries from a client to a server, but for
> sure it's not possible to use it with root DNS servers...

My VPS host uses for DNS by default. I think it's configured in
their DHCP settings or something because will end up in
/etc/resolv.conf every time the VPS restarts. Consequently, I have to
keep an eye on /etc/resolv.conf to ensure that it always points to my
Unbound instance. I take immediate action if this is not the case.

The dnscrypt repository on GitHub has a list of public DNS servers. I
point my Unbound instance at one of them and I give Unbound as much RAM
as I can to ensure that it caches as much as possible. In this way, I
can reduce the frequency of lookups to external servers. I have had
limited success with DNSSEC. I eventually had to disable it because too
many requests were failing (including torproject.org) and I was not able
to correct the issue. DNSCrypt works just fine though if you can find a
server that supports it.
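
Added example, not part of the original message: a small shell check for the /etc/resolv.conf drift described above, suitable for running from cron. It assumes the local Unbound instance listens on a loopback address (127.0.0.0/8 or ::1); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect /etc/resolv.conf drifting away from a local resolver.
# Assumption: the local Unbound listens on loopback (127.0.0.0/8 or ::1).

# Print every nameserver in the given resolv.conf that is not loopback.
foreign_nameservers() {
    awk '
        # Only active "nameserver" lines count; commented ones have a
        # different first field ("#", ";", "#nameserver") and are skipped.
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            if (addr ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/ || addr == "::1") next
            print addr
        }
    ' "$1"
}

# Return 0 only if the file lists at least one nameserver and all of them
# are loopback. A file with no nameserver line is treated as drift here so
# that it gets reviewed. Return 2 if the file cannot be read.
resolv_points_to_local() {
    file=$1
    [ -r "$file" ] || return 2
    count=$(awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$file")
    [ "$count" -gt 0 ] || return 1
    [ -z "$(foreign_nameservers "$file")" ]
}

# Report on the live file (or the file given as $1); non-zero exit on drift,
# so cron or a monitoring wrapper can alert on it.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    if resolv_points_to_local "$file"; then
        echo "OK: $file uses only loopback resolvers"
    else
        echo "ALERT: $file does not point only at the local resolver:" >&2
        foreign_nameservers "$file" >&2
        return 1
    fi
}
```

Source the file and call `check_resolv_conf` with no argument to test the live /etc/resolv.conf.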



tor-relays mailing list