On 08/10/17 at 09:17, Ralph Seichter wrote:
> On 07.10.17 19:39, [email protected] wrote:
>
> > It looks like this package could introduce vulnerabilities if not
> > handled properly, because it provides more than just local DNS cache.
>
> Unless you have a particular reason to use "dnsmasq", I strongly suggest
> you use "unbound" (https://www.unbound.net) instead. It supports DNSSEC
> and is very easy to configure. Here's a config file for a Tor node with
> both IPv4 and IPv6 interfaces:
>
> # /etc/unbound/unbound.conf
> server:
>     interface: 127.0.0.1
>     interface: ::1
>     root-hints: "/etc/unbound/named.cache"
>     log-queries: no
>     verbosity: 0
>
> Optional: If your node has multiple IP addresses and you want to use a
> specific one (usually one not used for Tor) for outbound connections,
> add the line "outgoing-interface: {your-ip-here}" to unbound.conf.
>
> While "log-queries: no" is the default setting, I always add it anyway,
> in case the unbound authors decide to change this in future releases,
> however unlikely.
I would also suggest using DNS-over-TLS, so (exit) relays could be able to
encrypt their queries to a privacy-aware DNS resolver, such as those found in:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

server:
    ssl-upstream: yes

forward-zone:
    name: "."
    forward-addr: 2001:470:1c:76d::53@853 # dkg - dns.cmrg.net
    forward-addr: 199.58.81.218@853       # dkg - dns.cmrg.net
    forward-addr: 2a04:b900:0:100::37@853 # getdnsapi.net
    forward-addr: 185.49.141.37@853       # getdnsapi.net
    forward-addr: 2001:913::8@853         # LDN
    forward-addr: 80.67.188.188@853       # LDN
    ...

Another more privacy-aware option is to use the Stubby DNS privacy daemon, but
it is still too experimental:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
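Added example, not from the thread or from the unbound project: a small Python checker that parses unbound.conf fragments like the ones above and flags the settings this thread is about (resolver listening on a non-loopback interface, query logging turned on, forwarders that would be queried without TLS). The sample config is constructed from the two snippets plus one deliberately plaintext forwarder; the parser only handles the flat "section:" / indented "key: value" layout shown here.

```python
"""Checker for the unbound.conf settings discussed in this thread."""

# Constructed sample: the two fragments merged, plus one forwarder without
# @853 to show what the check flags (9.9.9.9 is just a placeholder address).
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: ::1
    root-hints: "/etc/unbound/named.cache"
    log-queries: no
    verbosity: 0
    ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 185.49.141.37@853   # getdnsapi.net
    forward-addr: 2001:913::8@853     # LDN
    forward-addr: 9.9.9.9             # constructed: no @853, plaintext port 53
"""


def parse_unbound(text):
    """Return {section: [(key, value), ...]}, comments stripped, order kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]                     # "server:" -> "server"
            sections.setdefault(current, [])
            continue
        key, _, value = line.strip().partition(":")  # first ':' only, IPv6 safe
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def audit(conf):
    """Findings a relay operator would want to fix before deploying."""
    findings = []
    server = dict(conf.get("server", []))            # last value wins; fine here
    if server.get("log-queries", "no") != "no":
        findings.append("log-queries is enabled; query logs identify clients")
    for key, value in conf.get("server", []):
        if key == "interface" and value not in ("127.0.0.1", "::1"):
            findings.append(f"interface {value} is not loopback; resolver is exposed")
    tls = server.get("ssl-upstream", "no") == "yes"
    for key, value in conf.get("forward-zone", []):
        if key == "forward-addr":
            port = value.rsplit("@", 1)[1] if "@" in value else "53"
            if not tls or port != "853":
                findings.append(f"forward-addr {value} would be queried in plaintext")
    return findings
```

Running `audit(parse_unbound(SAMPLE_CONF))` reports only the constructed port-53 forwarder; removing `ssl-upstream: yes` makes every forwarder a finding, since unbound would then talk plain DNS to them regardless of the port.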
