On Tue, 26 Jul 2011, Anders Sundman wrote:
> > > Indeed, I am trying to set up a sane DNS resolution strategy for tor.
> > Try this unbound patch, and set unbound to use tcp only in unbound.conf
> > using
> > do-udp: no and do-tcp: yes.
> I've tried your patch (using yes/yes as suggested in a later mail). It
> seems to be working just fine. Unbound is resolving all types over tcp
> through tor, with and without dnssec. Perfect!
Excellent.
> I'm tempted to drop ttdnsd. It has served me well (thanks Jake), but
> it's always nice to get rid of complexity. But, before doing so I have
> to ponder what its implications will be on anonymity. It's not obvious
> to me that using unbound tcp over tor is any more or less anonymous than
> using the tor resolution.
> That might be a discussion best suited for another (tor) mailing list
> though.
Note that unbound's behaviour can be easily changed using its python
module. For instance, TTLs could be changed randomly or capped, to
improve anonymity. But indeed, take it up with the tor people.
The easiest integration would be to configure unbound with a forwarder for
127.0.0.1 XXX where XXX would lead into a tor virtual circuit to google's
8.8.8.8 open resolver (that supports dnssec). tor could frequently change
the exit node without unbound needing to know its routing changed.
Wouter: could the patch be stuck into a configurable option? :)
Paul
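An unbound.conf sketch of the forwarder setup Paul outlines above, added here as an example and not taken from the thread or from Unbound's own documentation. The local port 9053 is an assumed placeholder for the thread's "XXX" (whatever local port tor or a helper turns into a circuit to 8.8.8.8), and the trust-anchor path is assumed.

```conf
# Added example, not from the thread. Assumes tor (or a helper such as
# a local TCP relay) listens on 127.0.0.1:9053 and carries the
# connection through a tor circuit to 8.8.8.8 port 53 (port is a
# placeholder for the thread's "XXX").
server:
    # TCP only toward the network, as suggested in the thread; the
    # patched build forces TCP upstream (the later mail allowed yes/yes).
    do-udp: no
    do-tcp: yes

    # Validate DNSSEC locally, so neither the exit node nor the open
    # resolver can hand back forged answers unnoticed (path assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Only answer local clients; this is a personal resolver, not open.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

# Send every query to the local tor-side port instead of iterating
# from the roots, so unbound never needs to know which exit is in use.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@9053
```

Current Unbound releases also expose a `tcp-upstream: yes` server option for forcing TCP toward upstream servers, which is the configurable knob Paul asks Wouter for; with it, the patch is not needed for this layout.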
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users