On 2014-08-13 18:45, [email protected] wrote:
Hi, we are trying to figure out the best way to handle DNS requests to
both clearnet and Tor onionland,
while still having MX lookups working, in order to correctly send
emails to clearnet hosts.
Currently we are using just Tor, configured as transparent proxy and
DNS resolver.
This is nice because all DNS requests are done through Tor
but MX lookups will fail, and for an email provider service, this is a
show stopper.
Various online resources suggest to use Tor only to resolve onion
addresses
and Unbound for all the rest,
but we are having difficulties in configuring Unbound.
This is Debian 7 (wheezy)
and the configuration we are talking about should be something like
this:

# cat /etc/unbound/unbound.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    tcp-upstream: yes
    do-udp: no
    domain-insecure: "onion"
    private-domain: "onion"
    do-not-query-localhost: no
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@54

54 is Tor DNS resolver port.
As you see, we are not Unbound experts, and this configuration does not
work.
Can you please supply a minimal Unbound configuration, that accepts
DNS queries only from localhost
and that routes .onion requests to Tor on port 54?
Thanks for this great project and wish you great holidays!
RuggedInbox team

Never mind, fixed.
We found the unbound.conf.example file and worked on that.
When enabling "do-udp: no", unbound stops working.
Same with "tcp-upstream: yes".
So basically we left everything as is and just enabled:

    domain-insecure: "onion"
    private-domain: "onion"
    do-not-query-localhost: no

and added:

    forward-zone:
        name: "onion"
        forward-addr: 127.0.0.1@54

at the end of the file.
54 is the Tor DNS port.
Now it looks like the server is able to resolve both clearnet and
onionland addresses
and also correctly resolve MX records on the clearnet.
Comments are appreciated, wonder if this is the correct / best way.
Thanks for supporting
RuggedInbox team
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
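
Added example, not part of the original messages and not Unbound or Tor project code: a small checker that reads an unbound.conf and flags the settings this thread identifies as breaking or required for forwarding .onion to Tor's DNS port while staying bound to localhost. The function names, the BROKEN sample and the 127.0.0.1@54 default (taken from the thread) are assumptions of this example.

```python
import re

# Constructed sample: the first unbound.conf from the thread (reported as not working).
BROKEN = '''
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    tcp-upstream: yes
    do-udp: no
    domain-insecure: "onion"
    private-domain: "onion"
    do-not-query-localhost: no
forward-zone:
    name: "onion"
    forward-addr: 127.0.0.1@54
'''

def parse(text):
    """Return (clause, option, value) tuples from unbound.conf-style text."""
    clause, out = None, []
    for raw in text.splitlines():
        m = re.match(r'\s*([\w-]+):\s*"?([^"]*)"?', raw.split("#", 1)[0])
        option, value = (m.group(1), m.group(2).strip()) if m else (None, "")
        if value:
            out.append((clause, option, value))
        elif option:
            clause = option  # a bare "server:" or "forward-zone:" opens a clause
    return out

def check_onion_forward(text, tor_dns="127.0.0.1@54"):
    """List (option, problem) pairs; names here are illustrative, not Unbound's API."""
    opts = parse(text)
    def values(name):
        return [v for c, o, v in opts if c == "server" and o == name]
    problems = []
    # Tor's DNSPort listens for UDP requests, so TCP-only settings cut the forwarder off.
    if (values("do-udp") or ["yes"])[-1] == "no":
        problems.append(("do-udp", "UDP disabled; the thread reports this stops resolution"))
    if (values("tcp-upstream") or ["no"])[-1] == "yes":
        problems.append(("tcp-upstream", "TCP-only upstream; the thread reports the same"))
    if (values("do-not-query-localhost") or ["yes"])[-1] != "no":
        problems.append(("do-not-query-localhost", "must be 'no' to use a 127.0.0.1 forwarder"))
    if "onion" not in values("domain-insecure"):
        problems.append(("domain-insecure", "'onion' not exempted from DNSSEC validation"))
    if any(i.split("@")[0] not in ("127.0.0.1", "::1") for i in values("interface")):
        problems.append(("interface", "listens on a non-loopback address"))
    zones = [(o, v) for c, o, v in opts if c == "forward-zone"]
    if ("name", "onion") not in zones or ("forward-addr", tor_dns) not in zones:
        problems.append(("forward-zone", "no 'onion' zone forwarding to " + tor_dns))
    return problems
```

Run against the first configuration it reports do-udp and tcp-upstream; with those two lines removed, as in the follow-up message, it reports nothing.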