[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Let's increase the amount of exit relays doing DNSSEC validation

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Let's increase the amount of exit relays doing DNSSEC validation
From: Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx>
Date: Tue, 10 Apr 2018 21:51:56 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 10 Apr 2018 15:52:17 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=monksofcool.net; s=201802; t=1523389917; bh=d1kbGDhlS2+yHux5+rcrECni1FqGuOFN8F9N3/TUZAk=; h=Subject:To:References:From:Message-ID:Date:User-Agent:In-Reply-To: Content-Type:Content-Language; b=QWhP0n+h6P8AnW4ZPpUpBCdDBCDCoCK669j6SBc8M5rKJsGS8xHDO6ZtRBFu5H85Q 4FI45CzrGV+v1JWlw1mv2wclgeiXrOoy3QHr9Ve+r1vR8+b81VIJE229NRyl1CZAqt HaqE1TPGPtsYmPswDjDI9jcNk1rA61n1R91PdRw+T5FK7eXX5FebETH++Vrbr0sG5o GFZhS8cBRM9z4wxMBIzt8ihZzNW5pgH3lCj1Nurvnl5Q2qU/pUHGEOEULC1/VC+HY/ NNY0pxOB1ut1wGpxA7Se1e4GsaHnLdpbeu7V/2NSXo/ASd+dMi3ruNrvHda/A2aKh4 K/YhvjUKcGFLg==
In-reply-to: <216eda73-895b-c462-5b3e-50e4900c24c0@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <216eda73-895b-c462-5b3e-50e4900c24c0@riseup.net>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

On 09.04.18 13:10, nusenu wrote:

> I recommend a local caching unbound (https://unbound.net/) DNS
> resolver without using an upstream DNS forwarder.

No forwarders indeed. Additionally, I recommend the following settings
in the unbound.conf of Tor exits:

  # Disable logging.
  log-queries: no
  log-replies: no

  # Sent minimum amount of information to upstream servers to enhance
  # privacy. Only sent minimum required labels of the QNAME and set
  # QTYPE to NS when possible.
  qname-minimisation: yes

  # If yes, Unbound doesn't insert authority/additional sections
  # into response messages when those sections are not required.
  minimal-responses: yes

Logging might be disabled as a default depending on how your Unbound was
built, but I like to make certain.

-Ralph

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Let's increase the amount of exit relays doing DNSSEC validation
  - From: nusenu

Prev by Author: [tor-relays] Alternative hoster (Re: DigitalOcean bandwidth billing changes)
Next by Author: Re: [tor-relays] DigitalOcean bandwidth billing changes
Previous by thread: [tor-relays] Let's increase the amount of exit relays doing DNSSEC validation
Next by thread: Re: [tor-relays] Let's increase the amount of exit relays doing DNSSEC validation
Index(es):
- Author
- Thread