
Re: [tor-relays] DNS Server



Of course. But, as far as I know, you can host multiple domains on the same IP. So, in such a case, if you only know the IP you can't tell what domain I visit.

It's just that I don't understand why the public DNS providers claim to improve privacy.

On 23/01/19 09:01, Rose wrote:
adversaries can already see what IP addresses you are connecting to,
even though they can't see your DNS queries, they can easily just do a
reverse DNS on the IP addresses you connect to, to find out what you
were doing.

On 23/01/19 2:32 PM, dns1983@xxxxxxxxxx wrote:
In the threat model that I worry about, DNS is part of the problem. If
a malicious entity can put together DNS data with other big data, it can
increase its power and become a more dangerous threat.

But as I said, I lack many networking notions.

Anyway, I find the solutions you proposed to me very satisfying. Thank
you very much.

Cheers

Ale

On 23/01/19 00:42, eric gisse wrote:
This is what I do:

My tor exit node runs on its own, but I have a full caching bind
server on a different VM. This services some domains I run, with ACLs
to do regular DNS.

I use the following DNS servers:

2606:4700:4700::1111 -- Cloudflare
2001:1608:10:25::1c04:b12f -- https://dns.watch/
2600::1 -- Sprint

No individual DNS provider inspires me with amazing confidence,
however the caching server turns my bind instance into a pretty
solidly constructed one.

1) I don't really think v6 snooping/monitoring is "there yet". Thin
gruel, but still.
2) DNS doesn't go out the same stack in the case of v4 requests and
doesn't go out the same IP for v6. Sure, you can associate to within
the same /64 but that's just more effort any attacker would have to
do.
3) I cache a LOT.

Check out these nameserver cache statistics:

services /var/log/named # grep -i cache stats
++ Cache Statistics ++
[View: internal (Cache: internal)]
            251588520 cache hits
               452018 cache misses
             50306019 cache hits (from query)
             63441802 cache misses (from query)

I cache a LOT.

Think of your threat model - what are you worried about? Is DNS really
your concern?

On Tue, Jan 22, 2019 at 2:53 AM <dns1983@xxxxxxxxxx> wrote:
Hello,

I'm a student, so I lack many networking notions.

Which are the most privacy reliable public DNS servers? I don't exactly know how to choose a third-party DNS server. I read that Cloudflare servers are audited by third parties but I'm not sure that I can trust them. Do you think that audit is trustworthy?

Thanks
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays