On 10/16/2016 04:54 PM, Petrusko wrote:
> Thx for this share.
>
> But I'm not sure how Unbound is "speaking" with the root DNS servers...
> Somewhere I've read that DNS queries can be forwarded by a "man in the
> middle", and the server operator can't be sure about this :s
> An ISP is able to do it with your "private server" hosted behind your
> ISP's router...
>
> I see DNSSEC to encrypt DNS queries from a client to a server, but for
> sure it's not possible to use it with root DNS servers...

My VPS host uses 8.8.8.8 for DNS by default. I think it's configured in their DHCP settings or something, because 8.8.8.8 will end up in /etc/resolv.conf every time the VPS restarts. Consequently, I have to keep an eye on /etc/resolv.conf to ensure that it always points to my Unbound instance. I take immediate action if this is not the case.

The dnscrypt repository on GitHub has a list of public DNS servers. I point my Unbound instance at one of them and I give Unbound as much RAM as I can to ensure that it caches as much as possible. In this way, I can reduce the frequency of lookups to external servers.

I have had limited success with DNSSEC. I eventually had to disable it because too many requests were failing (including torproject.org) and I was not able to correct the issue. DNSCrypt works just fine though, if you can find a server that supports it.

--
Jesse
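The resolv.conf drift Jesse describes (the host's DHCP putting 8.8.8.8 back after every restart) is easy to catch with a small script. The following POSIX shell check is an added example, not part of Jesse's message, of Unbound, or of the dnscrypt project. It assumes the local Unbound instance listens on 127.0.0.1 (override with EXPECTED_RESOLVER) and takes the file path as an argument so it can be run against a copy or a constructed sample as well as the live /etc/resolv.conf; the sample contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example: detect and repair a resolv.conf that no longer points at the
# local Unbound instance. EXPECTED_RESOLVER is an assumption (Unbound on loopback).
EXPECTED_RESOLVER="${EXPECTED_RESOLVER:-127.0.0.1}"

# resolv_conf_ok FILE
#   exit 0  if FILE has at least one nameserver line and all of them are EXPECTED_RESOLVER
#   exit 1  if a nameserver line is missing or points elsewhere (stray entries on stderr)
#   exit 2  if FILE cannot be read
resolv_conf_ok() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "resolv.conf check: cannot read $file" >&2
        return 2
    fi
    found=0
    stray=0
    # Fields: keyword, value, remainder. Comment lines have "#..." as the keyword
    # and fall through the case statement, so "#nameserver 8.8.8.8" is ignored.
    while read -r key value _rest; do
        case "$key" in
            nameserver)
                found=$((found + 1))
                if [ "$value" != "$EXPECTED_RESOLVER" ]; then
                    echo "resolv.conf check: stray nameserver $value in $file" >&2
                    stray=$((stray + 1))
                fi
                ;;
        esac
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "resolv.conf check: no nameserver line in $file" >&2
        return 1
    fi
    [ "$stray" -eq 0 ]
}

# point_at_local_resolver FILE
#   Rewrite FILE so that only EXPECTED_RESOLVER is used. Any "search"/"domain"
#   lines are preserved; nameserver and options lines are dropped.
point_at_local_resolver() {
    file="$1"
    tmp="$file.tmp.$$"
    { [ -r "$file" ] && grep -E '^(search|domain)[[:space:]]' "$file"; } > "$tmp" 2>/dev/null || true
    echo "nameserver $EXPECTED_RESOLVER" >> "$tmp"
    mv "$tmp" "$file"
}

# Demo on constructed files (not the live /etc/resolv.conf).
demo() {
    dir=$(mktemp -d)
    printf 'nameserver 127.0.0.1\n' > "$dir/good.conf"
    printf '# generated by dhcp\nsearch example.invalid\nnameserver 8.8.8.8\nnameserver 127.0.0.1\n' > "$dir/drifted.conf"
    for f in good.conf drifted.conf; do
        if resolv_conf_ok "$dir/$f"; then
            echo "$f: OK"
        else
            echo "$f: repairing"
            point_at_local_resolver "$dir/$f"
            resolv_conf_ok "$dir/$f" && echo "$f: repaired"
        fi
    done
    rm -rf "$dir"
}

# Run the demo when executed directly, e.g. from cron as a periodic check.
[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check-resolv.sh demo` to see the constructed cases, or call `resolv_conf_ok /etc/resolv.conf` from a cron job and alert (or call `point_at_local_resolver`) on a non-zero exit. Rewriting the file is a stopgap; the durable fix is to stop the DHCP client from managing resolv.conf, which depends on the distribution and is outside this example.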
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays