[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)



Here's what I personally recommend:

 

1. Make sure that /etc/resolv.conf contains 127.0.0.1 only. Ensure you have no DNS servers specified in /etc/network/interfaces. This will ensure that all DNS traffic will go through dnsmasq.

2. You can start by editing /etc/dnsmasq.conf as follows:

 

# Only listen on loopback

interface=lo

bind-interfaces

 

# DNS servers

no-resolv

no-poll

no-hosts

server=8.8.4.4

server=8.26.56.26

server=74.82.42.42

server=64.6.64.6

server=8.8.8.8

server=8.20.247.20

server=64.6.65.6

 

# Performance

cache-size=10000

dns-forward-max=2048

 

# No DHCP or TFTP

no-dhcp-interface=1

 

3. The value of dns-forward-max is just a rough guess for a high-capacity Exit relay. Please feel free to tune it.

4. Use ss or netstat to make sure that dnsmasq only opens port 53 on the loopback interface (lo, 127.0.0.01) and does not listen on any external network interfaces.

5. If you have iptables configured, please make sure you allow traffic to port 53 from 127.0.0.1.

6. You can find the IP addresses of some public DNS servers here: https://www.lifewire.com/free-and-public-dns-servers-2626062.

7. Consider adding any DNS servers that your ISP may provide (ask them).

8. PLEASE exclude any DNS servers that attempt to censor/filter any web addresses (such as “Comodo Secure DNS”).

9. I recommend picking DNS servers with the lowest ping latency to your Tor relay (i.e. try pinging them manually).

 

Thanks for running a Tor relay!

- Igor

 

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of jpmvtd261@xxxxxxxxxxx
Sent: Saturday, October 7, 2017 10:39 AM
To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] dnsmasq configuration for an exit relay (Debian)

 

Hello,

 

I am looking for instructions on how to configure dnsmasq on a Debian exit relay (in order to cache DNS queries).

 

It looks like this package could introduce vulnerabilities if not handled properly, because it provides more than just local DNS cache.

 

If I had to install it without any advice, I would do this :

 

 

1) Install dnsmaq package with the command  "aptitude install dnsmask" .

 

2) Make sure that the first line of the file /etc/resolv.conf is  "nameserver 127.0.0.1"  (see https://wiki.debian.org/HowTo/dnsmasq#Local_Caching ).

 

3) Make sure that the file /etc/dnsmasq.conf contains the line  "listen-address=127.0.0.1"  (to restrict dnsmasq to the local system).

 

4) Set the cache size to 10000 by adding or editing this line  "cache-size=10000"  in the file /etc/dnsmasq.conf  (as suggested by Igor Mitrofanov here https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html ).

 

5) Reboot (is it necessary ?).

 

 

Does anyone think that this procedure could start a daemon listening on a port of my server ? Or is it safe to do this on my exit relay ?

 

Regards

_______________________________________________

tor-relays mailing list

tor-relays@xxxxxxxxxxxxxxxxxxxx

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays