Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)



On 07.10.17 19:39, jpmvtd261@xxxxxxxxxxx wrote:

> It looks like this package could introduce vulnerabilities if not
> handled properly, because it provides more than just local DNS cache.

Unless you have a particular reason to use "dnsmasq", I strongly suggest
you use "unbound" (https://www.unbound.net) instead. It supports DNSSEC
and is very easy to configure. Here's a config file for a Tor node with
both IPv4 and IPv6 interfaces:

  # /etc/unbound/unbound.conf
  server:
    interface: 127.0.0.1
    interface: ::1
    root-hints: "/etc/unbound/named.cache"
    log-queries: no
    verbosity: 0

Optional: If your node has multiple IP addresses and you want to use a
specific one (usually one not used for Tor) for outbound connections,
add the line "outgoing-interface: {your-ip-here}" to unbound.conf.

While "log-queries: no" is the default setting, I always add it anyway,
in case the unbound authors decide to change this in future releases,
however unlikely.

-Ralph
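
Added example, not part of the message above: a small Python check that parses the server: clause of an unbound.conf like the one shown and reports listeners beyond loopback, enabled query logging, a verbosity above 0, and an outgoing-interface that matches an address Tor uses. The sample config, the 192.0.2.10 address and the function names are constructed for illustration; include: files are not followed.

```python
import ipaddress

# Constructed sample: the config from the message plus deliberate mistakes.
SAMPLE_CONF = '''\
# /etc/unbound/unbound.conf
server:
    interface: 127.0.0.1
    interface: ::1
    interface: 0.0.0.0            # mistake: listens on every address
    root-hints: "/etc/unbound/named.cache"
    log-queries: yes              # mistake: client queries end up in the log
    verbosity: 0
    outgoing-interface: 192.0.2.10
'''

def parse_server_clause(text):
    """Return {option: [values]} for the server: clause only."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value == "":                          # clause header such as "server:"
            in_server = (key == "server")
        elif in_server:
            opts.setdefault(key, []).append(value.strip('"'))
    return opts

def audit(text, tor_addresses=()):
    """Return findings; tor_addresses is the caller's list of IPs Tor binds to."""
    opts, findings = parse_server_clause(text), []
    for iface in opts.get("interface", []):
        addr = iface.split("@", 1)[0]            # unbound accepts ip@port
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False                     # not an IP literal
        if not loopback:
            findings.append(f"interface {iface}: listens beyond loopback")
    if "yes" in opts.get("log-queries", []):
        findings.append("log-queries: yes writes resolved names to the log")
    if any(int(v) > 0 for v in opts.get("verbosity", ["1"])):  # unbound default is 1
        findings.append("verbosity is above the 0 used in the message")
    for out in opts.get("outgoing-interface", []):
        if out in tor_addresses:
            findings.append(f"outgoing-interface {out} is also used by Tor")
    return findings
```

Calling audit(SAMPLE_CONF, tor_addresses=("192.0.2.10",)) returns three findings; the config from the message itself returns none.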