[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
From: Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx>
Date: Mon, 9 Oct 2017 09:32:12 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 09 Oct 2017 03:32:39 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=monksofcool.net; s=bravo; t=1507534338; bh=EAHOfk7DG9jvLuT6+AegHSjSfRhLktgpoTAQXlUMQ1Q=; h=Subject:To:References:From:Message-ID:Date:User-Agent:In-Reply-To: Content-Type:Content-Language; b=p09DpJprViI9CjTEw5L8yhyMqDr950nXt8/8sscJMYKcIIWj52UsCjmMGSKTm1RkV Ck3o68tKr23va8wVU8g1uPLeOOuqwj3yYoGjAbkytHiSvTtGxPvULkFESPgU79y+Ft LVYzb39pRzrzRk0yI+WW6K9UXoDjhTv9vk8Dte5h5hPp7JuPm26U7+5Q77VSrgPUr3 kSnJbqQyEEhUSlJS0up5FaBFL01SWDepBnZWFMKl6di75pVGQQ6/y0baL0H0g0bn3t 66tQ/EUVEGkp8aGJmFUlmc64/IRApzLv4hsTKuD8KzLwObZI2ZJlNGEMXs4Y99J4D1 lYrt2rVvvNUag==
In-reply-to: <20171008210512.ktyfu64xes4kidpl@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <893478694.1218993.1507397950354.JavaMail.zimbra@laposte.net> <e5e7d8d3-caff-0176-b567-0fd6a4f2fa40@monksofcool.net> <20171008210512.ktyfu64xes4kidpl@riseup.net>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 08.10.2017 23:05, Santiago R.R. wrote:

> I would also suggest to use DNS-over-TLS, so (exit) relays could be
> able to encrypt their queries to a privacy-aware DNS resolver [...]

I like SSL for the resulting cost increase in listening to a connection.
However, the Unbound documentation states:

  ssl-upstream: <yes or no> Enabled (sic) or disable whether the
  upstream queries use SSL only for transport. Default is no. Useful
  in tunneling scenarios.

Do you have any data on the percentage of queries that fail with SSL
*only* because upstream nameservers don't support SSL? I imagine the
majority of servers don't support it (my own authoritative nameservers
among them).

Also, manually adding forward-zone entries implies trusting specific
servers beyond the regular root zone servers, which rubs me the wrong
way.

-Ralph

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
  - From: Santiago R.R.

References:
- [tor-relays] dnsmasq configuration for an exit relay (Debian)
  - From: jpmvtd261
- Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)
  - From: Ralph Seichter
- [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
  - From: Santiago R.R.

Prev by Author: Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)
Next by Author: Re: [tor-relays] dnsmasq configuration for an exit relay (Debian)
Previous by thread: [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
Next by thread: Re: [tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
Index(es):
- Author
- Thread