Hi,

When I set up a Tor Exit, I set up a local resolver (BIND) as a cache.

Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when resolution fails. (I have since removed these entries from the logs.)

One way to prevent this is to disable logging on BIND entirely:

    logging {
        category default { null; };
    };

Another is to isolate the categories that log DNS names, and disable them individually:

    logging {
        // these categories log DNS names
        category dnssec { null; };
        category edns-disabled { null; };
        category lame-servers { null; };
        category resolver { null; };
        category security { null; };
        // also ignore uncategorised log messages
        category unmatched { null; };
    };

I've updated the Tor wiki page on BIND with this configuration:
https://trac.torproject.org/projects/tor/wiki/doc/BIND

Does anyone know how to work out all the BIND categories that log DNS names?
(All of the documentation I found online was helping people log *every* DNS query.)

Or is it safer just to log a few essential categories?
(Can anyone recommend any?)

Has anyone checked if the logs on other resolvers (like unbound) have the same issue?

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
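One way to approach the question above of which categories log DNS names, as an added example that is not part of the original post: audit captured named log lines per category and emit a matching `null` stanza. It assumes the logging channel has `print-category yes;` and `print-severity yes;` so each message starts with "category: severity:"; the log lines, host name and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape: syslog prefix, then "category: severity: message", as
# emitted by a channel with print-category and print-severity set to yes.
NAMED_LINE = re.compile(r"named\[\d+\]: (?P<cat>[a-z-]+): (?P<sev>[a-z]+): (?P<msg>.*)")
# Domain-like token: one or more labels followed by an alphabetic final label.
# Addresses such as 192.0.2.53#53 do not match because the last label is numeric.
DOMAIN = re.compile(r"(?<![\w.-])(?:[a-z0-9_][a-z0-9_-]*\.)+[a-z]{2,}(?![\w-])", re.I)

# Constructed sample lines (documentation names and addresses), not real logs.
SAMPLE = [
    "Feb 28 10:15:01 exit1 named[812]: general: info: all zones loaded",
    "Feb 28 10:15:01 exit1 named[812]: network: info: listening on IPv4 interface lo, 127.0.0.1#53",
    "Feb 28 10:16:40 exit1 named[812]: lame-servers: info: error (connection refused) resolving 'www.example.com/A/IN': 192.0.2.53#53",
    "Feb 28 10:16:42 exit1 named[812]: lame-servers: info: lame server resolving 'example.net' (in 'example.net'?): 198.51.100.7#53",
    "Feb 28 10:17:03 exit1 named[812]: dnssec: info: validating example.org/A: no valid signature found",
    "Feb 28 10:17:09 exit1 named[812]: edns-disabled: info: success resolving 'mail.example.org/MX' (in 'example.org'?) after disabling EDNS",
    "Feb 28 10:20:00 exit1 named[812]: general: notice: running",
]

def audit(lines):
    """Return (lines seen per category, lines containing a DNS name per category)."""
    seen, leaking = Counter(), Counter()
    for line in lines:
        m = NAMED_LINE.search(line)
        if not m:
            continue  # not a named line, or category printing is off
        seen[m["cat"]] += 1
        if DOMAIN.search(m["msg"]):
            leaking[m["cat"]] += 1
    return seen, leaking

def null_stanza(leaking):
    """Build a logging stanza that sends every name-logging category to null."""
    body = "".join(f"    category {cat} {{ null; }};\n" for cat in sorted(leaking))
    return "logging {\n" + body + "};\n"

if __name__ == "__main__":
    seen, leaking = audit(SAMPLE)
    for cat in sorted(seen):
        print(f"{cat:15} {leaking[cat]}/{seen[cat]} lines contain a name")
    print(null_stanza(leaking))
```

The audit only reports categories that appear in the lines it is given, so a category that has not logged anything yet will not show up in the generated stanza.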