[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
From: spaceman <spaceman@xxxxxxxxxxxxxxxx>
Date: Mon, 21 Dec 2015 00:04:48 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 20 Dec 2015 19:23:41 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antispaceman.com; s=default; t=1450656400; bh=kd2FJ4WvMOyrP3CqsQh0XhAgiGnyTujh4cD3/GvZc0I=; h=Date:From:To:Subject:References:In-Reply-To; b=U9kLO0v4/eZwqPk0wkZJunVyjGMZ53k7gh4mr9dZQrmkXS229CPM0WmuE0aBYeL6H 4eFFWGF9DsNYTCjvM7erjqBctXn/ZX8yadB5lGUbSIewA8paCJr5pRgAiYVJ41ASwd bUgJnKI42SYhFb5P4prVv/JNb+gWi/6b+2xeHjn6YdCqeN6p2YGSnZ9p0ioTEop6v1 hIw1jgqel4NhxbRD6V0J0Z4BQwEp9nL2rdGoQnA40AOHCfwG9HgLKVkZOpqb/7ld2W XTA+WAYPqOtslZ1b4OfUaZKRvD45kDbbjs2JGE6I+Ozq4Hg6XyhcfkLU7d9WP+e/kk I+qd/qrIElZvg==
In-reply-to: <5675CACE.20800@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Mail-followup-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
References: <5675CACE.20800@xxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.23 (2014-03-12)

Hi,

Although I cannot say how secure this configuration is but you can run thiskind of setup client side as well. So:


Bind --> DNSCrypt Proxy --> Tor --> DNSCrypt Compatible Server

The secret here is to force DNSCrypt to run over TCP only which can then beredirected through a Tor TransPort. This allows you to do several types ofqueries that tors own DNS port cannot do (such as SRV for xmpp). Dual stackersbeware as you will default to IPv6 if you use this setup. You will need toblock UDP port 443 as DNSCrypt proxy checks if it is available annoyinglyleaving you exposed.

Again I cannot provide analysis as to whether this is secure as DNSCrypt couldbe sending personally identifiable information without my knowledge as Ihaven't read the source code for DNSCrypt.


Regards,
spaceman

Attachment: pgpKURzXRrTsS.pgp
Description: PGP signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
  - From: Jesse V

References:
- [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
  - From: Jesse V

Prev by Author: Re: [tor-relays] Opt-In Trial: Fallback Directory Mirrors
Next by Author: Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
Previous by thread: Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
Next by thread: Re: [tor-relays] Running an exit? Please secure your DNS with DNSCrypt+Unbound
Index(es):
- Author
- Thread