On 12/20/2015 03:04 PM, spaceman wrote:
> Hi,
>
> Although I cannot say how secure this configuration is but you can run
> this kind of setup client side as well. So:
>
> Bind --> DNSCrypt Proxy --> Tor --> DNSCrypt Compatible Server

You can do this, but Tor doesn't support all types of DNS queries.

Weasel and velope on #tor-project suggested that I remove DNSCrypt entirely and let Unbound be a recursive resolver against the root DNS servers, which I have now done. This way, I'm not using a third-party DNS server and Unbound is using a large cache and DNSSEC. Although DNSSEC doesn't provide confidentiality for DNS queries, it does provide authentication and integrity checks. Unbound with a large cache and DNSSEC re-enabled is probably superior to Unbound+DNSCrypt without DNSSEC.

The point still stands though; you can secure and optimize an exit's DNS using Unbound.

--
Jesse V
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
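
An added example, not part of the original message and not the author's actual configuration: an `unbound.conf` fragment for the setup the reply describes (Unbound recursing from the root servers, DNSSEC validation on, a large cache, no third-party forwarder). The file paths, cache sizes and the port in the commented-out forwarder are assumptions.

```conf
# Added example. Paths, sizes and the forwarder port are assumptions,
# not values taken from the thread.
server:
    # Answer only the relay host itself.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Recursive resolution starting at the root servers.
    # (Unbound falls back to built-in hints if this file is not set.)
    root-hints: "/var/lib/unbound/root.hints"

    # DNSSEC: validate against the root trust anchor and reject answers
    # whose signatures were stripped from a zone that should be signed.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # Large cache. The RRset cache is sized at twice the message cache.
    msg-cache-size: 128m
    rrset-cache-size: 256m

    # Refresh popular entries and DNSKEYs before they expire, so that
    # lookups made on behalf of exit traffic are served from cache.
    prefetch: yes
    prefetch-key: yes

    # Do not answer id.server / version.server queries.
    hide-identity: yes
    hide-version: yes

# For comparison, the layout being replaced: every query handed to a local
# DNSCrypt proxy, which relays it to a third-party resolver. Leaving this
# block out is what makes Unbound resolve recursively on its own.
#
# forward-zone:
#     name: "."
#     forward-addr: 127.0.0.1@5353    # hypothetical proxy port
```

`unbound-checkconf` checks the file's syntax. Once Unbound is running, a query for a signed zone with `dig @127.0.0.1 <signed-domain> +dnssec` should return the `ad` flag when validation succeeded.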