On 12/26/2015 10:33 PM, 12xBTM wrote:

> Also, in your current configuration, you have no Unbound forward-zones.
> Which, to my understanding, is a fatal error if you're using DNSCrypt.
> Tor interfaces with Unbound on your 127.5.3.53, but how does Unbound
> know where to forward queries to DNSCrypt-proxy?

Yes, because I'm no longer using DNSCrypt, just Unbound, which queries authoritative DNS servers. I'm caching as much as I can, but I'm out of RAM at this point, so Unbound does have to do some recursions. I'm tempted to re-apply DNSCrypt in order to forward queries to another server that can do more caching, but I haven't done that yet.

Thanks again to the folks on IRC who correctly pointed out that DNSCrypt has the same security model as a VPN: it only protects client-server traffic, and the server has to be trustworthy. Currently, I'm better off using DNSSEC and querying authoritative DNS servers than turning off DNSSEC and using Unbound. If I get a second server set up, it will use DNSSEC and I'll chain the two Unbound instances together with DNSCrypt. That should give me better performance.

I'll look into setting up a fallback nameserver for redundancy, as you pointed out.

-- Jesse V
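The two Unbound setups discussed in this thread, as an added illustration that is not from either poster: a validating resolver that recurses to authoritative servers itself, and the alternative where a forward-zone hands queries to a local dnscrypt-proxy. The listen address 127.5.3.53 comes from the thread; the dnscrypt-proxy address 127.0.0.1@5353, the cache sizes and the trust-anchor path are assumptions to adapt to the host.

```conf
# unbound.conf -- added example, not the poster's configuration.
server:
    # Address Tor (DNSPort) hands queries to, per the thread.
    interface: 127.5.3.53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation: the root key is maintained by unbound-anchor.
    # Path is an assumption; Debian-style layout shown.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    # Leave off: val-permissive-mode would accept data that fails validation.
    val-permissive-mode: no

    # Caching knobs the thread is trading against RAM (sizes are examples).
    msg-cache-size: 32m
    rrset-cache-size: 64m
    cache-min-ttl: 300
    prefetch: yes

    # Required only for the forward-zone variant below: Unbound otherwise
    # refuses to send queries to 127.0.0.0/8.
    do-not-query-localhost: no

# Variant 1 (what the poster runs now): no forward-zone at all, so Unbound
# recurses from the root servers and validates the answers it gets.

# Variant 2 (what 12xBTM was asking about): forward everything to a local
# dnscrypt-proxy, which then carries the query to the chosen upstream.
# Without this stanza nothing reaches dnscrypt-proxy. Unbound still
# validates DNSSEC on the forwarded answers; the upstream must pass
# through RRSIG/DNSKEY records for that to succeed.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353   # assumed dnscrypt-proxy listen address
```

Pick one variant: with Variant 2 present, the `name: "."` zone overrides recursion for the whole namespace, so the authoritative-query behaviour from Variant 1 no longer applies.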
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays