[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] DNS-over-TLS and DNSPrivacy.org (was: lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare))

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] DNS-over-TLS and DNSPrivacy.org (was: lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare))
From: "Santiago R.R." <santiagorr@xxxxxxxxxx>
Date: Fri, 18 May 2018 10:28:43 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 18 May 2018 04:29:01 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1526632126; bh=jVXzsExvHnkYze4rde4NmF4LzRUJAFQZuaP2PsAmU7I=; h=Date:From:To:Subject:References:In-Reply-To:From; b=PS1+tM1r1r0z2iz4MV5swy6h2YmL5TPAPTQ+V8t5koDTkda6IIO+IxrnfBE3VyCXl pQ6sswNR3lrHajhsE3UDSByxgVyiN40CA/e3u1k8Dxpo5NyhKTfUCQBBfEOaODM9Vr kdcEfageWocc1H8HcluWGW8j6BhF7OIxL1Q0DAuM=
In-reply-to: <db7014f9-de8b-e057-b245-7b7e33a0b416@monksofcool.net>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <5e7d99ef-9514-cee4-985f-7f1d4a21dfec@riseup.net> <a518aa08-871d-afaf-819f-6e4bee01fb20@enn.lu> <57c450a9-90f4-ac97-4eca-f414df642c0d@riseup.net> <A79DAC1C-64AD-444C-851D-805350A5199B@lunorian.is> <db7014f9-de8b-e057-b245-7b7e33a0b416@monksofcool.net>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

El 11/05/18 a las 14:52, Ralph Seichter escribió:
> On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> 
> > My first thought is to use ISP DNS if it’s available - one of the best
> > things about Tor is the split of trust so why aren’t we doing that
> > with DNS? Another alternative is to use trusted recursive DNSCrypt
> > Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> > like this so use a search engine of your choice to find them).
> 
> Assuming you can install whatever software you like, I recommend running
> your own instance of Unbound on your exit node machines. Current Unbound
> versions support DNSSEC validation, QNAME minimisation, etc. While using
> your ISP's resolvers works as a fallback, a local resolver is better and
> easy enough to set up.

The inconvenient with running a "standard" local resolver from the
exit relays is the queries are forwarded in clear. So ISP and others
could inspect them.

I think I already mentioned about DNS-over-TLS in this list, so sorry for
duplicating a message, but I think it is a good alternative to encrypt the
queries, even if that means relying on third parties (that can be
different to Quad9, Cloudflare, etc.) as resolvers. 

I think https://dnsprivacy.org material worth a reading. The project
also provides a list of several test resolvers available. Some of them
do not log or censor traffic: 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Disclaimer: I am part of the team who runs one of the no-logging test
servers. 

And of course, anyone can run a privacy-aware DNS resolver in a
different machine, to be used to forward the queries from the relays
from a privacy-aware stub resolver, such as stubby.

cheers,

Santiago

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
  - From: nusenu
- Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
  - From: Tyler Durden
- Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
  - From: nusenu
- Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
  - From: Nathaniel Suchy (Lunorian)
- Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
  - From: Ralph Seichter

Prev by Author: Re: [tor-relays] Info about Provider Scaleway and cheap "ARM server"
Next by Author: Re: [tor-relays] Problem with MyFamily config (doesn't work correctly)
Previous by thread: Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
Next by thread: Re: [tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
Index(es):
- Author
- Thread