[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] DNS-over-TLS and DNSPrivacy.org (was: lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare))



El 11/05/18 a las 14:52, Ralph Seichter escribió:
> On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> 
> > My first thought is to use ISP DNS if it’s available - one of the best
> > things about Tor is the split of trust so why aren’t we doing that
> > with DNS? Another alternative is to use trusted recursive DNSCrypt
> > Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> > like this so use a search engine of your choice to find them).
> 
> Assuming you can install whatever software you like, I recommend running
> your own instance of Unbound on your exit node machines. Current Unbound
> versions support DNSSEC validation, QNAME minimisation, etc. While using
> your ISP's resolvers works as a fallback, a local resolver is better and
> easy enough to set up.

The inconvenient with running a "standard" local resolver from the
exit relays is the queries are forwarded in clear. So ISP and others
could inspect them.

I think I already mentioned about DNS-over-TLS in this list, so sorry for
duplicating a message, but I think it is a good alternative to encrypt the
queries, even if that means relying on third parties (that can be
different to Quad9, Cloudflare, etc.) as resolvers. 

I think https://dnsprivacy.org material worth a reading. The project
also provides a list of several test resolvers available. Some of them
do not log or censor traffic: 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Disclaimer: I am part of the team who runs one of the no-logging test
servers. 

And of course, anyone can run a privacy-aware DNS resolver in a
different machine, to be used to forward the queries from the relays
from a privacy-aware stub resolver, such as stubby.

cheers,

Santiago

Attachment: signature.asc
Description: PGP signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays