[tor-relays] Unbound (Re: dnsmasq configuration for an exit relay (Debian))
Ralph Seichter
m16+tor at monksofcool.net
Sun Oct 8 10:23:27 UTC 2017
On 08.10.17 11:46, Toralf Förster wrote:
> May I ask why you prefer unbound?
The OP was concerned that dnsmasq "could introduce vulnerabilities if
not handled properly, because it provides more than just local DNS
cache". In contrast, Unbound has a single purpose(*), and I found it to
be a reliable, low-impact combination with my Tor nodes -- especially on
nodes with scant resources -- that needs very little config data and was
designed with security in mind.
I did not mean to say Unbound is the only choice, just that I strongly
prefer it over dnsmasq. For my authoritative nameservers I use BIND, but
when a resolver suffices, as is the case for Tor nodes, I use Unbound.
-Ralph
(*) http://info.menandmice.com/blog/bid/37244/10-Reasons-to-use-Unbound-DNS
is one example blog about Unbound. The DNSSEC config can be much simpler
though, when using auto-trust-anchor-file.