[tor-relays] unbound and DNS-over-TLS (dnsmasq configuration for an exit relay (Debian))
Santiago R.R.
santiagorr at riseup.net
Mon Oct 9 08:16:20 UTC 2017
On 09/10/17 at 09:32, Ralph Seichter wrote:
> On 08.10.2017 23:05, Santiago R.R. wrote:
>
> > I would also suggest to use DNS-over-TLS, so (exit) relays could be
> > able to encrypt their queries to a privacy-aware DNS resolver [...]
>
> I like SSL for the resulting cost increase in listening to a connection.
AFAIU, some recursive implementations already support TCP fast open
(RFC7413) to reduce the cost of opening a connection.
They also pipeline to send multiple queries over a single TCP
connection.
> However, the Unbound documentation states:
>
> ssl-upstream: <yes or no> Enabled (sic) or disable whether the
> upstream queries use SSL only for transport. Default is no. Useful
> in tunneling scenarios.
>
> Do you have any data on the percentage of queries that fail with SSL
> *only* because upstream nameservers don't support SSL? I imagine the
> majority of servers don't support it (my own authoritative nameservers
> among them).
No, I don't. And I suppose you're right, the majority of upstream
nameservers don't support it. Related RFCs are quite recent, so it's not
surprising.
My stubby resolver works well, and I haven't noticed any issues querying
external domains.
> Also, manually adding forward-zone entries implies trusting specific
> servers beyond the regular root zone servers, which rubs me the wrong
> way.
Yes, indeed. I trust the people running the relays I listed.
And there is also DNSSEC, where available.
-- Santiago
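To make the two options discussed above concrete, here is an Unbound configuration that forwards every query over TLS to a chosen resolver instead of talking to authoritative servers directly. It is an added example, not from the original thread or the Unbound project; the forwarder addresses are placeholders, not the relays mentioned above.

```conf
# /etc/unbound/unbound.conf.d/dot-forward.conf (example, not from the thread)
server:
    # ssl-upstream applies to *all* upstream queries. With no forward-zone,
    # Unbound would try TLS against the authoritative servers as well, and
    # queries to the majority that do not offer it would fail.
    ssl-upstream: yes
    # Keep DNSSEC validation on; the forwarder is trusted for transport
    # privacy, not for answer integrity.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Send everything (the "." zone) to DNS-over-TLS resolvers on port 853,
# so no query ever reaches an authoritative server in the clear.
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853    # placeholder (RFC 5737 address)
    forward-addr: 2001:db8::53@853  # placeholder (RFC 3849 address)
```

Run `unbound-checkconf` after installing the file; note that with this 2017-era option set Unbound encrypts the transport but does not verify the forwarder's certificate, so the forwarder must be chosen on trust, as the thread points out.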