[tor-relays] DNS Server

Rose rosethorn at riseup.net
Wed Jan 23 08:01:03 UTC 2019


Adversaries can already see what IP addresses you are connecting to;
even though they can't see your DNS queries, they can easily just do a
reverse DNS lookup on the IP addresses you connect to, to find out what
you were doing.

On 23/01/19 2:32 PM, dns1983 at riseup.net wrote:
> In the threat model that I worry about, DNS is part of the problem. If
> a malicious entity can put together DNS data with other big data, it can
> increase its power and become a more dangerous threat.
> 
> But as I said, I lack many networking notions.
> 
> Anyway, I find the solutions you proposed to me very satisfying. Thank
> you very much.
> 
> Cheers
> 
> Ale
> 
> On 23/01/19 00:42, eric gisse wrote:
>> This is what I do:
>>
>> My tor exit node runs on its own, but I have a full caching bind
>> server on a different VM. This services some domains I run, with ACLs
>> to do regular DNS.
>>
>> I use the following DNS servers:
>>
>> 2606:4700:4700::1111 -- Cloudflare
>> 2001:1608:10:25::1c04:b12f -- https://dns.watch/
>> 2600::1 -- Sprint
>>
>> No individual DNS provider inspires me with amazing confidence,
>> however the caching server turns my bind instance into a pretty
>> solidly constructed one.
>>
>> 1) I don't really think v6 snooping/monitoring is "there yet". Thin
>> gruel, but still.
>> 2) DNS doesn't go out the same stack in the case of v4 requests and
>> doesn't go out the same ip for v6. Sure, you can associate to within
>> the same /64 but that's just more effort any attacker would have to
>> do.
>> 3) I cache a LOT.
>>
>> Check out these nameserver cache statistics:
>>
>> services /var/log/named # grep -i cache stats
>> ++ Cache Statistics ++
>> [View: internal (Cache: internal)]
>>            251588520 cache hits
>>               452018 cache misses
>>             50306019 cache hits (from query)
>>             63441802 cache misses (from query)
>>
>> I cache a LOT.
>>
>> Think of your threat model - what are you worried about? Is DNS really
>> your concern?
>>
>> On Tue, Jan 22, 2019 at 2:53 AM <dns1983 at riseup.net> wrote:
>>> Hello,
>>>
>>> I'm a student, so I lack many networking notions.
>>>
>>> Which are the most privacy-reliable public DNS servers? I don't exactly know how to choose a third-party DNS server. I read that Cloudflare's servers are audited by third parties, but I'm not sure that I can trust that. Do you think that audit is trustworthy?
>>>
>>> Thanks
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
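As an added illustration (not code from the thread, from BIND, or from any of the posters), here is a small parser for the `cache hits` / `cache misses` lines that eric gisse grepped out of named's statistics file. It turns those counters into the number a relay operator actually cares about: the share of client-driven lookups that missed the cache and therefore had to leave the box, which is the share an observer sitting between the resolver and its upstream servers could see. The sample statistics text is constructed here in the same layout as the quoted output, reusing the counter values from the thread; the counter semantics (plain vs. "from query") are as BIND reports them.

```python
import re

# Constructed sample in the layout of named's statistics dump; the counter
# values mirror the ones quoted in the thread, but the text itself is ours.
SAMPLE_STATS = """\
++ Cache Statistics ++
[View: internal (Cache: internal)]
           251588520 cache hits
              452018 cache misses
            50306019 cache hits (from query)
            63441802 cache misses (from query)
"""

# One counter per line: "<count> cache hits" / "<count> cache misses",
# optionally suffixed with "(from query)" for lookups driven by client queries.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+cache (hits|misses)( \(from query\))?\s*$")


def parse_cache_stats(text):
    """Return the four cache counters from a BIND statistics dump.

    Keys: 'hits', 'misses', 'query_hits', 'query_misses'. Counters missing
    from the text are reported as 0 so the ratios below stay defined. If the
    dump contains several views, the last view's counters win; split the
    text on the "[View: ...]" lines first if you need per-view numbers.
    """
    counters = {"hits": 0, "misses": 0, "query_hits": 0, "query_misses": 0}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        value, kind, from_query = int(m.group(1)), m.group(2), m.group(3)
        key = ("query_" if from_query else "") + kind
        counters[key] = value
    return counters


def cache_hit_ratio(counters):
    """Share of all internal cache lookups that were answered from cache."""
    total = counters["hits"] + counters["misses"]
    if total == 0:
        return 0.0  # nothing looked up yet; avoid a division by zero
    return counters["hits"] / total


def upstream_visible_fraction(counters):
    """Share of client-driven lookups that missed the cache.

    Every such miss is a name the resolver had to ask for outside its own
    cache (forwarded or recursed), i.e. a lookup that someone watching the
    resolver's upstream traffic could observe. Lower is better for privacy.
    """
    total = counters["query_hits"] + counters["query_misses"]
    if total == 0:
        return 0.0  # no client queries yet; avoid a division by zero
    return counters["query_misses"] / total


if __name__ == "__main__":
    c = parse_cache_stats(SAMPLE_STATS)
    print("cache hit ratio (all lookups):      %.4f" % cache_hit_ratio(c))
    print("client lookups that went upstream:  %.4f" % upstream_visible_fraction(c))
```

Run it against a real dump with `rndc stats` followed by `parse_cache_stats(open("/var/log/named/stats").read())` (the file location is whatever your `statistics-file` option points at). With the thread's numbers the resolver answers over 99% of its internal lookups from cache, but only about 44% of client queries are fully satisfied from it; the remaining 56% still produce upstream traffic, which is the figure to weigh against "I cache a LOT" when deciding whether caching alone addresses the DNS part of the threat model.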

