Bright Star, thank you for your elaborate explanation!

On Sep 10, 2013, at 09:45 , Bry8 Star wrote:
> Set your Recursive/caching DNS-Server portion in BIND to listen on
> 127.0.0.1:53, And set your machine's Network adapter's DNS-Server
> settings to use only 127.0.0.1 as your DNS-Server, then all local
> software can use your own DNS-Server, running on 127.0.0.1 ip-address.


That is how I have configured BIND now. I use the registrars' DNS server to 
resolve my exit nodes' name, so I don't have to expose port 53 publicly.

> Best is to turn off any logging/recording in BIND/unbound dns
> software, unless you are troubleshooting something.

I have logging enabled because I am seeing a lot of these in /var/log/syslog:

Sep  8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep  8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep  8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep  8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53

Are that many errors to be expected when operating a Tor exit (and thus 
resolving a lot of unusual domain names)? Once someone can reassure me this is 
"normal", I will disable logging.

Moreover, I noticed a lot of weird upper/lowercase variants, like 
"wwW.eXAmPLe.CoM". Domain names are case-insensitive, but the original spelling 
is forwarded through all resolvers, so this would enable adversaries to do some 
tracking/tracing if people have misconfigured their Tor client and suffer DNS 
leakage. May I suggest that Tor converts all domain names to lowercase before 
trying to resolve them?

// Yoriz

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
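The message above asks whether the volume of lame-server, connection-refused, REFUSED and DNSSEC-validation errors is "normal" for an exit, and notes the mixed-case query names. Before turning logging off, an operator would want to quantify both rather than eyeball syslog. The script below is an added example, not code from the original message, from Tor or from BIND: it parses the four kinds of named resolver diagnostics quoted in the message, normalises the query names, and summarises the errors by kind, by upstream server and by mixed-case spelling. The sample log lines are constructed to match the quoted format (the 198.51.100.7 and 192.0.2.9 addresses and the sshd line are invented filler from documentation address ranges), and the regular expressions are an assumption about the exact message text; adjust them if your BIND version words these lines differently.

```python
"""Classify BIND resolver diagnostics from syslog.

Added example (not part of the original message, Tor or BIND): parse the
named messages quoted in the thread, normalise the query names and
summarise by kind, upstream server and mixed-case spelling.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input modelled on the quoted syslog lines. The
# 198.51.100.7 / 192.0.2.9 addresses and the sshd line are invented filler.
SAMPLE_LOG = """\
Sep  8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep  8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep  8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep  8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53
Sep  8 22:14:40 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'wwW.eXAmPLe.CoM/A/IN': 198.51.100.7#53
Sep  8 22:14:41 tor-exit sshd[2201]: Accepted publickey for tor from 192.0.2.9 port 51022
Sep  8 22:14:45 tor-exit named[11467]: lame server resolving 'mail.example.org' (in 'example.org'?): 198.51.100.7#53
"""

# Assumed message formats, taken from the lines quoted in the thread.
LAME_RE = re.compile(
    r"named\[\d+\]: lame server resolving '(?P<name>[^']+)' "
    r"\(in '(?P<zone>[^']+)'\?\): (?P<server>[^#\s]+)#\d+")
ERROR_RE = re.compile(
    r"named\[\d+\]: error \((?P<detail>[^)]+)\) resolving "
    r"'(?P<name>[^'/]+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)': "
    r"(?P<server>[^#\s]+)#\d+")
VALIDATING_RE = re.compile(
    r"named\[\d+\]: validating @0x[0-9a-fA-F]+: "
    r"(?P<name>\S+) (?P<rtype>\S+): (?P<detail>.+?)\s*$")


@dataclass
class ResolverEvent:
    kind: str              # "lame", "error" or "validation"
    name: str              # query name exactly as named logged it
    detail: str            # error text or validation message
    server: Optional[str]  # upstream server IP when named logged one


def normalize_name(name: str) -> str:
    """Canonical form for counting: lower-case, no trailing dot."""
    return name.rstrip(".").lower()


def has_uppercase(name: str) -> bool:
    """True for spellings such as 'wwW.eXAmPLe.CoM'."""
    return any(c.isupper() for c in name)


def parse_line(line: str) -> Optional[ResolverEvent]:
    """Return a ResolverEvent for a named diagnostic, else None."""
    m = LAME_RE.search(line)
    if m:
        return ResolverEvent("lame", m["name"], "lame server", m["server"])
    m = ERROR_RE.search(line)
    if m:
        return ResolverEvent("error", m["name"], m["detail"], m["server"])
    m = VALIDATING_RE.search(line)
    if m:
        return ResolverEvent("validation", m["name"], m["detail"], None)
    return None  # not a named resolver diagnostic (sshd etc.)


def parse_log(text: str) -> List[ResolverEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events: List[ResolverEvent]) -> Dict[str, object]:
    """Counts by kind/detail/server, mixed-case names, distinct names."""
    by_kind = Counter(ev.kind for ev in events)
    by_detail = Counter(ev.detail for ev in events)
    by_server = Counter(ev.server for ev in events if ev.server)
    mixed = sorted({ev.name for ev in events if has_uppercase(ev.name)})
    distinct = {normalize_name(ev.name) for ev in events}
    return {
        "by_kind": dict(by_kind),
        "by_detail": dict(by_detail),
        "by_server": dict(by_server),
        "mixed_case": mixed,
        "distinct_names": len(distinct),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against `journalctl -u named` or `/var/log/syslog` output instead of the sample to get a per-server breakdown: a handful of upstream servers producing most of the REFUSED and lame-server lines points at broken delegations for those zones rather than at anything wrong on the exit, whereas validation failures concentrated on one zone are worth a manual `dig +dnssec` check. One caveat on the mixed-case names: spellings like `wwW.eXAmPLe.CoM` are also exactly what a resolver doing DNS 0x20 case randomisation (for example unbound with `use-caps-for-id: yes`) sends towards authoritative servers, so check whether the case is already present in the query arriving at the exit before attributing it to the client side.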