Here's what I personally recommend:

1. Make sure that /etc/resolv.conf contains 127.0.0.1 only. Ensure you have no 
DNS servers specified in /etc/network/interfaces. This will ensure that all DNS 
traffic will go through dnsmasq.

2. You can start by editing /etc/dnsmasq.conf as follows:

# Only listen on loopback
interface=lo
bind-interfaces

# DNS servers
no-resolv
no-poll
no-hosts
server=8.8.4.4
server=8.26.56.26
server=74.82.42.42
server=64.6.64.6
server=8.8.8.8
server=8.20.247.20
server=64.6.65.6

# Performance
cache-size=10000
dns-forward-max=2048

# No DHCP or TFTP
no-dhcp-interface=1


3. The value of dns-forward-max is just a rough guess for a high-capacity Exit 
relay. Please feel free to tune it.

4. Use ss or netstat to make sure that dnsmasq only opens port 53 on the 
loopback interface (lo, 127.0.0.1) and does not listen on any external network 
interfaces.

5. If you have iptables configured, please make sure you allow traffic to port 
53 from 127.0.0.1.

6. You can find the IP addresses of some public DNS servers here: 
https://www.lifewire.com/free-and-public-dns-servers-2626062.

7. Consider adding any DNS servers that your ISP may provide (ask them).

8. PLEASE exclude any DNS servers that attempt to censor/filter any web 
addresses (such as “Comodo Secure DNS”).

9. I recommend picking DNS servers with the lowest ping latency to your Tor 
relay (i.e. try pinging them manually).

 

Thanks for running a Tor relay!

- Igor
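Steps 1 and 4 above can be scripted as a post-install check. This is an added example, not code from Igor's message or from the tor-relays thread; it assumes the usual column layout of `ss -lntup` (Local Address:Port in the fifth column) and works on constructed sample data rather than a live relay.

```shell
#!/bin/sh
# Added example for steps 1 and 4 of the reply above (not part of the thread).
# Both functions take the text to inspect as their first argument and return
# 0 (pass) or 1 (fail), so they can be used in scripts or as a quick manual check.

# Step 1: every "nameserver" line must point at 127.0.0.1, and there must be
# at least one, otherwise the system would fall back to the ISP's resolvers.
check_resolv_conf() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" { total++; if ($2 != "127.0.0.1") bad++ }
        END { if (total == 0 || bad > 0) exit 1 }'
}

# Step 4: in "ss -lntup" output, every socket owned by dnsmasq must be bound
# to the loopback address (127.0.0.1 or [::1]). Wildcards such as 0.0.0.0:53
# or *:53 mean the resolver is reachable from the network and fail the check.
check_dnsmasq_sockets() {
    printf '%s\n' "$1" | awk '
        /"dnsmasq"/ {
            addr = $5                   # Local Address:Port column
            sub(/:[^:]*$/, "", addr)    # drop the ":port" suffix
            if (addr != "127.0.0.1" && addr != "[::1]") bad++
        }
        END { if (bad > 0) exit 1 }'
}

# Constructed sample of ss output (not captured from a real relay): the first
# two lines are the expected healthy state, the third is a misbound socket.
SAMPLE_OK='udp   UNCONN 0 0  127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=4))
tcp   LISTEN 0 32 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=5))'
SAMPLE_BAD="$SAMPLE_OK
udp   UNCONN 0 0  0.0.0.0:53 0.0.0.0:* users:((\"dnsmasq\",pid=1234,fd=6))"

# Live use on the relay (uncomment on a real host):
# check_resolv_conf "$(cat /etc/resolv.conf)" || echo "resolv.conf: fix needed"
# check_dnsmasq_sockets "$(ss -lntup)" || echo "dnsmasq listens on a non-loopback address"
```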

 

-----Original Message-----
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf Of 
jpmvtd...@laposte.net
Sent: Saturday, October 7, 2017 10:39 AM
To: tor-relays@lists.torproject.org
Subject: [tor-relays] dnsmasq configuration for an exit relay (Debian)

 

Hello,

 

I am looking for instructions on how to configure dnsmasq on a Debian exit 
relay (in order to cache DNS queries).

 

It looks like this package could introduce vulnerabilities if not handled 
properly, because it provides more than just local DNS cache.

 

If I had to install it without any advice, I would do this:

1) Install dnsmasq package with the command  "aptitude install dnsmasq" .

 

2) Make sure that the first line of the file /etc/resolv.conf is  "nameserver 
127.0.0.1"  (see https://wiki.debian.org/HowTo/dnsmasq#Local_Caching ).

 

3) Make sure that the file /etc/dnsmasq.conf contains the line  
"listen-address=127.0.0.1"  (to restrict dnsmasq to the local system).

 

4) Set the cache size to 10000 by adding or editing this line  
"cache-size=10000"  in the file /etc/dnsmasq.conf  (as suggested by Igor 
Mitrofanov here 
https://lists.torproject.org/pipermail/tor-relays/2017-August/012708.html ).

 

5) Reboot (is it necessary?).

Does anyone think that this procedure could start a daemon listening on a port 
of my server? Or is it safe to do this on my exit relay?

 

Regards

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
