On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> My first thought is to use ISP DNS if it’s available - one of the best
> things about Tor is the split of trust so why aren’t we doing that
> with DNS? Another alternative is to use trusted recursive DNSCrypt
> Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> like this so use a search engine of your choice to find them).

Assuming you can install whatever software you like, I recommend running your own instance of Unbound on your exit node machines. Current Unbound versions support DNSSEC validation, QNAME minimisation, etc. While using your ISP's resolvers works as a fallback, a local resolver is better and easy enough to set up.

-Ralph
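
A minimal local Unbound setup of the kind recommended in the reply above, added here as an illustration and not part of the original message or of any Tor or Unbound project documentation. The file locations are assumptions and differ between distributions; the option names are standard unbound.conf settings.

```conf
# /etc/unbound/unbound.conf  (assumed path; varies by distribution)
server:
    # Listen on loopback only, so the resolver serves the exit relay
    # itself and is not reachable as an open resolver from outside.
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # DNSSEC validation: track the root trust anchor (RFC 5011) and
    # treat answers with stripped signatures as bogus.
    # Assumed path; the file must be writable by the unbound user.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes

    # QNAME minimisation: send each upstream name server only the
    # labels it needs, not the full name being resolved.
    qname-minimisation: yes

    # Do not answer id.server / version.bind queries.
    hide-identity: yes
    hide-version: yes

# No forward-zone is defined on purpose: Unbound recurses from the root
# itself, so no single upstream resolver sees every query made by the exit.
```

Check the file with `unbound-checkconf` before restarting the service, then point the machine's `/etc/resolv.conf` at `nameserver 127.0.0.1` so Tor's lookups go through the local resolver.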