Hi, If you run your own BIND/named as an Authoritative DNS-Server for some domain-name that you own, and it is also configured to function as a Recursive DNS-Server for local software (on that computer), and you have enabled DNSSEC (on the recursive side), then that would be better, imho.
Such a Recursive DNS-Server will be slightly slow, as the DNS-Server itself does the query, gets the results and responds to the clients when a domain-name is queried for the 1st time; but any 2nd or later query for the same domain-name will be super fast, as the DNS-Server will use the cached/stored DNS result to provide the response. And DNSSEC-authenticated results are very very very ACCURATE, comparatively much much more genuine/original. The DNS-Server's cache will automatically expire/remove DNS-records, based on the expiry time specified in the TTL rdata value in each DNS-record. If the TTL rdata is not specified, then such a DNS-record will remain in the cache for a longer time.
Set the Recursive/caching DNS-Server portion of BIND to listen on 127.0.0.1:53, and set your machine's network adapter's DNS-Server settings to use only 127.0.0.1 as your DNS-Server; then all local software can use your own DNS-Server, running on the 127.0.0.1 ip-address.
Do not use remote DNS-Servers like Google DNS Servers, as they LOG/RECORD indefinitely. Using your own DNS-Server (mentioned above) is better than using anyone else's DNS-Server. You can use Google's DNS server only when you are using a VM (or physical machine) whose (operating) system you've configured to obtain ALL DNS results by going through the Tor-network. A computer which uses Tor-client or Tor-server software should not use Google DNS, but connecting to Google DNS-Servers via the Tor-network is ok, imho. If you do not use any Tor or other anonymity related software, then using Google-DNS directly is somewhat ok, but still try to avoid it, as they do not respect the user's Privacy (a fundamental) rights.
If you must or want to specify a remote DNS-Server, then see/find OpenNIC based DNS Servers (OpenNIC's website has a feature to list DNS-servers located in various areas and can also filter the result by feature); read the descriptions: some will show they DO NOT LOG/RECORD, some will show they support DNSSEC; use such. You may also see info on other remote Recursive/Caching DNS-Servers from: OARC, CZ.NIC, Swiss Privacy Foundation, German Privacy Foundation e.V., etc. See ref [1].
If you configure your DNS-Server(s) to use TLS/SSL certificate based encryption, or DNSCrypt, for connecting with one or a set of remote DNS-Servers (basically, as long as you are using some type of encryption for the DNS query and result), then someone in the middle cannot see your open DNS packets, and cannot modify/alter them either.
If you use or will use remote DNS-Servers, then you should use an encrypted connection to the DNS-Servers, and you should connect to them via the Tor-network (aka an anonymity supporting network).
DNS2SOCKS, socat and various other tools can allow a machine to use remote DNS servers via the Tor-network (the Tor network is accessed via SOCKS5 support/protocol).
"Unbound" (from NLnet Labs), a fully DNSSEC supporting DNS-Resolver software (and also BIND from ISC), can be configured locally to connect with a DNS2SOCKS, socat, etc. tool based tunnel and connect with remote DNS-Servers by going thru the Tor-network. But your DNS query and result logs/records will remain in the hands of the remote DNS server operators, unless they have declared that they do not Log/Record and are trust-worthy in that matter. Or alternatively, configure the DNS server or resolver software to function as your OWN full Recursive/Caching DNS-Server. Then your own DNS query records/logs will remain with you.
Best is to turn off any logging/recording in the BIND/unbound DNS software, unless you are troubleshooting something.
You must install and configure your DNS-Server or Resolver software to run from inside a Chroot/Jail environment.
-- Bright Star.
[1] https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResol...
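As an added illustration of the setup the message above describes (recursive/caching side only on 127.0.0.1:53 with DNSSEC validation, query logging switched off, the authoritative zone served separately), here is a constructed BIND named.conf fragment. It is not from the original message or from ISC; the directory, the zone name example.com, the zone file name and the public address 192.0.2.10 are placeholders, and the two views are one way to keep recursion restricted to local software while the same named still answers authoritatively for the owned domain.

```conf
// Constructed example named.conf - placeholders, not from the original message.

// Only loopback clients count as "local" (the machine's own software).
acl "local" { 127.0.0.1; ::1; };

options {
    directory "/var/named";                     // placeholder path
    // Loopback for local clients; 192.0.2.10 is a placeholder public address
    // for the authoritative side. Drop it if this host is recursive-only.
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };
    listen-on-v6 { none; };
    version none;                               // do not advertise the BIND version
};

logging {
    // No query logging unless troubleshooting: discard the queries category
    // and everything else that is not explicitly routed.
    category queries { null; };
    category default { null; };
};

// Recursive/caching resolver, reachable only from loopback.
view "internal" {
    match-clients { local; };
    recursion yes;
    allow-recursion { local; };
    allow-query { local; };
    dnssec-validation auto;                     // validate using the built-in root trust anchor
};

// Authoritative-only service for everyone else: no recursion, no open cache.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query { any; };
    zone "example.com" {                        // placeholder zone
        type master;
        file "example.com.zone";                // placeholder zone file
        allow-transfer { none; };               // list secondaries here if you have any
    };
};
```

Check the syntax with `named-checkconf` before (re)starting, and start named with its `-t <dir>` option to chroot into the directory that holds this configuration and the zone data, as the message's last paragraph recommends. Point /etc/resolv.conf (or the adapter's DNS setting) at 127.0.0.1 only, so local software is matched by the "internal" view and gets validated, cached answers.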
Received from Yoriz, on 2013-09-07 11:47 AM:
My VPS hoster has configured DNS as follows:
$ cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
I believe these are Google's DNS servers. Unfortunately, they are somehow unreliable (possibly rate-limited by Google). My tor logs are filled with:
Sep 07 16:37:24.000 [warn] eventdns: All nameservers have failed
Sep 07 16:37:25.000 [notice] eventdns: Nameserver 8.8.8.8:53 is back up
Sep 07 16:37:35.000 [warn] eventdns: All nameservers have failed
Sep 07 16:37:35.000 [notice] eventdns: Nameserver 8.8.4.4:53 is back up
Are there other free, open DNS services that might be more reliable/less rate-limited?
Does Tor use the system DNS configuration? In other words, if I would run a local Bind daemon, would my tor exit use it? Is that bad for the safety of the tor user, as the Bind daemon effectively becomes an audit log of all domains visited by tor users?
// Yoriz
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays