The DNS 9.9.9.9
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
At least is not blocking my exit node IP, simply because it is TOR! Nice.
So far.
Gerry
Hello Gerry,
Dr Gerard Bulger:
The DNS 9.9.9.9
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
At least is not blocking my exit node IP, simply because it is TOR[sic]! Nice.
please do not use filtering DNS servers on your exit relay. Apparently they also offer non-filtering DNS servers.
Using filtering DNS servers might get you the badexit flag https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
Oh sorry, I did not make that clear. My exit is not using the 9.9.9.9 service, of course not, nor would I use anything similar.
I was simply interested to see that my IP address of the Tor server is not being blocked or seen as a rogue IP by the 9.9.9.9 service even though the address is clearly listed as a tor exit on blacklists.
Gerry
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of nusenu
Sent: 22 November 2017 21:10
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Please do not use 9.9.9.9 as your DNS on an exit relay
Hello Gerry,
Dr Gerard Bulger:
The DNS 9.9.9.9
https://www.theregister.co.uk/2017/11/20/quad9_secure_private_dns_resolver/
At least is not blocking my exit node IP, simply because it is TOR[sic]! Nice.
please do not use filtering DNS servers on your exit relay. Apparently they also offer non-filtering DNS servers.
Using filtering DNS servers might get you the badexit flag https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
-- https://mastodon.social/@nusenu twitter: @nusenu_
I wouldn't recommend Quad9 (9.9.9.9) for personal use either.
During some very brief testing I ran into performance issues like 1500 ms response times and UDP timeouts.
Also, via the Global Cyber Alliance, there is quite a bit of partnership with various government entities:
https://www.globalcyberalliance.org/community-partners.html#partner-industri...
This leaves many unanswered questions. What criteria is used to define "malicious" traffic? Who gets to add domains to the blacklist? Etc.
On Wed, Nov 22, 2017, at 15:59, tor wrote:
I wouldn't recommend Quad9 (9.9.9.9) for personal use either.
During some very brief testing I ran into performance issues like 1500 ms response times and UDP timeouts.
Also, via the Global Cyber Alliance, there is quite a bit of partnership with various government entities:
https://www.globalcyberalliance.org/community-partners.html#partner-industri...
This leaves many unanswered questions. What criteria is used to define "malicious" traffic? Who gets to add domains to the blacklist? Etc.
One note, 9.9.9.10 does no filtering, but sadly also doesn't enforce DNSSEC. It has the same privacy policy and similar.
On 11/23/2017 03:10 AM, Dave Warren wrote:
One note, 9.9.9.10 does no filtering, but sadly also doesn't enforce DNSSEC. It has the same privacy policy and similar.
The former is good, the latter not a problem, b/c DNSSEC validation has to be made by the client nevertheless.
I do personally use 9.9.9.10 together with dnsmasq (which does the DNSSEC job) at my desktop b/c I couldn't get DNSSEC working with the DNS servers of my ADSL provider here in Hamburg.
-- Toralf PGP C4EACDDE 0076E94E
On 2017-11-23 11:23, Toralf Förster wrote:
On 11/23/2017 03:10 AM, Dave Warren wrote:
One note, 9.9.9.10 does no filtering, but sadly also doesn't enforce DNSSEC. It has the same privacy policy and similar.
The former is good, the latter not a problem, b/c DNSSEC validation has to be made by the client nevertheless.
In theory, sure. But for users who don't understand DNSSEC and use an OS that doesn't do this for them, having the server block DNSSEC failures is better than nothing.
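Added example, not part of any message in this thread: one way to check whether a resolver enforces DNSSEC is to send it a DO-bit query for a validly signed name and for a deliberately mis-signed test name, then compare RCODE and the AD flag. The two names are left to the operator (an assumption), and the sample replies are constructed headers, not captures.

```python
import socket
import struct

AD, RD, SERVFAIL = 0x0020, 0x0100, 2   # header flag bits (RFC 1035/4035) and RCODE

def build_query(name, qid=0x1234):
    """A-record query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 1)   # 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload 1232, TTL flags DO=0x8000, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(resp):
    """Extract the fields that matter for the validation check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"rcode": flags & 0x000F, "ad": bool(flags & AD), "answers": ancount}

def classify(signed_resp, bogus_resp):
    """signed_resp: reply for a validly signed name; bogus_resp: reply for a mis-signed one."""
    good, bad = parse_header(signed_resp), parse_header(bogus_resp)
    if good["rcode"] == 0 and good["ad"] and bad["rcode"] == SERVFAIL:
        return "validating"          # server vouches for good data, refuses bogus data
    if bad["rcode"] == 0 and bad["answers"] > 0 and not good["ad"]:
        return "not validating"      # bogus data is passed through to the client
    return "inconclusive"            # e.g. SERVFAIL on both: outage, not validation

def ask(resolver, name, timeout=3.0):
    """Live UDP lookup; not called on import so the example runs offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recv(4096)

def sample_header(flags, ancount):
    """Constructed 12-byte reply header standing in for a captured response."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)

# Constructed samples: (reply for signed name, reply for mis-signed name)
VALIDATING = (sample_header(0x81A0, 1), sample_header(0x8182, 0))  # AD set / SERVFAIL
PLAIN = (sample_header(0x8180, 1), sample_header(0x8180, 1))       # NOERROR, no AD, both

if __name__ == "__main__":
    print(classify(*VALIDATING), "|", classify(*PLAIN))
```

Against a live resolver, pass the two `ask()` results to `classify()`; a stub resolver that does its own validation, such as the dnsmasq setup described above, makes the upstream result matter less.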
2017-11-23 18:23 GMT+00:00 Toralf Förster toralf.foerster@gmx.de:
On 11/23/2017 03:10 AM, Dave Warren wrote:
One note, 9.9.9.10 does no filtering, but sadly also doesn't enforce DNSSEC. It has the same privacy policy and similar.
The former is good, the latter not a problem, b/c DNSSEC validation has to be made by the client nevertheless.
I do personally use 9.9.9.10 together with dnsmasq (which does the DNSSEC job) at my desktop b/c I couldn't get DNSSEC working with the DNS servers of my ADSL provider here in Hamburg.
Toralf PGP C4EACDDE 0076E94E
I wrote something kinda related to this thread to help a few friends; w.i.p. https://openbsd-br.org/pub/egypcio/debian-unbound-socat-tor.sh
you are invited to read the code before running/testing. feel free to modify, or w/e.
SHA256 (debian-unbound-socat-tor.sh) 23a74b162af7b219827c84be669083a4595d6fee15c585ac73ce10d17cece9b5
-- Vinícius Zavam keybase.io/egypcio/key.asc