Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Paul Wouters
Tue Jul 26 06:41:30 CEST 2011

On Tue, 26 Jul 2011, Anders Sundman wrote:

> Indeed, I am trying to set up a sane DNS resolution strategy for tor.
>> Try this unbound patch, and set unbound to use tcp only in unbound.conf
>> using
>> do-udp:no and do-tcp:yes.
> I've tried your patch (using yes/yes as suggested in a later mail).  It
> seems to be working just fine.  Unbound is resolving all types over tcp
> through tor, with and without dnssec.  Perfect!


> I'm tempted to drop ttdnsd.  It has served me well (thanks Jake), but
> it's always nice to get rid of complexity.  But, before doing so I have
> to ponder what it's implications will be on anonymity.  It's not obvious
> to me that using unbound tcp over tor is any more or less anonymous than
> using the tor resolution.
> That might be a discussion best suited for another (tor) mailing list
> though.

Note that unbound's behaviour can be easily changed using its python
module. For instance, TTLs could be changed randomly or capped, to
improve anonymity. But indeed, take it up with the tor people.

The easiest integration would be to configure unbound with a forwarder
for XXX where XXX would lead into a tor virtual circuit to google's open
resolver (that supports dnssec). tor could frequently change the exit
node without unbound needing to know its routing changed.

Wouter: could the patch be stuck into a configurable option? :)
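The TTL capping and randomising that the reply above mentions as a use of unbound's python module, written out as an added example (it is not code from this thread or from NLnet Labs). The hook names (init, deinit, inform_super, operate, the MODULE_EVENT_* and MODULE_* constants, qstate.return_msg.rep.ttl, invalidateQueryInCache, storeQueryInCache, log_err) are the ones unbound's pythonmod interface defines at load time; the policy itself, the values TTL_CAP, TTL_JITTER and TTL_FLOOR, and the helper rewrite_ttl are my assumptions.

```python
"""Added example: an unbound python-module script that caps and jitters
the TTL of every response before it is cached, so the cache does not
expose exact upstream fetch times or long-lived entries to a local
observer.  Policy values below are assumptions, not unbound defaults."""
import random

TTL_CAP = 300     # assumed: never cache an answer longer than 5 minutes
TTL_JITTER = 60   # assumed: shave a random 0..60 s off the capped TTL
TTL_FLOOR = 5     # assumed: keep entries usable for at least 5 s


def rewrite_ttl(ttl, cap=TTL_CAP, jitter=TTL_JITTER, floor=TTL_FLOOR,
                rng=random):
    """Return the TTL unbound should cache a response under.

    The upstream TTL is capped, then reduced by a random amount in
    [0, jitter], then clamped to `floor`.  Passing a seeded `rng`
    (e.g. random.Random(1)) makes the result reproducible for tests.
    """
    if ttl < 0:
        raise ValueError("TTL must be non-negative")
    capped = min(ttl, cap)
    jittered = capped - rng.randint(0, jitter)
    return max(floor, jittered)


# ---- unbound pythonmod hooks; the MODULE_* names and helper functions
# ---- are injected into this module's globals by unbound when loaded.
def init(id, cfg):
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        # Hand the query to the next module in module-config (the
        # iterator) and wait until it has produced an answer.
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        if qstate.return_msg:
            rep = qstate.return_msg.rep
            rep.ttl = rewrite_ttl(rep.ttl)
            # The iterator may already have cached the original reply;
            # drop that entry and store the rewritten one instead.
            invalidateQueryInCache(qstate, qstate.return_msg.qinfo)
            qstate.no_cache_store = 0
            storeQueryInCache(qstate, qstate.return_msg.qinfo, rep, 0)
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("ttlcap: unexpected event %s" % event)
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

To load it, unbound.conf needs the python module in the chain (`module-config: "validator python iterator"`) and a `python:` section with `python-script:` pointing at the file; this is independent of the do-udp/do-tcp settings discussed in the thread. Note that rewriting rep.ttl changes only what this resolver caches: the TTL seen by upstream, and hence by the tor exit, is unchanged.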