Maintained by: NLnet Labs

[Unbound-users] unbound + tor

ml at ruggedinbox.com
Wed Aug 13 20:45:13 CEST 2014


Hi, we are trying to figure out the best way to handle DNS requests to 
both clearnet and Tor onionland,
while still having MX lookups working, in order to correctly send emails 
to clearnet hosts.

Currently we are using just Tor, configured as transparent proxy and DNS 
resolver.
This is nice because all DNS requests are done through Tor,
but MX lookups will fail, and for an email provider service, this is a 
show stopper.

Various online resources suggest to use Tor only to resolve onion 
addresses
and Unbound for all the rest,
but we are having difficulties in configuring Unbound.

This is Debian 7 (wheezy)
and the configuration we are talking about should be something like 
this:


# cat /etc/unbound/unbound.conf

server:
     # The following line will configure unbound to perform cryptographic
     # DNSSEC validation using the root trust anchor.
     auto-trust-anchor-file: "/var/lib/unbound/root.key"
     tcp-upstream: yes
     do-udp: no

domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no

forward-zone:
     name: "onion"
     forward-addr: 127.0.0.1@54



54 is the Tor DNS resolver port.
As you see, we are not Unbound experts, and this configuration does not 
work.

Can you please supply a minimal Unbound configuration, that accepts DNS 
queries only from localhost
and that routes .onion requests to Tor on port 54?


Thanks for this great project and wish you great holidays!
RuggedInbox team
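
A configuration of the kind requested above, as an added example that is not part of the original post and not an NLnet Labs reference configuration. It assumes Tor runs on the same host with `DNSPort 54` and `AutomapHostsOnResolve 1` in its torrc, and reuses the trust anchor path from the post; all other names resolve directly (not through Tor), which is what lets MX lookups succeed.

```conf
# /etc/unbound/unbound.conf (added example; port 54 and paths taken from the post)
server:
    # Listen on loopback only and refuse every non-local client.
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow

    # DNSSEC validation for clearnet names, as in the posted configuration.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Keep UDP enabled. Tor's DNSPort answers over UDP only, so the posted
    # "do-udp: no" and "tcp-upstream: yes" prevent the onion forward from
    # ever getting a reply.
    do-udp: yes
    do-tcp: yes

    # By default Unbound will not send queries to 127.0.0.0/8; the Tor
    # resolver lives there, so that protection has to be switched off.
    do-not-query-localhost: no

    # .onion has no DNSSEC chain of trust; do not validate it.
    domain-insecure: "onion"
    # Permit private-range addresses in answers for .onion names
    # (only matters if private-address: is configured).
    private-domain: "onion"

    # Assumption: only needed on Unbound releases that ship "onion." as a
    # built-in local zone answering NXDOMAIN; it removes that default so
    # the forward-zone below is actually used.
    local-zone: "onion." nodefault

# Everything under .onion goes to Tor's DNSPort; nothing else does.
forward-zone:
    name: "onion."
    forward-addr: 127.0.0.1@54
```

Run `unbound-checkconf /etc/unbound/unbound.conf` before restarting the daemon to catch syntax errors.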