On 06/19/2016 09:59 PM, pa011 wrote:
> Or are there better working solutions?

I do have only 127.0.0.1 set in my resolv.conf and do use dnsmasq together with strict DNSSEC. Works like a charm and DNSSEC is really a good thing IMO. The configuration is straightforward:

# grep -v -e '#' -e'^$' /etc/dnsmasq.conf
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
no-resolv
server=<snip>
server=<snip>
server=<snip>
server=<snip>
server=<snip>
server=<snip>
cache-size=10000

Furthermore it reduces the load to upstream DNS servers by 1/3:

# pkill -SIGUSR1 dnsmasq; sleep 1; tail /var/log/messages | grep dnsmasq
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: time 1466367289
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: cache size 10000, 91142/4075150 cache insertions re-used unexpired cache entries.
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: queries forwarded 1665387, queries answered locally 695441
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: DNSSEC memory in use 174384, max 311808, allocated 999984

-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
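
Added example, not part of the original post: a shell function that reads a SIGUSR1 statistics dump like the one quoted above and reports the share of queries answered locally and the share of cache insertions that pushed out a still-valid entry. The function names are hypothetical, and the syslog line format is assumed to match the lines in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# The statistics lines from the post, embedded so the example runs offline.
sample_log() {
cat <<'EOF'
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: time 1466367289
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: cache size 10000, 91142/4075150 cache insertions re-used unexpired cache entries.
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: queries forwarded 1665387, queries answered locally 695441
Jun 19 22:14:49 ms-magpie dnsmasq[1442]: DNSSEC memory in use 174384, max 311808, allocated 999984
EOF
}

# Read syslog lines on stdin and summarise the last statistics dump found.
# Assumes the line format shown in the post.
dnsmasq_cache_stats() {
    awk '
        /dnsmasq\[[0-9]+\]: queries forwarded/ {
            for (i = 1; i < NF; i++) {
                if ($i == "forwarded") { fwd = $(i + 1); sub(/,$/, "", fwd) }
                if ($i == "locally")   { loc = $(i + 1) }
            }
            seen = 1
        }
        /dnsmasq\[[0-9]+\]: cache size/ {
            # "R/I": R insertions pushed out a still-valid entry, out of I total.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\/[0-9]+$/) { split($i, p, "/"); evicted = p[1]; ins = p[2] }
        }
        END {
            if (!seen || fwd + loc == 0) exit 1   # no usable dump in the input
            printf "forwarded=%d local=%d local_pct=%.1f ", fwd, loc, 100 * loc / (fwd + loc)
            printf "evicted=%d insertions=%d evicted_pct=%.1f\n", evicted, ins, (ins + 0 > 0 ? 100 * evicted / ins : 0)
        }
    ' || { echo "no dnsmasq statistics found" >&2; return 1; }
}

sample_log | dnsmasq_cache_stats
```

A rising evicted_pct means live entries are being pushed out to make room, which is the signal that a larger cache-size may help.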