From 8d5ded3bf6b2365cf106cc580103f815aaf1fe5a Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Fri, 1 Oct 2021 22:34:35 +0200
Subject: [PATCH] remove unnecessary dnsmasq proxy between bind9/tor
---
README.md | 4 ++--
etc/bind/named.conf.options | 5 +++--
etc/dnsmasq.d/custom | 6 ------
install_binaries.sh | 2 +-
4 files changed, 6 insertions(+), 11 deletions(-)
delete mode 100644 etc/dnsmasq.d/custom
diff --git a/README.md b/README.md
index 2cc39d9..a052dfe 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ The configuration was tested with a standard Debian buster and Ubuntu 18.04 LTS
 Uninstall packages that may interfere with this setup:
 ```
-DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* resolvconf eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
+DEBIAN_FRONTEND=noninteractive apt-get purge -y apache2* dnsmasq* eatmydata exim4* imagemagick-6-common mysql-client* mysql-server* nginx* libnginx-mod* php7* resolvconf && systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
 ```
 If you have problems resolving hostnames after this step, temporarily switch to a public nameserver like 1.1.1.1 (from CloudFlare) or 8.8.8.8 (from Google)
@@ -40,7 +40,7 @@ deb tor://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian
 Copy (and modify according to your needs) the site files in `var/www` to `/var/www`, `usr/local` to `/usr/local` and the configuration files in `etc` to `/etc` after installation has finished. Then restart some services:
 ```
-systemctl daemon-reload && systemctl restart bind9.service && systemctl restart dnsmasq.service && systemctl restart tor@default.service
+systemctl daemon-reload && systemctl restart bind9.service && systemctl restart tor@default.service
 ```
 Now there should be an onion domain in `/var/lib/tor/hidden_service/hostname`:
diff --git a/etc/bind/named.conf.options b/etc/bind/named.conf.options
index 40a8c78..fa5c889 100644
--- a/etc/bind/named.conf.options
+++ b/etc/bind/named.conf.options
@@ -20,7 +20,8 @@ options {
 //========================================================================
 dnssec-validation auto;
- listen-on-v6 port 55 { ::1; };
- listen-on port 55 { 127.0.0.1; };
+ listen-on-v6 port 53 { ::1; };
+ listen-on port 53 { 127.0.0.1; };
 recursion yes;
+ validate-except {"onion";};
 };
diff --git a/etc/dnsmasq.d/custom b/etc/dnsmasq.d/custom
deleted file mode 100644
index 5b1e08c..0000000
--- a/etc/dnsmasq.d/custom
+++ /dev/null
@@ -1,6 +0,0 @@
-interface=lo
-server=127.0.0.1#55
-server=/.onion/127.0.0.1#54
-no-resolv
-cache-size=10000
-dnssec
diff --git a/install_binaries.sh b/install_binaries.sh
index 215db34..563b335 100755
--- a/install_binaries.sh
+++ b/install_binaries.sh
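Review bot: `validate-except {"onion";};` only switches DNSSEC validation off for the `onion` zone; nothing in this hunk replaces the `server=/.onion/127.0.0.1#54` rule that the deleted dnsmasq config used to steer `.onion` queries to Tor. Unless `named.conf.local` (not in this diff) carries a matching `zone "onion" { type forward; forward only; forwarders { 127.0.0.1 port 54; }; };`, named will recurse `.onion` names through the public root servers, which RFC 7686 tells resolvers not to do and which leaks the onion addresses this host contacts; `forward only` matters so that a stopped Tor DNSPort fails closed instead of falling back to normal recursion. As far as I know `validate-except` is only understood from BIND 9.14 on, while the README still lists Debian buster and Ubuntu 18.04 (BIND 9.11), where named would reject the option at startup, so the supported releases are worth confirming or updating. A one-line comment above the new option would help the next reader: `// .onion is forwarded to Tor's DNSPort, whose answers are unsigned, so skip validation for it`. The `options { … }` block opens above this hunk.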
@@ -3,7 +3,7 @@ set -e
 # install all required packages
 DEBIAN_FRONTEND=noninteractive apt-get update
-DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 brotli bzip2 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git dnsmasq hardlink haveged iptables libio-socket-ip-perl libsasl2-modules locales locales-all logrotate lsb-release mariadb-server nano postfix postfix-mysql quota quotatool razor redis rsync ssh subversion tor unzip vim wget xz-utils zip zopfli
+DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y apt-transport-tor bash-completion bind9 brotli bzip2 ca-certificates clamav-daemon clamav-freshclam curl dovecot-imapd dovecot-lmtpd dovecot-pop3d git hardlink haveged iptables libio-socket-ip-perl libsasl2-modules locales locales-all logrotate lsb-release mariadb-server nano postfix postfix-mysql quota quotatool razor redis rsync ssh subversion tor unzip vim wget xz-utils zip zopfli
 # build dependencies
 DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y autoconf automake bison cmake g++ gcc ghostscript gnupg `apt-cache search --names-only 'libargon2(-0)?-dev' | awk '{print $1;}' | head -n1` libbrotli-dev libbz2-dev libc-client2007e-dev libcurl4-openssl-dev libde265-dev libdjvulibre-dev libedit-dev `apt-cache search --names-only 'libenchant(-2)?-dev' | awk '{print $1;}' | head -n1` libffi-dev `apt-cache search --names-only libfreetype6?-dev | awk '{print $1;}' | head -n1` libfftw3-dev libfribidi-dev libgd-dev libgmp-dev libgpg-error-dev libgpgme-dev libharfbuzz-dev libkrb5-dev libldap2-dev liblmdb-dev liblqr-1-0-dev libmariadb-dev libonig-dev libopenexr-dev libopenjp2-7-dev libpango1.0-dev libpcre3-dev libpng-dev libpspell-dev libqdbm-dev libraqm-dev libraw-dev libreadline-dev librsvg2-dev libsasl2-dev libsodium-dev libsqlite3-dev libssl-dev libsystemd-dev libtidy-dev libtool libwebp-dev libwmf-dev 
libx265-dev libxml2-dev libxpm-dev libxslt1-dev libzip-dev libzstd-dev make poppler-utils ragel re2c yasm zlib1g-dev
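Review bot: Dropping `dnsmasq` from the install line does not remove it from hosts that were set up with the previous revision of this script, and the deleted `etc/dnsmasq.d/custom` bound it to the loopback interface, so on such a host restarting bind9 with the new `listen-on port 53` would most likely fail because 127.0.0.1:53 is still held by dnsmasq. The purge command in the README is written for fresh installs, so either add `DEBIAN_FRONTEND=noninteractive apt-get purge -y 'dnsmasq*'` before the first install line (quoted so the glob reaches apt rather than being expanded against the current directory) or add a comment here pointing upgraders at the manual purge step. The rest of the script, including the `set -e` line in the hunk header, lies outside this hunk.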