# Exit Relay Configuration

This setup process includes installing the Anon client using the APT repository, configuring the client as an Exit, adding an Exit Notice, setting up firewall rules and guidelines on how to achieve Double-reverse DNS.

{% hint style="danger" %}
It is important to understand that running an Exit relay requires more maintenance and security awareness than a Middle relay. Read our [Exit Guidelines](https://docs.anyone.io/relay/guidelines/exit-guidelines) before installing an Exit Relay. It is recommended to **never** host an Exit relay at home or on other private premises.
{% endhint %}

### Install using the `apt` repository

```sh
. /etc/os-release
wget -qO- https://deb.en.anyone.tech/anon.asc | sudo tee /etc/apt/trusted.gpg.d/anon.asc
echo "deb [signed-by=/etc/apt/trusted.gpg.d/anon.asc] https://deb.en.anyone.tech anon-live-$VERSION_CODENAME main" | sudo tee /etc/apt/sources.list.d/anon.list
```

### Fully upgrade the system

```sh
sudo apt-get update
sudo apt-get upgrade
```

### Install anon

```sh
sudo apt-get install anon
```

### Configure anonrc

Edit the anon configuration:

{% code fullWidth="false" %}

```sh
sudo nano /etc/anon/anonrc
```

{% endcode %}

Use the template below, replace the `ContactInfo` value with a non-personal mail address and change `Nickname` to your liking.

```
Nickname ExitRelayName
ContactInfo email@me.com
Log notice file /var/log/anon/notices.log
ORPort 9001
SocksPort 0
ExitRelay 1
IPv6Exit 0
DirPort 80
DirPortFrontPage /etc/anon/anyone-exit-notice.html
ReevaluateExitPolicy 1
ExitPolicy reject *:25
ExitPolicy reject *:587
ExitPolicy reject *:465
ExitPolicy reject *:2525
ExitPolicy reject *:3389
ExitPolicy reject *:23
ExitPolicy reject *:3128
ExitPolicy reject *:5900
ExitPolicy reject *:9999
```
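As an added sanity check (not part of the page or the Anon project), the script below parses `ExitPolicy` lines in the format used above and reports, with first-match semantics, whether a destination port is accepted or rejected, including address-scoped rules and port ranges that the template itself does not use. It assumes, as a simplification, that traffic matching no rule is accepted, since the template only contains reject lines.

```python
import ipaddress
import re

# Constructed copy of the ExitPolicy lines from the template above.
TEMPLATE = """\
ExitPolicy reject *:25
ExitPolicy reject *:587
ExitPolicy reject *:465
ExitPolicy reject *:2525
ExitPolicy reject *:3389
ExitPolicy reject *:23
ExitPolicy reject *:3128
ExitPolicy reject *:5900
ExitPolicy reject *:9999
"""
RULE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+(\S+):(\*|\d+(?:-\d+)?)$")

def parse_policy(text):
    """Parse lines into (action, network, lo, hi); network is None for '*', else an IPv4 address/CIDR."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable ExitPolicy line: {line!r}")
        action, addr, port = m.groups()
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in: {line!r}")
        rules.append((action, net, lo, hi))
    return rules

def decide(rules, port, dest="0.0.0.0", default="accept"):
    """First match wins (Tor-style); `default` is the assumed outcome when no rule matches."""
    ip = ipaddress.ip_address(dest)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return action
    return default

RULES = parse_policy(TEMPLATE)
```

Run `decide(RULES, 25)` or `decide(RULES, 443)` to confirm that mail ports are rejected while ordinary web traffic is still allowed before restarting the service.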

### Download the Anyone Exit Notice

```sh
sudo curl -fsSL -o /etc/anon/anyone-exit-notice.html https://raw.githubusercontent.com/anyone-protocol/anon-install/refs/heads/main/html/anyone-exit-notice.html
```

### Add a non-personal mail address to the Exit Notice

Edit line 101 of `anyone-exit-notice.html` and replace the placeholder value `EMAIL_ADDRESS` with a non-personal mail address at which you can receive and respond to abuse complaints.

```sh
sudo nano +101 /etc/anon/anyone-exit-notice.html
```

### Restart anon service to apply anon configuration

```sh
sudo systemctl restart anon
```

If you make further changes to the `anyone-exit-notice.html` file, reload the anon service to apply them:

```sh
sudo systemctl reload anon
```

### Apply firewall rules

This example assumes default ports are used for ORPort (`9001`), SSH (`22`) and HTTP (`80`). Change these values from the example if needed.

```sh
sudo apt-get install ufw
sudo ufw allow 9001
sudo ufw allow 80
sudo ufw limit 22
sudo ufw enable
```

### Double-reverse DNS

It is **highly recommended** that you set up valid Double-reverse DNS, also known as a "double reverse lookup": a reverse DNS lookup performed on the result of a forward DNS lookup, with both results expected to agree. This is typically done to add legitimacy to the identity of a remote system. To achieve this, two DNS records, **PTR** and **A**, need to be configured for the IP address.

{% hint style="info" %}

* **Pointer Record (PTR)**: Also called **Reverse DNS**, a PTR record maps an IP address to a domain name. It is commonly used in reverse DNS lookups to verify the authenticity of the sender's domain, adds another layer of legitimacy when accessing services, and makes it easier for the destination to evaluate the source.
* **Address Record (A):** The most commonly used DNS record, linking a domain name to an IP address so that devices can find and connect to websites and servers on the internet.

{% endhint %}

For example, if you have a domain name like `example.com` with an IP address of 192.0.2.1, a double-reverse DNS lookup would involve:

**Pointer Record (PTR)**

```
Reverse lookup: Resolving 192.0.2.1 to example.com.
```

**Address Record (A)**

```
Forward lookup: Resolving example.com to 192.0.2.1.
```

### How do I achieve Double-reverse DNS?

As mentioned above, the two DNS records that need to be configured are **A** and **PTR**. For the exact steps, refer to your provider's documentation.

Mind that multiple Exit IP addresses must **not** share identical DNS records, so adding an index number per Exit, like `anyone-exit-1.example.com`, is a suggestion.

**Pointer Record (PTR)**

If the Exit Relay is hosted at a cloud provider, the control panel of the VPS usually offers a way to configure a PTR record for your Exit IP. This setting may also be referred to as Reverse DNS, rDNS, Reverse mapping and similar names.

**Address Record (A)**

**Here's a simplified breakdown:**

1. **Acquire a domain name:** Choose a domain registrar (e.g., GoDaddy, Namecheap). Search for a domain name and purchase it.
2. **Manage DNS Settings:** Log in to your domain registrar's account. Go to the DNS management section.
3. **Create an A Record:** Add a new A record for your domain. Set the Hostname (e.g., `anyone-exit-1.example.com`). Enter the Public IP address of your Exit relay and save the record.

{% hint style="warning" %}
DNS changes can take between 24 and 48 hours to fully propagate across the internet. However, it can sometimes be much quicker for simple DNS changes, or longer, especially for complex DNS configurations or in specific regions.
{% endhint %}
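Once the records have propagated, the check below (an added example, not part of the page or the Anon project) verifies the double-reverse lookup described above for each Exit IP, and also flags Exits whose PTR names are not distinct, as the section on multiple Exit IP addresses requires. The lookup functions are injectable so the constructed records in the 192.0.2.0/24 documentation range can be exercised offline; the defaults query the system resolver.

```python
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver: IP -> hostname, or None if no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """A lookup via the system resolver: hostname -> set of IPv4 addresses."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def check_double_reverse(ip, reverse=system_reverse, forward=system_forward):
    """True only if the PTR of `ip` names a host whose A records contain `ip` again."""
    name = reverse(ip)
    if name is None:
        return False, f"{ip}: no PTR record"
    addrs = forward(name)
    if ip not in addrs:
        return False, f"{ip}: PTR -> {name}, but its A records are {sorted(addrs) or 'none'}"
    return True, f"{ip}: PTR -> {name} -> A {ip} (forward-confirmed)"

def check_exits(ips, reverse=system_reverse, forward=system_forward):
    """Check each Exit IP and fail every Exit whose PTR name is shared with another."""
    results = {ip: check_double_reverse(ip, reverse, forward) for ip in ips}
    owners = {}
    for ip in ips:
        name = reverse(ip)
        if name:
            owners.setdefault(name, []).append(ip)
    for name, group in owners.items():
        if len(group) > 1:
            for ip in group:
                results[ip] = (False, f"{ip}: PTR {name} is shared by {group}")
    return results

# Constructed records for an offline run (192.0.2.0/24 is reserved for documentation).
SAMPLE_PTR = {"192.0.2.1": "anyone-exit-1.example.com",
              "192.0.2.2": "anyone-exit-2.example.com",   # its A record points elsewhere
              "192.0.2.3": "anyone-exit-1.example.com"}   # reuses exit 1's name
SAMPLE_A = {"anyone-exit-1.example.com": {"192.0.2.1"},
            "anyone-exit-2.example.com": {"192.0.2.9"}}

def sample_reverse(ip): return SAMPLE_PTR.get(ip)
def sample_forward(name): return SAMPLE_A.get(name, set())
```

Call `check_exits(["<your exit IP>"])` with the defaults to test real records; every entry must come back `True` before the relay is considered properly set up.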
