Looks good, although it’s generally better to not use Hetzner (or other hosting provider) DNS resolvers. Hetzner specifically already has a large amount of potential influence over the Tor network, so it’s better to not give them even more insight into the Tor network’s DNS queries.
I’d say: either resolve the requests yourself (which is easy to do) or use a combination of some external (DoH, DoT, DoQ) DNS services with better privacy protections, such as Applied-Privacy (at the cost of latency). When DNS records are cached, most queries will be handled from cache anyway (lowering average latency considerably). You could even increase minTTL to like 300 seconds to combat those crappy <60s TTLs to increase cache hit rate even more.
About firewalls: it’s not mandatory or anything, but a basic firewall can filter some DoS traffic here and there so that it doesn’t reach the Tor processes (which is often more costly in terms of CPU cycles and memory consumption). If you want to have a basic firewall:
- Make sure to have a rule to not lock yourself out from SSH. And make sure to have a rule that allows you to connect to the SSH server (e.g. by allowing your home/management IP on port 22).
- Often UDP isn’t necessary for running Tor, so you can probably block it completely.
- It’s important to allow established connections, to allow incoming TCP traffic to your relay’s IP(s)/port(s) and for relays to be able to connect externally (outgoing) to other relays (for guard/middle) and the general internet (for exit) as well.
I don’t use Linux or UFW, but looking at the documentation it should be something like the following:
```
ufw default deny incoming
ufw default allow outgoing
ufw allow in proto tcp from $MANAGEMENT_IP to any port 22
ufw allow in proto tcp to any port $RELAY_PORT
ufw enable
```
This doesn’t block outgoing UDP traffic, but I must say, UFW lives up to its name with such easy syntax ;). Perhaps some Linux users with a better understanding of UFW can chime in for some better/more specific ruleset. Also do note that firewalling all traffic will use resources as well. If you have some CPU and memory headroom, then you probably don’t have to worry about this with a few relays though.
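As an added example (not the poster’s own ruleset), here is a small POSIX shell script that emits a reviewable UFW ruleset for a relay host along the lines described above, and additionally blocks outgoing UDP while keeping the two exceptions a relay usually still needs: DNS for a local recursive resolver and NTP for clock sync. The management IP, relay port and the assumption that the management host has an IPv4 address are placeholders for this example.

```bash
#!/bin/sh
# Added example, not from the original post. Prints the ufw commands instead of
# running them, so the ruleset can be checked before it is applied as root.
# MANAGEMENT_IP (IPv4 assumed) and RELAY_PORT are this example's assumptions.

# Dotted-quad check: a typo in the management address is how operators lock
# themselves out of SSH, so refuse anything that does not look like IPv4.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Port must be a plain number in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the ruleset. UFW allows RELATED/ESTABLISHED traffic in its built-in
# before.rules, so no explicit "established" rule is needed here.
tor_ufw_rules() {
    mgmt_ip="$1"
    relay_port="$2"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
# SSH only from the management address
ufw allow in proto tcp from ${mgmt_ip} to any port 22
# ORPort reachable from anywhere (add DirPort the same way if you run one)
ufw allow in proto tcp to any port ${relay_port}
# Tor itself needs no UDP; keep DNS (local recursive resolver talking to
# authoritative servers) and NTP (the relay needs an accurate clock), drop the rest
ufw allow out proto udp to any port 53
ufw allow out proto udp to any port 123
ufw deny out proto udp
ufw enable
EOF
}

if [ $# -eq 2 ]; then
    is_ipv4 "$1" || { echo "management IP must be dotted-quad IPv4" >&2; exit 2; }
    is_port "$2" || { echo "relay port must be 1-65535" >&2; exit 2; }
    tor_ufw_rules "$1" "$2"
fi
```

Run it as `sh tor-ufw.sh 203.0.113.10 9001`, read the output, and only then pipe it to `sudo sh`.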