<div dir="ltr">No outbound filters, this is my config:<div><br><div><i>*filter</i></div><div><i>:INPUT ACCEPT [0:0]</i></div><div><i>:FORWARD ACCEPT [0:0]</i></div><div><i>:OUTPUT ACCEPT [0:0]</i></div><div><i>-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT</i></div><div><i>-A INPUT -p icmp -j ACCEPT</i></div><div><i>-A INPUT -i lo -j ACCEPT</i></div><div><i>-A INPUT -p tcp -m comment --comment "SSH" -s x.x.x.x -m state --state NEW -m tcp --dport 22 -j ACCEPT</i></div><div><i>-A INPUT -p tcp -m comment --comment "Tor" -m state --state NEW -m tcp --dport 80 -j ACCEPT</i></div><div><i>-A INPUT -p tcp -m comment --comment "Tor" -m state --state NEW -m tcp --dport 443 -j ACCEPT</i></div><div><i>-A INPUT -j REJECT --reject-with icmp-host-prohibited</i></div><div><i>-A FORWARD -j REJECT --reject-with icmp-host-prohibited</i></div><div><i>COMMIT</i></div></div><div><i><br></i></div><div>If I stop tor then "dig @<a href="http://127.0.0.1">127.0.0.1</a> <a href="http://google.com">google.com</a>" works 100%. It's seems like the pattern is that when tor traffic builds up so do DNS failures. And then my dig @<a href="http://127.0.0.1">127.0.0.1</a> only succeeds about 0.1% of the time. At this stage large amounts these errors start appearing:</div><div><br></div><div><i><span style="color:rgb(33,33,33)">> Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address isĀ </span><span style="color:rgb(33,33,33)">192.42.93.30 port 53</span><br style="color:rgb(33,33,33)"><span style="color:rgb(33,33,33)">> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: OperationĀ </span><span style="color:rgb(33,33,33)">not permitted</span><br style="color:rgb(33,33,33)"></i></div><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">Quintin</span></div><div><span style="color:rgb(33,33,33)"><br></span></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Jan 18, 2018 at 12:42 PM nusenu <<a href="mailto:nusenu-lists@riseup.net">nusenu-lists@riseup.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><tor-admin@portaltodark.world> wrote:<br>
> Resent under the correct alias.<br>
><br>
> I'm having high amounts of failures on this VPS (PulseServers). I run a<br>
> local unbound instance, and see an incredible amount of:<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation<br>
> not permitted<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is<br>
> 198.97.190.53 port 53<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation<br>
> not permitted<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is<br>
> 192.42.93.30 port 53<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation<br>
> not permitted<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is<br>
> 192.35.51.30 port 53<br>
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation<br>
> not permitted<br>
><br>
> To give proportion to "incredible amount",<br>
> Jan 17 19:21:32 torexit rsyslogd: imjournal: 9897 messages lost due to<br>
> rate-limiting<br>
> Jan 17 19:22:02 torexit journal: Suppressed 1216 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:22:32 torexit journal: Suppressed 1209 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:23:02 torexit journal: Suppressed 1827 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:23:32 torexit journal: Suppressed 2333 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:24:02 torexit journal: Suppressed 3029 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:24:32 torexit journal: Suppressed 2822 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:25:02 torexit journal: Suppressed 2715 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:25:32 torexit journal: Suppressed 3166 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:26:02 torexit journal: Suppressed 4093 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:26:32 torexit journal: Suppressed 45878 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:27:02 torexit journal: Suppressed 30125 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:27:32 torexit journal: Suppressed 31764 messages from<br>
> /system.slice/unbound.service<br>
> Jan 17 19:28:02 torexit journal: Suppressed 31229 messages from<br>
> /system.slice/unbound.service<br>
><br>
> Could it be limits from the VPS provider on the amount of outbound udp/53<br>
> connections?<br>
<br>
To me this looks more like a local problem?<br>
Are you doing any packet filtering on the host (outbound)?<br>
<br>
Does DNS work on that host if you try manual queries?<br>
<br>
>From the IPs in your logs I assume your unbound is configured to query<br>
recursively itself (no upstream forwarding) that is good, can you confirm that<br>
and provide your unbound config + iptalbes -vnL?<br>
<br>
<br>
--<br>
<a href="https://mastodon.social/@nusenu" rel="noreferrer" target="_blank">https://mastodon.social/@nusenu</a><br>
twitter: @nusenu_<br>
<br>
</blockquote></div></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font color="#000000" face="monospace"><span style="font-size:10.5625px">0101100101000001010010000101011101000101010010000010000001000010</span></font></div><div><font color="#000000" face="monospace"><span style="font-size:10.5625px">0100110001000101010100110101001100100000010110010100111101010101</span></font></div></div></div>