Hi,
We will shortly be decommissioning the server that ran TorDNSEL and Tor Check until now. The TorDNSEL software will be replaced on the new server with software we will be able to more easily maintain going forward. Service operators using the Tor Exit List service may need to take action to avoid service interruption; details are contained later in this post.
## For exit relay operators:
The primary change that comes with the new software is that exit policies are no longer considered when deciding if an IP address is to be included in the list. If we have observed an exit relay using an IP address through our active measurements, this will be listed as an exit relay in the new service regardless of the exit policy.
For exit relay operators that also route their own traffic via their exit relay's IP address and have exit policies specifically to deny access to services that block Tor traffic, such that those services will allow you to connect without Tor, this will no longer work. We recommend using a dedicated IP address for your exit relay. That allows your ISP to more easily recognize that abuse complaints and DMCA notices can be forwarded to you to be quickly responded to with a boilerplate response, as opposed to cutting off your Internet access or providing your personal information to the copyright cartels.
## For service operators:
Depending on how you obtain exit address information, you may need to take action to avoid service interruption. If you are using CollecTor or Onionoo, these interfaces will remain unchanged and are already compatible with the new setup. If you are using the DNS exit list service or the bulk exit list exporter then you may need to make changes.
### DNS exit list
The good news is that this service now behaves closer to a typical DNS-based list service and so it may be easier to integrate into your use-case now, and no longer require a custom implementation.
The old DNS exit list would have lookups that look like: <reverse client ip>.<server port>.<reverse server ip>.ip-port.exitlist.torproject.org
For services that are accessed via multiple IP addresses, e.g. IRC networks with multiple servers or websites behind load balancers, this leads to service operators needing to perform multiple lookups in order to have confidence that an IP address is not an exit relay. Instead, services can now use this simplified service: <reverse client ip>.dnsel.torproject.org, just like other DNS list services (https://en.wikipedia.org/wiki/Domain_Name_System-based_Blackhole_List).
If a client IP address is a Tor exit relay, the service will return with an A record of 127.0.0.2. You'll also be able to look up a TXT record with the fingerprint of the relay to learn more about the individual relay. Note that some IP addresses are shared between multiple exit relays; they will still only have one A record but may have multiple TXT records, one for each fingerprint. If an IP address is not known in the Tor network, the response will contain an NXDOMAIN (no such domain) status.
For example:
------------------------------------------------------------------------
$ dig +noall +comments +answer 199.72.247.162.dnsel.torproject.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46707
199.72.247.162.dnsel.torproject.org. 1080 IN A 127.0.0.2
------------------------------------------------------------------------
$ dig +noall +comments +answer 199.72.247.162.dnsel.torproject.org txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29451
199.72.247.162.dnsel.torproject.org. 1095 IN TXT "B34CC9056250847D1980F08285B01CF0B718C0B6"
------------------------------------------------------------------------
dig +noall +comments +answer 198.81.40.188.dnsel.torproject.org txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2678
------------------------------------------------------------------------
*The old DNS exit list service will be turned off on the 1st April 2020. Please ensure you have updated to the new service before this time.*
### Bulk exit list changes
The bulk exit list exporter also used to consider exit policies, but will now return all exit relay IP addresses regardless of the query made. You should not need to make any modifications if you are using this service but you may find that you can remove some complexity from your client if you were filtering by service before. You can fetch a list of all exit IP addresses seen from:
https://check.torproject.org/torbulkexitlist
This list is updated at most once every 40 minutes depending on the number of exit relays in the network at the time, so fetching it every hour would be reasonable.
Thanks, Iain.
tor-project@lists.torproject.org
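
The new DNS exit list lookup described in the post, as an added example that is not part of the original message or of the Tor Project's code. The function names, the three-way result (listed, not listed, lookup failed) and the refusal of IPv6 input are assumptions of this sketch; `sample_lookup` is a constructed stand-in resolver that mirrors the `dig` output shown above so the logic runs offline.

```python
import ipaddress
import socket

DNSEL_ZONE = "dnsel.torproject.org"  # zone named in the post
EXIT_ANSWER = "127.0.0.2"            # A record the post says marks an exit relay


def dnsel_qname(client_ip):
    """Build <reverse client ip>.dnsel.torproject.org for an IPv4 address."""
    addr = ipaddress.ip_address(client_ip)  # raises ValueError on junk input
    if addr.version != 4:
        # Assumption: the post only shows the IPv4 form, so refuse IPv6.
        raise ValueError("only the IPv4 query form is described in the post")
    return ".".join(reversed(str(addr).split("."))) + "." + DNSEL_ZONE


def system_lookup(qname):
    """A lookup through the OS resolver; [] means the name has no A record."""
    try:
        infos = socket.getaddrinfo(qname, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []  # NXDOMAIN or no A record: not known as an exit
        raise          # timeout, server failure, ...: not an answer
    return sorted({info[4][0] for info in infos})


def is_tor_exit(client_ip, lookup=system_lookup):
    """True = listed, False = not listed, None = lookup failed (unknown)."""
    try:
        answers = lookup(dnsel_qname(client_ip))
    except OSError:
        return None  # caller decides whether to fail open or closed
    return EXIT_ANSWER in answers


# Constructed stand-in resolver mirroring the dig output in the post.
SAMPLE_ZONE = {"199.72.247.162.dnsel.torproject.org": ["127.0.0.2"]}


def sample_lookup(qname):
    return SAMPLE_ZONE.get(qname, [])


if __name__ == "__main__":
    for ip in ("162.247.72.199", "188.40.81.198"):
        print(ip, is_tor_exit(ip, lookup=sample_lookup))
```

Keeping a resolver failure distinct from NXDOMAIN matters for access-control decisions: a DNS outage should not silently be read as "not a Tor exit".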