Changes to the Tor Exit List service - tor-project

9 Mar 2020


      Hi,
We will shortly be decommissioning the server that ran TorDNSEL and Tor
Check until now. The TorDNSEL software will be replaced on the new
server with software we will be able to more easily maintain going
forward. Service operators using the Tor Exit List service may need to
take action to avoid service interruption, details are contained later
in this post.
## For exit relay operators:
The primary change that comes with the new software is that exit
policies are no longer considered when deciding if an IP address is to
be included in the list. If we have observed an exit relay using an IP
address through our active measurements, this will be listed as an exit
relay in the new service regardless of the exit policy.
For exit relay operators that also route their own traffic via their
exit relay's IP address and have exit policies specifically to deny
access to services that block Tor traffic, such that those services will
allow you to connect without Tor, this will no longer work. We recommend
using a dedicated IP address for your exit relay. That allows your ISP
to more easily recognize that abuse complaints and DMCA notices can be
forwarded to you to be quickly responded to with a boilerplate response,
as opposed to cutting off your Internet access or providing your
personal information to the copyright cartels.
## For service operators:
Depending on how you obtain exit address information, you may need to
take action to avoid service interruption. If you are using CollecTor or
Onionoo, these interfaces will remain unchanged and are already
compatible with the new setup. If you are using the DNS exit list
service or the bulk exit list exporter then you may need to make changes.
### DNS exit list
The good news is that this service now behaves closer to a typical
DNS-based list service and so it may be easier to integrate into your
use-case now, and no longer require a custom implementation.
The old DNS exit list would have lookups that look like: <reverse client
ip>.<server port>.<reverse server ip>.ip-port.exitlist.torproject.org
For services that are accessed via multiple IP addresses, e.g. IRC
networks with multiple servers or websites behind load balancers, this
leads to service operators needing to perform multiple lookups in order
to have confidence that an IP address is not an exit relay. Instead,
services can now use this simplified service: <reverse client
ip>.dnsel.torproject.org, just like other DNS list services
(https://en.wikipedia.org/wiki/Domain_Name_System-based_Blackhole_List ).
If a client IP address is a Tor exit relay, the service will return with
an A record of 127.0.0.2. You'll also be able to look up a TXT record
with the fingerprint of the relay to learn more about the individual
relay. Note that some IP addresses are shared between multiple exit
relays, they will still only have one A record but may have multiple TXT
records, one for each fingerprint. If an IP address is not known in the
Tor network, the response will contain a NXDOMAIN (no such domain) status.
For example:
------------------------------------------------------------------------
$ dig +noall +comments +answer 199.72.247.162.dnsel.torproject.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46707
199.72.247.162.dnsel.torproject.org. 1080 IN A        127.0.0.2
------------------------------------------------------------------------
$ dig +noall +comments +answer 199.72.247.162.dnsel.torproject.org txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29451
199.72.247.162.dnsel.torproject.org. 1095 IN TXT
"B34CC9056250847D1980F08285B01CF0B718C0B6"
------------------------------------------------------------------------
dig +noall +comments +answer 198.81.40.188.dnsel.torproject.org txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2678
------------------------------------------------------------------------
*The old DNS exit list service will be turned off on the 1st April 2020.
Please ensure you have updated to the new service before this time.*
### Bulk exit list changes
The bulk exit list exporter also used to consider exit policies, but
will now return all exit relay IP addresses regardless of the query
made. You should not need to make any modifications if you are using
this service but you may find that you can remove some complexity from
your client if you were filtering by service before. You can fetch a
list of all exit IP addresses seen from:
https://check.torproject.org/torbulkexitlist
This list is updated at most once every 40 minutes depending on the
number of exit relays in the network at the time, fetching it every hour
would be reasonable.
Thanks,
Iain.