Hi!

forest-relay-contact--- via tor-relays:
Hello.
I contacted an exit operator who had BadExit flags on the same host that I run an exit on and we discussed possible reasons for this. Eventually, we jointly set up a new relay on that host and I configured it exactly as I had configured my own relay, and it still obtained the BadExit flag. So far, these are the exact steps I took to configure it:
- Unbound is configured to use a second, clean IPv4
- sysctls are tweaked to ensure conntrack does not drop connections
- torrc is configured with safe, sensible exit defaults
And it still obtained a BadExit flag. We had discussed whether there was a possibility that his family was "tainted" and somehow the BadExit flag was being applied to new exits on his relay family, but starting up a new relay unrelated to his did not help. We tried disabling Unbound and instead using a popular upstream DNS resolver, but that did not prevent a BadExit from being issued either.
What other troubleshooting steps are suggested? The provider does not censor or block anything, and I have been successfully running an exit on their infrastructure for more than a month, but when he sets one up, even if he configures it identically to the way I configure mine, it receives a BadExit flag within a matter of days.
The criteria for issuing the BadExit flag do not seem very clear. Since it is not a flag intended to be issued to malicious exits, I would like to understand the exact criteria for being issued a BadExit, beyond the vague explanations that I can find on the GitLab. Note that I am only asking about the automated flag, not about the (potentially sensitive) policies behind determining whether or not a relay is malicious and should be manually excluded from the consensus.
You did not provide a fingerprint, so it's a bit hard to talk about the specific case and maybe that's fine for your purposes anyway.

There are two ways this flag can show up. The first one is when it is explicitly requested. Nowadays, this often happens when we find exit relays with DNS resolution issues, which seems to be an easily fixable misconfiguration. The second one is when the relay is supposed to be in a middleonly position as providing a BadExit flag was a convenient method to cover the "do-not-use-the-relay-at-an-exit-position"-part in that scenario.

You can see the differences between both mentioned above on relay-search as the second case has a middleonly flag symbol in the flags column as well.

Not sure if that answers your question, but I hope.

Georg
Regards, forest