
That was my bug report, thanks for the quick turnaround on that one :3

My problem was that my infrastructure, including that tor exit node, is puppetized. But a problem with that resulted in dhcp blitzing /etc/resolv.conf and I kept putting in google dns out of sheer muscle memory and I simply forgot to put it back.

It is pretty easy. This is the relevant configuration snippet from my puppet manifest:

    # setup internal DNS cache / resolver
    include bind
    bind::server::conf { '/etc/bind/named.conf':
      directory         => '/etc/bind',
      listen_on_addr    => [ 'any' ],
      listen_on_v6_addr => [ 'any' ],
      forwarders        => [ '2001:4860:4860::8844', '2001:1608:10:25::1c04:b12f', '2600::1' ],
      allow_query       => [ 'any' ],
      statistics_file   => '/etc/bind/named.stats',
      recursion         => 'yes',
      extra_options     => {
        'forward'       => 'only',
        'auth-nxdomain' => 'no',
      }
    }

+ some other symlinks to account for the fact this isn't a RHEL box like the module implicitly assumes. I even have DNSSEC query validation set up, as the forwarders seem to support it.

Now I have named caching again. For those who are unclear, it helps a LOT. From rndc stats:

    ++ Cache Statistics ++
    [View: default]
    53446329 cache hits
    5246190 cache misses
    15049168 cache hits (from query)
    3044495 cache misses (from query)

The exit node in question sits between 10 and 20mb/s continuously, and goes through a crazy amount of traffic. Something like 50T last month. I even threw on a squid proxy on regular http and that's caching something like 5-10% of all requests and overall http bandwidth.

Where it gets interesting is now that I've moved all of my DNS traffic into a native ipv6 stack (outside of v4 local queries), I can say that all the udp traffic I get is not legitimate/requested. Which is looking to be a lot of traffic. I got dinged with a nice udp DDoS the other day, and now it's even more clear about what traffic is bad on tcpdump.

On Thu, Jan 8, 2015 at 9:04 AM, Nick Mathewson <nickm@freehaven.net> wrote:
Hi, all!
While looking into a bug report, I noticed that an exit node was using one of Google's well-known public DNS servers for its own DNS server.
No disrespect to the operators of Google's fine public DNS service, but my sense is that using it for a Tor exit node might not be the greatest idea for users' privacy, having one DNS provider that gets to see so many requests. It's probably a better idea to have your own local caching DNS server.
Would anybody like to share a guide about how to set one of those up safely and migrate correctly?
best wishes,
--
Nick

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
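The failure described in the reply above is resolv.conf drifting back to an off-box resolver after a DHCP client rewrites it. As an added example (not code from either poster or from the Tor project), here is a small check that flags any nameserver that is neither loopback nor on a constructed allow-list, so the drift shows up in monitoring instead of going unnoticed; the allow-list and the sample resolv.conf contents are assumptions.

```python
"""Flag /etc/resolv.conf entries that send a relay's DNS traffic off-box.

Added example for this thread, not from the original posters. The allow-list
below is constructed; put your own local resolver addresses there.
"""
import ipaddress

# Constructed allow-list: the local caching resolver on loopback only.
ALLOWED_RESOLVERS = {"127.0.0.1", "::1"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def find_foreign_resolvers(resolv_conf_text, allowed=ALLOWED_RESOLVERS):
    """Return nameservers that are neither loopback nor in the allow-list.

    Addresses that do not parse are reported too, so a typo cannot hide a leak.
    """
    allowed_addrs = {ipaddress.ip_address(a) for a in allowed}
    foreign = []
    for ns in parse_nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            foreign.append(ns)
            continue
        if not (addr.is_loopback or addr in allowed_addrs):
            foreign.append(ns)
    return foreign


# Constructed sample: a DHCP client has rewritten the file and a public
# resolver was typed in from muscle memory alongside the local one.
SAMPLE_RESOLV_CONF = """\
# Generated by dhclient
search example.net
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 2001:4860:4860::8844
"""

if __name__ == "__main__":
    leaked = find_foreign_resolvers(SAMPLE_RESOLV_CONF)
    print("off-box resolvers:", ", ".join(leaked) if leaked else "none")
```

Run it from cron or a Puppet exec against the real file and alert on a non-empty result.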