On 18 Aug 2016, at 15:46, Andrew Deason adeason@dson.org wrote:

> On Wed, 17 Aug 2016 12:23:15 +1000 teor teor2345-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>
>> Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
>
> On my exit running unbound, I haven't seen any messages from unbound beyond the startup/shutdown messages for the past several weeks, but maybe I just haven't gotten the right errors. I didn't see anything in the code that looked like logging requested names, but I only took a quick glance. The default verbosity seems kinda low, but of course that's no guarantee.
>
> What kind of resolution errors are you talking about? Plain NXDOMAIN failures, failing to reach nameservers, DNSSEC failed signatures, or anything else?
I'm not sure if NXDOMAIN was showing up in the BIND logs by default or not. But the rest were, as was reducing packet sizes to 512 bytes (BIND's edns-disabled).
> Do you know of any domains handy that could be used to test the relevant failure cases? (e.g. a dns entry that points to an unreachable server, or results in an invalid DNSSEC response, etc.) That would make it easy for exit operators to test what happens and take out some guesswork.

I don't have a record of those domains any more, and I can't turn logging back on. However, any domain which doesn't have name servers, or has broken DNSSEC, was being logged by default by BIND.

I was seeing a few domains logged every few minutes with BIND's default logging, on an exit running at 5 - 10 MBytes per second. So if you're not seeing them in a day of log entries, you're probably safe.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
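The thread describes what BIND logs with no logging configuration at all: lame-server, EDNS-fallback (edns-disabled) and DNSSEC-failure messages, each of which carries the name being resolved. The stanza below is an added example of a named.conf logging block that keeps those categories out of the log; it is not from the thread or from any of the participants, and the category list is an assumption about which BIND 9 categories embed query names on a given version, so check `named -V` and the logging section of the ARM for the version actually deployed.

```conf
// Added example, not from the thread. Without a "logging" block BIND routes
// every category to its built-in default_syslog and default_debug channels,
// which is how the name-bearing lame-server, edns-disabled and DNSSEC lines
// reached syslog on the exit described above.
logging {
    // A channel that discards everything sent to it.
    channel null { null; };

    // Categories whose messages embed the name (and often the query type)
    // being resolved. Assumption: these are the ones that leaked on the
    // BIND version in question; verify against the ARM for your release.
    category lame-servers  { null; };
    category edns-disabled { null; };
    category dnssec        { null; };
    category resolver      { null; };
    category query-errors  { null; };   // BIND >= 9.6

    // Keep startup, shutdown, config and other operational messages.
    category default { default_syslog; };
};
```

After reloading (`rndc reconfig`), apply the check teor suggests: tail the log for a day on a busy exit and confirm that no line contains a client-supplied name; a single broken-DNSSEC or nameserver-less domain should no longer appear.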