Don't use Google's DNS server

I created a new diagram that illustrates the popularity of DNS resolvers used by exit relays. The diagram shows nine autonomous systems that hosted the most popular resolvers at some point over the last months. These autonomous systems are owned by Google, INIT7, LeaseWeb, Visual Online, OVH, OpenDNS, NForce Entertainment, Cyberdyne, and Level3. The x axis shows time and the y axis shows the fraction of DNS requests that the respective AS can observe:

<https://nymity.ch/dns-traffic-correlation/img/exit-resolvers-2015-05.png>

The two most popular setups are Google's 8.8.8.8 and local resolvers, i.e., exit relays doing their own resolution. Occasionally, Google got to see more than 40% of all DNS requests exiting the Tor network. That is concerning, particularly given Google's role in the PRISM program. No other autonomous system is getting even close.

Please refrain from using 8.8.8.8. Instead, set up your own resolver, or at least use the one provided by your ISP. Here's Peter's quick guide on how to set up your own resolvers [1]:

On Thu, Jan 08, 2015 at 04:11:09PM +0100, Peter Palfrader wrote:
> o apt-get install unbound
> o remove all nameserver entries in /etc/resolv.conf and add one for the local recursor. Either manually or use (untested):
>       sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' /etc/resolv.conf
> o prevent anything else from modifying that file ever again:
>       chattr +i /etc/resolv.conf

Note that running your own resolver is not universally safer because the exposure of DNS requests to network adversaries is greater. It's a tricky trade-off that we are currently trying to understand better [2], but increased exposure to network-level adversaries seems less bad than having Google see almost half of all DNS requests.

If you are wondering how I created the above diagram, have a look at the measurement method [3].

[1] <https://lists.torproject.org/pipermail/tor-relays/2015-January/006147.html>
[2] <https://nymity.ch/dns-traffic-correlation/>
[3] <https://lists.torproject.org/pipermail/metrics-team/2016-February/000078.html>

Cheers,
Philipp
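The following script is an added example and is not part of Philipp's or Peter's mail. It turns the two manual steps from Peter's guide into checks that can be run before touching the real file: it reports whether a resolv.conf-style file still lists Google Public DNS, and it writes a rewritten copy that comments out every nameserver line and appends the local recursor, which is what the sed one-liner does in place. The functions take a file path so they can be exercised on a constructed copy; the sample resolv.conf content is constructed, not taken from any provider.

```shell
#!/bin/sh
# Added example, not part of the thread: check a resolv.conf-style file for
# Google Public DNS entries and produce a copy that points at a local recursor.
# Every function takes a file path so it can be tried on a constructed copy
# instead of the real /etc/resolv.conf.

# Print the active nameserver lines that name Google Public DNS
# (8.8.8.8, 8.8.4.4 and their IPv6 counterparts). Exit status 0 if any exist.
uses_google_dns() {
    grep -E '^[[:space:]]*nameserver[[:space:]]+(8\.8\.8\.8|8\.8\.4\.4|2001:4860:4860::8888|2001:4860:4860::8844)[[:space:]]*$' "$1"
}

# Write a copy of "$1" to "$2" in which every nameserver line is commented out
# and a single "nameserver 127.0.0.1" line is appended. This is a portable awk
# equivalent of the GNU sed one-liner in Peter's guide.
localize_resolv_conf() {
    awk '
        /^[ \t]*nameserver[ \t]/ { print "#" $0; next }
        { print }
        END { print "nameserver 127.0.0.1" }
    ' "$1" > "$2"
}

# Print the number of active (uncommented) nameserver lines in "$1".
active_nameservers() {
    grep -cE '^[[:space:]]*nameserver[[:space:]]' "$1" || true
}

# Demonstration on a constructed file shaped like the default resolv.conf that
# many VPS images ship (sample values only).
demo() {
    sample=$(mktemp)
    printf 'search example.invalid\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$sample"
    if uses_google_dns "$sample" > /dev/null; then
        echo "$sample: this relay would resolve through Google Public DNS"
    fi
    localize_resolv_conf "$sample" "$sample.local"
    echo "--- rewritten copy ---"
    cat "$sample.local"
    rm -f "$sample" "$sample.local"
}

demo
```

Run `uses_google_dns /etc/resolv.conf` on a relay to see whether it is affected; if it is, inspect the output of `localize_resolv_conf /etc/resolv.conf /tmp/resolv.conf.local` before copying it into place and applying `chattr +i`, since anything that rewrites the file later (DHCP clients, cloud-init, resolvconf) would otherwise put the provider default back.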

On 05/15/2016 08:37 PM, Philipp Winter wrote:
> Instead, set up your own resolver, or at least use the one provided by your ISP.

Just to double ensure, using a local dnsmasq is one of the possible solutions, right?

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

On Sun, May 15, 2016 at 09:04:53PM +0200, Toralf Förster wrote:
> On 05/15/2016 08:37 PM, Philipp Winter wrote:
> > Instead, set up your own resolver, or at least use the one provided by your ISP.
>
> Just to double ensure, using a local dnsmasq is one of the possible solutions, right?

Dnsmasq is just a DNS forwarder, no? If so, it depends on where it forwards DNS requests to. It might just forward all its requests to Google.

Cheers,
Philipp

On 05/16/2016 03:40 PM, Philipp Winter wrote:
> Dnsmasq is just a DNS forwarder, no?

Well, it has a cache too (but limited to 5000 entries as I learnt yesterday). It uses the resolver defined in /etc/resolv.conf, which does point to my ISP DNS only. But yes, even with 5,000 lines in the cache I do have:

    queries forwarded 143488, queries answered locally 29384

So at a fast exit relay it effectively acts as a forwarder rather than as a resolver.

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

Hey,

The package Unbound can be nice? I'm using it on the LAN... My Unbound set up is using the root.hints, so I think it's always and only speaking with those root DNS servers... But I've read on some tutorials, ISP and others "men-in-the-middle" can intercept DNS queries, and answer to your server... so this solution can't be 100% secure, like any DNS solution.

Here, Unbound is set up to speak only with root DNS servers:

    apt-get install unbound
    cd /etc/unbound

- download the root.hints file:

    wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hints

- generate TLS keys (dnssec):

    unbound-control-setup

- change owner + rights:

    chown unbound:root unbound_*
    chmod 440 unbound_*

- add the line to use root.hints file:

    nano /etc/unbound/unbound.conf
    root-hints: "/etc/unbound/root.hints"

- if you want to check your config file:

    unbound-checkconf /etc/unbound/unbound.conf

- verify in the /etc/resolv.conf file (already said, but always check another time!):

    nameserver 127.0.0.1

I hope this helps, and my configuration is ok?! And I don't know if Unbound is ready for an exit node? (performance) I'm only using it on some little LAN without any issues.
-- Petrusko PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5

On 05/16/2016 05:11 PM, Petrusko wrote:
> But I've read on some tutorials, ISP and others "men-in-the-middle" can intercept DNS queries, and answer to your server... so this solution can't be 100% secure, like any DNS solution.

Not if you're using DNSSEC, but querying DNS root servers is slow. https://www.dnscrypt.org/ can also be useful for preventing interception.

--
Jesse V
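As an added example that is not part of Jesse's mail, here are two checks an exit operator can run on the output of `dig +dnssec <name>` to confirm the point above: which server actually answered the query (i.e. whether it went to the local recursor or still to a remote resolver), and whether that resolver validated the answer, which dig reports as the `ad` (authenticated data) flag in the header. The two dig outputs below are constructed to match dig's layout so that the script runs offline; no query is sent.

```shell
#!/bin/sh
# Added example, not part of the thread: parse "dig +dnssec" output to see
# which resolver answered and whether it validated the answer with DNSSEC.
# The sample outputs below are constructed; nothing here talks to the network.

# Print the address of the server that answered (from the ";; SERVER:" line).
answering_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Exit 0 if the header flags contain "ad" (authenticated data), 1 otherwise.
# A non-validating resolver, or a forwarder in front of one, never sets it.
answer_is_validated() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad
}

# Constructed: what a validating local unbound returns for a signed zone.
VALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    300  IN  A      192.0.2.10
example.com.    300  IN  RRSIG  A 13 2 300 (constructed signature data)
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Constructed: the same query answered by a remote resolver without validation.
UNVALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.    300  IN  A      192.0.2.10
;; SERVER: 8.8.8.8#53(8.8.8.8)'

# Summarise one dig output read from stdin.
report() {
    out=$(cat)
    server=$(printf '%s\n' "$out" | answering_server)
    if printf '%s\n' "$out" | answer_is_validated; then
        echo "answered by $server, DNSSEC-validated"
    else
        echo "answered by $server, NOT validated"
    fi
}

printf '%s\n' "$VALIDATED_SAMPLE" | report
printf '%s\n' "$UNVALIDATED_SAMPLE" | report
```

On a relay, `dig +dnssec example.com | report` (with the functions sourced) gives the live answer. The `ad` flag only says that the resolver which answered did the validation; it carries weight when that resolver is 127.0.0.1 on the relay itself, since an unauthenticated path to a remote resolver could set or strip the flag at will, which is exactly the interception Petrusko asked about.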

Nice software. But you have to trust the public/open DNSCrypt resolvers? Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with DNS root servers, or another DNS resolver you will trust? Humm, the cat chasing its tail.

On 17/05/2016 01:51, Jesse V wrote:
> Not if you're using DNSSEC, but querying DNS root servers is slow. https://www.dnscrypt.org/ can also be useful for preventing interception.

--
Petrusko
PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5

On Tue, 17 May 2016 10:20:24 +0200 Petrusko <petrusko@riseup.net> wrote:
> Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with DNS root servers, or another DNS resolver you will trust?

That's easy enough to do. You can set up BIND, DJBDNS, MaraDNS, or what have you as a resolver, make sure that its notion of the root DNSes is up to date (easy enough to do with a shell script), and set your /etc/resolv.conf file to point to 127.0.0.1.

--
The Doctor [412/724/301/703/415] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

IHOP: The world's largest, most popular goth club.

On Tue, 17 May 2016 10:20:24 +0200 Petrusko <petrusko@riseup.net> wrote:
> Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with DNS root servers, or another DNS resolver you will trust?

A suggestion from my side would be to use the roots of orsn ( https://www.orsn.org/en/ ) instead of the "official" ones. I personally have good experiences with them since 2013.

Best regards!
F

phw released some scan data. If you run an exit and find your relay fingerprint next to a Google AS name on the list linked below you might want to change your DNS server settings. Note this list is based on data from May 2016 (so it does not necessarily represent the current situation). https://gist.githubusercontent.com/nusenu/3b346031a88fb24d0e8b662f3e13697e/r...

On 07/28/2016 07:50 PM, nusenu wrote:
> If you run an exit and find your relay fingerprint next to a Google AS

If only a subset from the whole list is meant it would be helpful to provide an appropriate subset of that file for the purpose of this email (topic) IMO.

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7

I really wish VPS services wouldn't use Google DNS by default. If not for this e-mail, I would have been on Google's DNS for a while before I found out.

Maybe the Tor devs could add a warning if an exit is using Google DNS? Would that be acceptable?

--
Finding information, passing it along.
~SuperSluether

On Thu, Jul 28, 2016 at 2:34 PM, Tristan <supersluether@gmail.com> wrote:
> I really wish VPS services wouldn't use Google DNS by default. If not for this e-mail, I would have been on Google's DNS for a while before I found out.

I actually haven't seen that before, what VPS provider do you use?

--
-ITG (ITechGeek) | ITG@ITechGeek.Com <https://itg.nu/>
https://keybase.io/itechgeek | https://itg.nu/
Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net

Right now I'm using Digital Ocean, but my previous provider experiences Hostwinds and Pulse (OVH) also have Google DNS as the default.

On Thu, Jul 28, 2016 at 1:50 PM, ITechGeek <ITG@itechgeek.com> wrote:
> I actually haven't seen that before, what VPS provider do you use?

--
Finding information, passing it along.
~SuperSluether

On July 28, 2016 2:50:40 PM EDT, ITechGeek <ITG@itechgeek.com> wrote:
> On Thu, Jul 28, 2016 at 2:34 PM, Tristan <supersluether@gmail.com> wrote:
> > I really wish VPS services wouldn't use Google DNS by default.
>
> I actually haven't seen that before, what VPS provider do you use?

Many, many of the super-cheap low end VPS providers (e.g. lowendbox.com) just use Google DNS. Most of these providers are very tor-intolerant, however, and will terminate your server at the first abuse notice.

--Sean

Pulse (OVH) is already over-used in the Tor network, and very tolerant. Hostwinds seemed to be fine with it as long as I responded to abuses quickly. I haven't gotten any abuse on DigitalOcean yet, but they are very clear that YOU are responsible for any and all abuses. Not sure how far they'll go before they terminate you.

On Fri, Jul 29, 2016 at 11:04 AM, Sean Greenslade <sean@seangreenslade.com> wrote:
> Many, many of the super-cheap low end VPS providers (e.g. lowendbox.com) just use Google DNS. Most of these providers are very tor-intolerant, however, and will terminate your server at the first abuse notice.

--
Finding information, passing it along.
~SuperSluether
participants (10)
- cyb3rwr3ck
- ITechGeek
- Jesse V
- nusenu
- Petrusko
- Philipp Winter
- Sean Greenslade
- The Doctor
- Toralf Förster
- Tristan