No attitude or hurt feelings. What's different from my servers compared to others? Probably nothing at all..this is just a hobby of mine. One would think if I wanted to collect information I would just run an exit node myself since I have the resources.
For those that want an alternative no logging DNS: 172.98.193.42
162.248.241.94
For those that don't, No worries at all, we'll be here if you change your mind. :D
Cheers!
-Dennis
https://www.linkedin.com/in/dennis-hannon-52236019/ +1 (585) 735-5996
Hi,
I've realized the meaning of your "anonymous" DNS:
I see you're also running two tor "exits". I write "exit" in inverted commas because you're only allowing port 53 open:
172.98.193.43 corresponds to https://atlas.torproject.org/#details/5E56738E7F97AA81DEEF59AF28494293DFBFCC...
162.248.241.94 does not correspond to a relay.
You also have https://atlas.torproject.org/#details/A5DEC503F0345C6AEB9B268FE0A642BF603192...
It's the same deal. In the latter I suspect this is a "private" resolver or something. Or maybe you just copied your torrc or something.
Either way, this is really cryptic and odd. Opening port 53 only in your exit policy is not beneficial to the Tor network. Why can't you open more ports? I will thus say this: however you're thinking Tor works... it probably doesn't.
Furthermore, I don't think you should be mixing the resolver and the exit in this way. I don't know what the particulars are but it seems like something that would be easy to mis-configure. As a result I think you're putting your users in danger, even if it's not actively intended to be malicious.
Someone else might be concerned with how you've configured this resolver e.g. how does it handle DNSSEC? I don't think it is handling it. That's another topic, though.
Finally: if someone decides to report these to Bad Exits, then I wouldn't blame them, frankly.
Regards
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 08/07/2017 10:53 PM, Dennis Emory Hannon wrote:
> No attitude or hurt feelings. What’s different from my servers compared to others? Probably nothing at all….this is just a hobby of mine. One would think if I wanted to collect information I would just run an exit node myself since I have the resources.
> For those that want an alternative no logging DNS: 172.98.193.42 162.248.241.94
> For those that don’t, No worries at all, we’ll be here if you change your mind. :D
I appreciate that it's a hobby project, and that's fine, but I choose my DNS providers carefully. ORSN, and your servers, probably are secure, but half the battle is the first impression and there are some improvements that could be made.
First, you mentioned privately that your servers do not support DNSSEC. Please also consider adding support for DNSCurve so that DNS lookups are encrypted. Also, HTTPS on all the pages would be a nice first step. https://orsn.org/ returns a self-signed cert. Consider looking into Let's Encrypt as there are now no financial hardships in acquiring a certificate. DNSSEC and/or DNSCurve would also go a long way in convincing Tor exit operators that BackplaneLLC deeply cares about privacy and security.
Finally, as I mentioned privately, as you said that you added yourself to the ORSN Wikipedia article, please cite a source for this edit: https://en.wikipedia.org/w/index.php?title=Open_Root_Server_Network&type...
The current source of this information is http://www.orsn.org/en/tech/pubdns/, which lists backplanellc.com, yet your edit states backplanedns.org, which is an entirely different website. I see that backplanellc.com does link to backplanedns.org and your name is listed in the Contact tab, but neither website uses HTTPS, so I have no way of confirming the accuracy of the information.
As a general comment I try and assume the best of everyone on the mailing list and the worst of everyone in actual practice...
When offering sensitive anonymization services it's best to take the opposite view of yourself. Operate with the best intentions but seriously think about what harm you *could* do because everyone else has to assume you're doing that unless you can provide strong proofs otherwise.
In the case of a single person running DNS service and encouraging exit operators to use them you create a significant single point of failure. Both by possible malicious activity on your part, simple misconfiguration, or just giving external actors an (arguably) more focused place to look.
Just in general "everyone send your traffic through me" is a huge red flag no matter who you are. If Roger Dingledine walked into my office and suggested to my face that all TOR DNS should go through a system I know he controls that sits in my data center I'd take quite a bit of convincing because reputation != strong proof.
So I appreciate your interest in solving a problem and actually take some action, but I'm not surprised it was poorly received. I do encourage you to apply a bit of the technical paranoia this list can supply and see if you can come up with ways to address them. I suspect some are insurmountable in this context, but what fun is it if you only attack surmountable problems?
-Jon
On Mon, Aug 07, 2017 at 10:53:06PM -0400, Dennis Emory Hannon wrote:
:No attitude or hurt feelings. What's different from my servers compared to
:others? Probably nothing at all..this is just a hobby of mine. One would
:think if I wanted to collect information I would just run an exit node
:myself since I have the resources.
:
:For those that want an alternative no logging DNS:
:172.98.193.42
:
:162.248.241.94
:
:For those that don't,
:No worries at all, we'll be here if you change your mind. :D
:
:
:Cheers!
:
:-Dennis
:
:https://www.linkedin.com/in/dennis-hannon-52236019/
:+1 (585) 735-5996
: