exit operators: overall DNS failure rate above 5% - please check your DNS

Dear Exit relay operators,

(you are getting this email because you are a subscriber of the tor-relays mailing list or because you are among the top 10 affected parties - addressed via BCC to protect the address)

First of all, thanks for running exit relays!

One of the crucial services that you provide in addition to forwarding TCP streams is DNS resolution for tor clients. Exit relays which fail to resolve hostnames are barely useful for tor clients.

We noticed that lately the failure rates have increased again and would like to urge you to visit Arthur's "Tor Exit DNS Timeouts" page, which shows you the DNS error rate for exit relays: https://arthuredelstein.net/exits/ (the page is usually updated once a day)

Please consider checking your DNS if your exit relay consistently shows a non-zero timeout rate - and make sure you run an up-to-date tor version.

If you are an exit operator but have no (or no working) ContactInfo, please consider updating that field in your torrc so we can reach you if something is wrong with your relay.

kind regards
nusenu
--
https://twitter.com/nusenu_

Would you make a recommendation of running unbound on the local exit nodes to resolve local DNS server congestion to get around this issue?
Thanks,
Conrad
On Oct 19, 2018, at 5:30 PM, nusenu <nusenu-lists@riseup.net> wrote:
Dear Exit relay operators,
(you are getting this email because you are a subscriber of the tor-relays mailing list or because you are among the top 10 affected parties - addressed via BCC to protect the address)
First of all, thanks for running exit relays!
One of the crucial services that you provide in addition to forwarding TCP streams is DNS resolution for tor clients. Exit relays which fail to resolve hostnames are barely useful for tor clients.
We noticed that lately the failure rates have increased again and would like to urge you to visit Arthur's "Tor Exit DNS Timeouts" page, which shows you the DNS error rate for exit relays:
https://arthuredelstein.net/exits/ (the page is usually updated once a day)
Please consider checking your DNS if your exit relay consistently shows a non-zero timeout rate - and make sure you run an up-to-date tor version.
If you are an exit operator but have no (or no working) ContactInfo, please consider updating that field in your torrc so we can reach you if something is wrong with your relay.
kind regards
nusenu

The Tor relays guide in trac makes that recommendation.
On Fri, Oct 19, 2018 at 11:07 PM Conrad Rockenhaus <conrad@rockenhaus.com> wrote:
Would you make a recommendation of running unbound on the local exit nodes to resolve local DNS server congestion to get around this issue?
Thanks,
Conrad
On Oct 19, 2018, at 5:30 PM, nusenu <nusenu-lists@riseup.net> wrote:
Dear Exit relay operators,
(you are getting this email because you are a subscriber of the tor-relays mailing list or because you are among the top 10 affected parties - addressed via BCC to protect the address)
First of all, thanks for running exit relays!
One of the crucial services that you provide in addition to forwarding TCP streams is DNS resolution for tor clients. Exit relays which fail to resolve hostnames are barely useful for tor clients.
We noticed that lately the failure rates have increased again and would like to urge you to visit Arthur's "Tor Exit DNS Timeouts" page, which shows you the DNS error rate for exit relays:
https://arthuredelstein.net/exits/ (the page is usually updated once a day)
Please consider checking your DNS if your exit relay consistently shows a non-zero timeout rate - and make sure you run an up-to-date tor version.
If you are an exit operator but have no (or no working) ContactInfo, please consider updating that field in your torrc so we can reach you if something is wrong with your relay.
kind regards
nusenu
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

The Tor relays guide in trac makes that recommendation.
https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#DNSonExitRelays
The guide has unbound examples, but I tried to make clear that it is not the only option:
There are multiple options for DNS server software, unbound has become a popular one but feel free to use any other you are comfortable with. When choosing your DNS resolver software try to ensure it supports DNSSEC validation and QNAME minimisation (RFC7816).
Other popular DNS software like BIND didn't have RFC7816 support for a long time, and I don't know if BIND supports RFC7706 (root zone on loopback), which is also nice to have but not as important as RFC7816. Anyway, priority 1 should be reliability: if it fails 100% of queries, it does not matter what kind of software is used or what kind of protocol features are supported and enabled.
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
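The thread asks exit operators to check their DNS for a non-zero timeout rate and to prefer a resolver that validates DNSSEC and does QNAME minimisation. The script below is an added example, written for this page rather than taken from the thread or from the Tor relay guide: it runs a batch of lookups against the resolver an exit hands to tor, reports the failure rate against the 5% figure in the subject line, and then probes the three properties nusenu names (a validating resolver sets the AD flag on a signed zone, refuses a deliberately broken signature, and passes the QNAME minimisation test). It needs `dig`. Everything configurable is an assumption to adjust: `RESOLVER` defaults to 127.0.0.1 (a local caching resolver such as unbound), `NAMES` is a constructed sample rather than a measured traffic mix, `SIGNED_NAME` is assumed to be a DNSSEC-signed zone, and `dnssec-failed.org` and `qnamemintest.internet.nl` are public test zones the script takes for granted.

```shell
#!/bin/sh
# exit-dns-check.sh: exercise the resolver a Tor exit uses for its clients,
# report the failure rate against the thread's 5% mark, then probe for DNSSEC
# validation and QNAME minimisation. Added example (not from the thread or the
# Tor relay guide). Needs dig (package dnsutils / bind-utils).
#
# Assumptions, all adjustable:
#   RESOLVER     address tor's resolv.conf points at; 127.0.0.1 assumes a local
#                caching resolver such as unbound
#   NAMES        a constructed sample of hostnames, not a measured traffic mix
#   SIGNED_NAME  assumed to be a DNSSEC-signed zone
#   dnssec-failed.org (bogus signature) and qnamemintest.internet.nl (RFC 7816
#   test) are public test zones this script takes for granted

RESOLVER="${RESOLVER:-127.0.0.1}"
THRESHOLD_PCT=5
TIMEOUT_S=5
NAMES="torproject.org example.com example.net example.org iana.org ietf.org"
SIGNED_NAME="ietf.org"

# classify: read one dig run from stdin and print OK, FAIL or TIMEOUT.
# "status: NOERROR" in the header is a success; any other rcode (SERVFAIL,
# NXDOMAIN, REFUSED, ...) or an empty run is FAIL; dig's "connection timed
# out" line is a TIMEOUT, which is what Arthur's page counts.
classify() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo TIMEOUT ;;
        *"status: NOERROR"*)      echo OK ;;
        *)                        echo FAIL ;;
    esac
}

# failure_pct FAILED TOTAL: integer percentage, 0 when nothing was tried.
failure_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# over_threshold PCT: succeeds when PCT is above the 5% mark from the subject.
over_threshold() {
    [ "$1" -gt "$THRESHOLD_PCT" ]
}

# resolve NAME: a single A query with one try, the way an exit's tor sees it.
resolve() {
    dig @"$RESOLVER" +time="$TIMEOUT_S" +tries=1 "$1" A | classify
}

# dnssec_validates NAME: +dnssec sets the DO bit, so a validating resolver
# answers with the AD flag in dig's "flags:" header line.
dnssec_validates() {
    dig @"$RESOLVER" +dnssec +time="$TIMEOUT_S" "$1" A | grep -q 'flags:.* ad[; ]'
}

# rejects_bogus: a validating resolver must SERVFAIL a broken signature
# rather than hand the answer to tor clients.
rejects_bogus() {
    [ "$(dig @"$RESOLVER" +time="$TIMEOUT_S" dnssec-failed.org A | classify)" = FAIL ]
}

# qname_minimised: the test zone returns a TXT record containing HOORAY when
# the querying resolver uses QNAME minimisation.
qname_minimised() {
    dig @"$RESOLVER" +short +time="$TIMEOUT_S" TXT qnamemintest.internet.nl | grep -qi HOORAY
}

main() {
    total=0; failed=0
    for n in $NAMES; do
        total=$((total + 1))
        r=$(resolve "$n")
        [ "$r" = OK ] || failed=$((failed + 1))
        printf '%-28s %s\n' "$n" "$r"
    done
    pct=$(failure_pct "$failed" "$total")
    printf 'failure rate: %s%% (%s of %s)\n' "$pct" "$failed" "$total"
    if over_threshold "$pct"; then
        echo "ABOVE the ${THRESHOLD_PCT}% mark: fix reliability before anything else"
    fi
    if dnssec_validates "$SIGNED_NAME"; then echo "DNSSEC: AD flag set for $SIGNED_NAME"
    else echo "DNSSEC: no AD flag, resolver is not validating"; fi
    if rejects_bogus; then echo "DNSSEC: bogus signature rejected"
    else echo "DNSSEC: bogus signature NOT rejected"; fi
    if qname_minimised; then echo "QNAME minimisation: enabled"
    else echo "QNAME minimisation: not detected"; fi
}

# Live checks run only when asked for, e.g.  sh exit-dns-check.sh run
case "${1:-}" in run) main ;; esac
```

Run it on the exit host itself with `RESOLVER` set to whatever /etc/resolv.conf (or the file named by `ServerDNSResolvConfFile` in torrc) points at, since that is the resolver tor actually uses; a clean run from another machine says nothing about what clients get. A consistent non-zero TIMEOUT count here matches what the Tor Exit DNS Timeouts page would show for the relay, and the order of the output mirrors nusenu's priority: the failure rate comes first, the protocol features after it.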

On 10/20/18 5:07 AM, Conrad Rockenhaus wrote:
Would you make a recommendation of running unbound on the local exit nodes to resolve local DNS server congestion to get around this issue?
What about diversity? Running unbound at every Tor relay sounds like a bad idea.
--
Toralf
PGP C4EACDDE 0076E94E

On 20.10.18 10:33, Toralf Förster wrote:
What about diversity? Running unbound at every Tor relay sounds like a bad idea.
Tor exits benefit from a caching, DNSSEC-capable resolver that is able to handle the required load. Dnsmasq does not handle a high connection count well. BIND9 and Unbound work fine, the latter being easier to set up in a role that suits Tor.
-Ralph
participants (5)
- Conrad Rockenhaus
- Nathaniel Suchy
- nusenu
- Ralph Seichter
- Toralf Förster