Hi all,
Haven't posted in a while here, it's good to see that this list is still going strong :)
I hope that some Tor Project employee can reply on list item 2 below.
I've been co-operating an exit relay for some four years now. My usual response to abuse notifications is adding a reject rule to my ExitPolicy that blocks outgoing traffic to the attacked IP address/subnet. I do this mostly to prevent overhead for the volunteer abuse coordinators that operate the network that my exit resides in, but also to "do something" (not much, but at least something) for the attacked network.
Yesterday however, I received a notification from my government's proactive security alerting service, notifying me of a botnet using my exit relay for communication. Now, I both like the Tor Project and privacy in general, and at the same time dislike botnets. And this made me think: what if I configure my DNS resolution to block queries for known botnet C&C domains? It would make it a bit harder to abuse the Tor network for botnet communications, and save a bit of bandwidth for users that have a good faith need for anonymity (you know, these users [1]).
[1] https://2019.www.torproject.org/about/torusers.html.en
Now, I'm aware there are a couple of downsides to this:
1. Starting to block things could be considered a slippery slope. First it's botnets, then it's piracy, then whatever else the government dislikes. I'm not too worried about this as long as I can choose what I block myself, and I already counter BitTorrent usage by using the well-known ReducedExitPolicy.
2. This old GitLab wiki page [2] lists a relay that is using a censored DNS provider as an example of a bad relay. It however doesn't provide a reason for this. If the DNS provider *only* blocks requests for known C&C domains, would that be okay?
[2] https://gitlab.torproject.org/legacy/trac/-/wikis/doc/ReportingBadRelays#wha...
3. Obviously, the Unbound blocklist source or censoring DNS provider that would be used would gain some control over traffic on the Tor network. I'd say this is a tradeoff. If *only* C&C domains are blocked, I would be okay with this.
4. Potential legal issues. I know that in some jurisdictions (the U.S. I believe is a good example) setting up selective filtering makes the filter operator at least somewhat responsible for the traffic that passes through the filter. I'm not too worried about this at the moment. Both my exit relay and I are situated in the Netherlands.
What do you guys think? Do we accept DNS filtering for blocking botnet traffic, or do we all cry censorship over this?
Cheers,
Imre
tor-relays@lists.torproject.org
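As an added example that is not part of Imre's post or of any Tor Project code: a small Python script that turns a C&C domain blocklist into Unbound `local-zone ... always_nxdomain` rules, with two checks a relay operator would want before deploying such a list (dropping names already covered by a listed parent zone, and refusing single-label names that would blackhole an entire TLD). The feed contents below are constructed placeholders under the reserved `.example` TLD, not real indicators.

```python
import re
from typing import Iterable

# Constructed sample feed mixing "hosts" style lines, bare names, comments
# and junk. The domains are placeholders, not real C&C indicators.
SAMPLE_BLOCKLIST = """\
# constructed example feed
0.0.0.0 cc-one.example
127.0.0.1 beacon.cc-one.example
cc-two.example.
CC-Two.example
com
not a domain!
"""

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")


def parse_blocklist(text: str) -> list[str]:
    """Extract normalized (lowercase, no trailing dot) names; skip comments,
    leading sinkhole IPs and anything that is not a syntactically valid name."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[-1].lower().rstrip(".")
        if DOMAIN_RE.match(token):
            names.add(token)
    return sorted(names)


def minimize_zones(names: Iterable[str], min_labels: int = 2) -> list[str]:
    """Drop names covered by a shorter listed parent (Unbound local-zone already
    matches every name below the zone) and refuse names with fewer than
    min_labels labels: a bare TLD in a feed would block the whole TLD."""
    kept = []
    for name in sorted(names, key=lambda n: n.count(".")):
        if name.count(".") + 1 < min_labels:
            continue
        if any(name == p or name.endswith("." + p) for p in kept):
            continue
        kept.append(name)
    return sorted(kept)


def unbound_config(names: Iterable[str]) -> str:
    """Render a server: clause; always_nxdomain answers NXDOMAIN for the zone
    and every name under it, so legitimate lookups elsewhere are untouched."""
    lines = ["server:"]
    for name in minimize_zones(names):
        lines.append(f'    local-zone: "{name}." always_nxdomain')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unbound_config(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

The rendered clause can be dropped into a file included from unbound.conf; the bare `com` line and the `beacon.` subdomain from the constructed feed are deliberately left out of the output.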