Hey,
I recently started running my first two exit relays.
Since it was mentioned on the mailing list a while back and seemed like a reasonable thing to do, I installed and configured unbound.
Afterwards, I noticed that most if not all of the DNS requests are randomly capitalized. Does this impact unbound's caching ability? My cache hit/miss ratio is around 1/5.
What is the reason for changing the capitalization?
Best regards ajs124
On Sun, Jul 3, 2016 at 9:25 AM, ajs124 tor@ajs124.de wrote:
Afterwards, I noticed that most if not all of the DNS requests are randomly capitalized. Does this impact unbound's caching ability? My cache hit/miss ratio is around 1/5.
This is "0x20 encoding", see https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00, https://isc.sans.edu/diary/Use+of+Mixed+Case+DNS+Queries/12418 and https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/. It makes it harder for a MITM to spoof DNS responses.
It shouldn't affect unbound's ability to cache anything. However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
zw
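The mechanism Zack refers to, shown as an added example (this is neither Tor's nor unbound's code, nor anything posted in the thread): the sender flips the ASCII case bit (0x20) of each letter in the query name at random, and accepts a reply only if the echoed question matches byte for byte, so an off-path spoofer has to guess one extra bit per letter on top of the transaction ID and source port. On an exit it is Tor's own resolver code that does this to the queries it sends to unbound (torrc option ServerDNSRandomizeCase, on by default). Because DNS names are case-insensitive (RFC 4343), a cache keys on the lowercased name and never sees the random case, which is why the hit rate is unaffected. The resolver, upstream and attacker below are a toy model of the exchange, and example.com and the TEST-NET addresses are placeholders.

```python
"""Toy model of 0x20 query-name case randomization and a case-insensitive cache.

Added example for the thread above; not Tor, libevent or unbound code.
"""
import itertools
import secrets
from typing import Callable, Dict, Tuple

CacheKey = Tuple[str, str]                        # (lowercased FQDN, qtype)
Upstream = Callable[[str, str], Tuple[str, str]]  # (wire qname, qtype) -> (echoed qname, rdata)


def _random_bit() -> bool:
    return secrets.randbits(1) == 1


def encode_0x20(qname: str, flip: Callable[[], bool] = _random_bit) -> str:
    """Randomize the case of every ASCII letter in qname.

    In ASCII the 0x20 bit is the case bit, so each letter carries one bit of
    randomness; digits, hyphens and dots are left alone. `flip` is injectable
    so the behaviour is testable; by default it draws a fresh random bit.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if flip() else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Extra bits a spoofer must guess for this name (one per ASCII letter)."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def cache_key(qname: str, qtype: str) -> CacheKey:
    """Names are case-insensitive, so the cache keys on the lowercased FQDN."""
    return (qname.lower().rstrip(".") + ".", qtype.upper())


def response_matches(sent_qname: str, recv_qname: str) -> bool:
    """A 0x20 resolver compares the echoed question exactly, not case-folded."""
    return sent_qname == recv_qname


class Resolver:
    """Minimal stub resolver: case-insensitive cache plus 0x20 checking."""

    def __init__(self, flip: Callable[[], bool] = _random_bit) -> None:
        self.flip = flip
        self.cache: Dict[CacheKey, str] = {}
        self.hits = 0
        self.misses = 0

    def resolve(self, qname: str, qtype: str, upstream: Upstream) -> str:
        key = cache_key(qname, qtype)
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        self.misses += 1
        wire_name = encode_0x20(qname, self.flip)
        echoed_name, rdata = upstream(wire_name, qtype)
        if not response_matches(wire_name, echoed_name):
            raise ValueError("question name case mismatch: response discarded as spoofed")
        self.cache[key] = rdata
        return rdata


# Constructed upstreams for the demonstration (placeholder addresses).
def honest_authoritative(wire_name: str, qtype: str) -> Tuple[str, str]:
    """Echoes the question exactly as received, as compliant servers do."""
    return wire_name, "192.0.2.10"


def case_guessing_spoofer(wire_name: str, qtype: str) -> Tuple[str, str]:
    """Off-path attacker who knows the name but not the random case bits."""
    return wire_name.lower(), "203.0.113.66"


def alternating() -> Callable[[], bool]:
    """Deterministic case pattern so the demo is reproducible."""
    cyc = itertools.cycle([True, False])
    return lambda: next(cyc)


def demo() -> Tuple[int, int, bool]:
    """Returns (cache hits, cache misses, spoofed answer accepted?)."""
    r = Resolver(flip=alternating())
    r.resolve("www.example.com", "A", honest_authoritative)
    r.resolve("WWW.Example.COM.", "A", honest_authoritative)  # hit despite different case
    accepted = True
    try:
        Resolver(flip=alternating()).resolve("www.example.com", "A", case_guessing_spoofer)
    except ValueError:
        accepted = False
    return r.hits, r.misses, accepted


if __name__ == "__main__":
    print(encode_0x20("www.example.com"), entropy_bits("www.example.com"), demo())
```

One caveat a practitioner should know: the check only works against servers that echo the question unchanged. A few middleboxes and authoritative servers lowercase the name, which makes every reply look spoofed; real resolvers (unbound's use-caps-for-id, Tor's ServerDNSRandomizeCase) therefore retry or fall back rather than failing hard, and that fallback is where an attacker would aim.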
On 03/07/16 at 15:51, Zack Weinberg wrote:
On Sun, Jul 3, 2016 at 9:25 AM, ajs124 tor@ajs124.de wrote:
Afterwards, I noticed that most if not all of the DNS requests are randomly capitalized. Does this impact unbound's caching ability? My cache hit/miss ratio is around 1/5.
This is "0x20 encoding", see https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00, https://isc.sans.edu/diary/Use+of+Mixed+Case+DNS+Queries/12418 and https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/. It makes it harder for a MITM to spoof DNS responses.
It shouldn't affect unbound's ability to cache anything. However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
zw
Without a cache, every connection takes a second longer to open. Unless you send all DNS requests to Google, but I don't think that's ideal either.
In-memory caching of DNS is simply needed for Tor to work properly (and besides, Tor has its own DNS cache as well).
Tom
On 07/03/2016 03:51 PM, Zack Weinberg wrote:
However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
IMO both statements aren't correct.
-- Toralf PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
On Sun, Jul 03, 2016 at 09:51:43AM -0400, Zack Weinberg wrote:
However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
Are you concerned about the DNS cache logging to disk, or about its in-memory data? I would assume the former can be fixed by disabling logging.
It shouldn't affect unbound's ability to cache anything. However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
zw
Hey, I'm not an Unbound expert, I think Unbound doesn't log any DNS queries...? What I know is that only statistics can be given with the command "unbound-control stats"; only numbers are shown. In my unbound.conf, the only log config lines are:
logfile: "/var/log/unbound.log"
use-syslog: no
And this /var/log/unbound.log doesn't exist on my system... Is there a way to see DNS queries made by users?
For me, about privacy, it's not necessarily a problem of "knowing what your Tor users are doing", because if it's not you, it will be your DNS resolvers... As read before, a lot of Tor exits are using Google DNS :p (I think it's lol about privacy!) So the bad guy will know the DNS queries, but he doesn't know who has made them (only the exit IP is shown?), so privacy is safe?
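For the logging question: by default unbound writes no per-query records, but the knobs that would exist. Below is an added example of a privacy-oriented unbound.conf for an exit's local resolver; it is not Petrusko's file, not an unbound default, and assumes unbound 1.5 or newer with only Tor on the same host querying it (the interface and access-control lines are assumptions to adapt). The weak setting is shown commented out beside the one you want.

```conf
# Added example for the thread, not a file from any poster. Assumes unbound
# 1.5+ and that only Tor on this host talks to the resolver.
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # Nothing about individual queries should reach disk.
    verbosity: 1              # 3 and above print per-query information
    log-queries: no           # "log-queries: yes" would write every qname and client address
    use-syslog: no
    logfile: ""               # empty string: stderr only, nothing on disk
    statistics-interval: 0    # no periodic stats dumps to the log
    extended-statistics: no

    # The cache lives in memory only; sizes are a starting point for an exit.
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
    num-threads: 2

    # Apply the same 0x20 check to unbound's own upstream queries.
    use-caps-for-id: yes
    qname-minimisation: yes   # unbound 1.5.7+

    hide-identity: yes
    hide-version: yes

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
```

Two things to check after loading it: the hit rate in the thread is total.num.cachehits over cachehits plus cachemiss from "unbound-control stats_noreset" (plain "stats" zeroes the counters on every call, which skews the ratio if anything else polls them), and "unbound-control dump_cache" prints the whole in-memory cache, which is the record Zack is pointing at: no query log is needed for someone with the control socket to see which names this exit resolved recently.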
That's my thought as well. At any rate, not using a cache for DNS queries would add even more latency to the network.
On Jul 9, 2016 10:01 AM, "Petrusko" petrusko@riseup.net wrote:
It shouldn't affect unbound's ability to cache anything. However, I personally think it is inappropriate to run a DNS cache on an exit node, because that preserves a record on the exit node of what people are using it for.
zw
Hey, I'm not an Unbound expert, I think Unbound doesn't log any DNS queries...? What I know is that only statistics can be given with the command "unbound-control stats"; only numbers are shown. In my unbound.conf, the only log config lines are:
logfile: "/var/log/unbound.log"
use-syslog: no
And this /var/log/unbound.log doesn't exist on my system... Is there a way to see DNS queries made by users?
For me, about privacy, it's not necessarily a problem of "knowing what your Tor users are doing", because if it's not you, it will be your DNS resolvers... As read before, a lot of Tor exits are using Google DNS :p (I think it's lol about privacy!) So the bad guy will know the DNS queries, but he doesn't know who has made them (only the exit IP is shown?), so privacy is safe?
-- Petrusko PubKey EBE23AE5 C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays