Boosting throughput with own DNS resolvers

Recently I noticed my Tor Exit nodes were showing nameserver errors in the tor log and I decided to set up two private DNS resolvers (pdns-recursor). Since I use those I have seen an increase of traffic throughput on my Exit nodes to approx. 150%. I feel I am finally utilizing the resources available.

All bigger Tor relay operators will probably already do it this way, but as I myself have long been using Google DNS or other privacy-aware DNS resolvers on my nodes I just wanted to throw this out in the open.

How many of you are already using private DNS resolvers for your nodes? Any feedback/ideas about this?

-- Tim Semeijn, Babylon Network, pgp 0x5B8A4DDF

Tim Semeijn schreef op 19/07/15 om 22:47:
Recently I noticed my Tor Exit nodes were showing nameserver errors in the tor log and I decided to set up two private DNS resolvers (pdns-recursor). Since I use those I have seen an increase of traffic throughput on my Exit nodes to approx. 150%. I feel I am finally utilizing the resources available.
All bigger Tor relay operators will probably already do it this way, but as I myself have long been using Google DNS or other privacy-aware DNS resolvers on my nodes I just wanted to throw this out in the open.
How many of you are already using private DNS resolvers for your nodes? Any feedback/ideas about this?
-- Tim Semeijn, Babylon Network, pgp 0x5B8A4DDF
All my exits run with pdns-recursor installed, because I don't want to be uploading people's DNS data to Google's search indexer :-)

I applied some tweaks to Tor and pdns:

* Disable DNS randomization (torrc: ServerDNSRandomizeCase 0)
* Disable pdns packetcache (doesn't help much) and allow caching a LOT of records in the normal cache:

    # recursor.conf
    disable-packetcache
    max-cache-entries=3000000
    max-cache-ttl=86400

* Tor's DNS logic is a bit nasty at times... Adding your DNS server to resolv.conf twice helps:

    # /etc/resolv.conf
    options timeout:3
    nameserver 127.0.0.1
    nameserver 127.0.0.2

Tom
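As an added example (not code from the thread, nor from the Tor or PowerDNS projects), the script below audits a node for the three tweaks Tom lists (recursor cache settings, two loopback nameserver lines with a timeout in resolv.conf, ServerDNSRandomizeCase 0 in torrc) and tallies the nameserver failures that Tor's eventdns layer reports, which is the symptom Tim started the thread with. All file contents and log lines are constructed samples; the resolver addresses are RFC 5737 documentation addresses, and the one-million-entry cache threshold is an assumption, not a figure from the thread.

```python
"""Added example: check an exit's local-resolver setup against the tweaks
from the thread and summarise nameserver errors from Tor's log.
All file contents and log lines below are constructed samples."""
import re
from collections import Counter


def parse_recursor_conf(text):
    """Parse pdns-recursor style settings: 'key=value' lines or bare 'key' switches."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()  # a bare switch stores ''
    return settings


def parse_resolv_conf(text):
    """Return (list of nameservers, dict of 'options' flags) from resolv.conf text."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "nameserver" and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:  # e.g. timeout:3 -> {'timeout': '3'}
                name, _, val = opt.partition(":")
                options[name] = val
    return nameservers, options


def check_resolver_setup(recursor_conf, resolv_conf, torrc, min_cache_entries=1_000_000):
    """Return a list of findings; an empty list means every tweak from the thread is present."""
    findings = []
    rc = parse_recursor_conf(recursor_conf)
    if "disable-packetcache" not in rc:
        findings.append("recursor.conf: packet cache still enabled (disable-packetcache missing)")
    if int(rc.get("max-cache-entries", "0") or 0) < min_cache_entries:
        findings.append("recursor.conf: max-cache-entries below %d (assumed threshold)" % min_cache_entries)
    if "max-cache-ttl" not in rc:
        findings.append("recursor.conf: max-cache-ttl not set")
    nameservers, options = parse_resolv_conf(resolv_conf)
    remote = [ns for ns in nameservers if not (ns.startswith("127.") or ns == "::1")]
    if remote:
        findings.append("resolv.conf: remote resolver(s) in use: %s" % ", ".join(remote))
    if len(nameservers) < 2:
        findings.append("resolv.conf: fewer than two nameserver lines; the thread suggests listing the local resolver twice")
    if "timeout" not in options:
        findings.append("resolv.conf: no 'options timeout:N'")
    m = re.search(r"^\s*ServerDNSRandomizeCase\s+(\S+)", torrc, re.MULTILINE)
    if not m or m.group(1) != "0":
        findings.append("torrc: ServerDNSRandomizeCase is not 0")
    return findings


# Patterns follow the wording of Tor's eventdns log messages; the sample log
# below is constructed, not captured from a real relay.
NS_FAILED = re.compile(r"eventdns: Nameserver (\S+) has failed: (.+?)\.?$")
ALL_FAILED = re.compile(r"eventdns: All nameservers have failed")


def summarize_tor_log(log_text):
    """Count failures per nameserver, the reasons given, and full outages."""
    per_ns, reasons, outages = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = NS_FAILED.search(line)
        if m:
            per_ns[m.group(1)] += 1
            reasons[m.group(2)] += 1
        elif ALL_FAILED.search(line):
            outages += 1
    return {"per_nameserver": dict(per_ns), "reasons": dict(reasons), "outages": outages}


# Constructed "before" state: remote resolvers, no local recursor, default torrc.
BEFORE_RECURSOR = ""
BEFORE_RESOLV = "nameserver 203.0.113.1\nnameserver 203.0.113.2\n"
BEFORE_TORRC = "ORPort 9001\nExitRelay 1\n"
# Constructed "after" state matching the tweaks from the thread.
AFTER_RECURSOR = "# recursor.conf\ndisable-packetcache\nmax-cache-entries=3000000\nmax-cache-ttl=86400\n"
AFTER_RESOLV = "# /etc/resolv.conf\noptions timeout:3\nnameserver 127.0.0.1\nnameserver 127.0.0.2\n"
AFTER_TORRC = "ORPort 9001\nExitRelay 1\nServerDNSRandomizeCase 0\n"
SAMPLE_LOG = """\
Jul 19 22:10:01.000 [warn] eventdns: Nameserver 203.0.113.1:53 has failed: request timed out.
Jul 19 22:10:03.000 [warn] eventdns: Nameserver 203.0.113.2:53 has failed: request timed out.
Jul 19 22:10:03.000 [warn] eventdns: All nameservers have failed
Jul 19 22:10:40.000 [notice] eventdns: Nameserver 203.0.113.1:53 is back up
Jul 19 22:15:12.000 [warn] eventdns: Nameserver 203.0.113.1:53 has failed: request timed out.
"""

if __name__ == "__main__":
    for label, args in (("before", (BEFORE_RECURSOR, BEFORE_RESOLV, BEFORE_TORRC)),
                        ("after", (AFTER_RECURSOR, AFTER_RESOLV, AFTER_TORRC))):
        print(label, check_resolver_setup(*args) or ["ok"])
    print(summarize_tor_log(SAMPLE_LOG))
```

On a real node you would read `/etc/powerdns/recursor.conf`, `/etc/resolv.conf` and the torrc instead of the constructed strings, and feed the tor log through `summarize_tor_log`; a falling outage count after the change is the cheap way to confirm the resolver fix is doing what Tim observed.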

I will give running the pdns-recursor locally on the nodes a shot later in the coming week. Probably can squeeze some more throughput out of it. Good tips/tweaks!

On 7/19/15 10:52 PM, Tom van der Woerdt wrote:
Tim Semeijn schreef op 19/07/15 om 22:47:
Recently I noticed my Tor Exit nodes were showing nameserver errors in the tor log and I decided to set up two private DNS resolvers (pdns-recursor). Since I use those I have seen an increase of traffic throughput on my Exit nodes to approx. 150%. I feel I am finally utilizing the resources available.
All bigger Tor relay operators will probably already do it this way, but as I myself have long been using Google DNS or other privacy-aware DNS resolvers on my nodes I just wanted to throw this out in the open.
How many of you are already using private DNS resolvers for your nodes? Any feedback/ideas about this?
-- Tim Semeijn, Babylon Network, pgp 0x5B8A4DDF
All my exits run with pdns-recursor installed, because I don't want to be uploading people's DNS data to Google's search indexer :-)
I applied some tweaks to Tor and pdns :
* Disable DNS randomization (torrc: ServerDNSRandomizeCase 0)
* Disable pdns packetcache (doesn't help much) and allow caching a LOT of records in the normal cache:

    # recursor.conf
    disable-packetcache
    max-cache-entries=3000000
    max-cache-ttl=86400

* Tor's DNS logic is a bit nasty at times... Adding your DNS server to resolv.conf twice helps:

    # /etc/resolv.conf
    options timeout:3
    nameserver 127.0.0.1
    nameserver 127.0.0.2
Tom
-- Tim Semeijn, Babylon Network, pgp 0x5B8A4DDF

On Sun, 19 Jul 2015 13:52:32 -0700, Tom van der Woerdt <info@tvdw.eu> wrote:
All my exits run with pdns-recursor installed, because I don't want to be uploading people's DNS data to Google's search indexer :-)
How does pdns-recursor stack up against unbound chained with dnscrypt-proxy? I've been running the latter but this is the first I've heard of using pdns on an exit node. The pdns + Tor configuration tweaks were very helpful, thanks.

Seth schreef op 20/07/15 om 15:27:
On Sun, 19 Jul 2015 13:52:32 -0700, Tom van der Woerdt <info@tvdw.eu> wrote:
All my exits run with pdns-recursor installed, because I don't want to be uploading people's DNS data to Google's search indexer :-)
How does pdns-recursor stack up against unbound chained with dnscrypt-proxy?
I've been running the latter but this is the first I've heard of using pdns on an exit node.
The pdns + Tor configuration tweaks were very helpful, thanks.
Well, there's a big difference between proxying DNS and running a recursor. With the proxy you're still trusting a third party with all your DNS data, with a recursor that's not the case.

Tom

How does pdns-recursor stack up against unbound chained with dnscrypt-proxy?
With the proxy you're still trusting a third party with all your DNS data, with a recursor that's not the case.
All the DNS plaintext is being passively tapped on the wire anyways. At least with a local resolver you're not also actively shoveling it all to a remote third party recursion service.

On 07/19/2015 10:47 PM, Tim Semeijn wrote:
All bigger Tor relay operators will probably already do it this way,
Hmm, I just used dnsmasq here, isn't that enough? If not: where is a preferred/best practice solution documented in the WIKI?

-- Toralf, pgp key: 872AE508 0076E94E
participants (5)
- grarpamp
- Seth
- Tim Semeijn
- Tom van der Woerdt
- Toralf Förster