Hi,
When I set up a Tor Exit, I set up a local resolver (BIND) as a cache. Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when resolution fails. (I have since removed these entries from the logs.)
One way to prevent this is to disable logging on BIND entirely:
logging { category default { null; }; };
Another is to isolate the categories that log DNS names, and disable them individually:
logging {
    // these categories log DNS names
    category dnssec { null; };
    category edns-disabled { null; };
    category lame-servers { null; };
    category resolver { null; };
    category security { null; };
    // also ignore uncategorised log messages
    category unmatched { null; };
};
I've updated the Tor wiki page on BIND with this configuration: https://trac.torproject.org/projects/tor/wiki/doc/BIND
Does anyone know how to work out all the BIND categories that log DNS names? (All of the documentation I found online was helping people log *every* DNS query.)
Or is it safer just to log a few essential categories? (Can anyone recommend any?)
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
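One way to work out which categories log names, as an added example that is not part of the thread or of BIND's own tooling: run the resolver for a while with print-category enabled on its syslog channel, then scan the log for anything shaped like a DNS name and group the hits by category. The sample log lines, the exit hostname and the message wording below are constructed assumptions, and the name pattern is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real BIND output; the message wording is
# illustrative) in the shape BIND uses when the channel is configured with
# "print-category yes; print-severity yes;".
SAMPLE_LOG = """\
Aug 16 12:01:02 exit named[1234]: general: info: running on exit.example.net
Aug 16 12:01:45 exit named[1234]: lame-servers: info: no valid RRSIG resolving 'example.invalid/DS/IN': 192.0.2.53#53
Aug 16 12:02:10 exit named[1234]: edns-disabled: info: success resolving 'broken.example/A' after reducing the advertised EDNS UDP packet size to 512 octets
Aug 16 12:03:00 exit named[1234]: resolver: notice: clients-per-query increased to 20
Aug 16 12:04:30 exit named[1234]: dnssec: warning: validating broken.example/A: no valid signature found
"""

# "named[pid]: <category>: <severity>: <message>"
LOG_LINE = re.compile(r"named\[\d+\]: (?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)")
# Something that looks like a DNS name: two or more dot-separated labels ending
# in an alphabetic TLD, so IPv4 addresses and version numbers do not match.
DNS_NAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Names that belong to the resolver itself rather than to client traffic
# (the hostname here is a constructed placeholder).
ALLOWLIST = {"exit.example.net"}


def leaking_categories(log_text, allow=ALLOWLIST):
    """Map each BIND log category to the sorted DNS names found in its messages.
    Categories that never contained a name are left out."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        for name in DNS_NAME.findall(m.group("msg")):
            if name.lower() not in allow:
                found[m.group("category")].add(name.lower())
    return {cat: sorted(names) for cat, names in found.items()}


def null_config(categories):
    """Render a logging block, in the style of the thread's snippet, that sends
    the given categories (plus unmatched) to the null channel."""
    lines = ["logging {", "    // categories observed logging DNS names"]
    lines += [f"    category {c} {{ null; }};" for c in sorted(categories)]
    lines += ["    // also ignore uncategorised log messages",
              "    category unmatched { null; };", "};"]
    return "\n".join(lines)


if __name__ == "__main__":
    leaks = leaking_categories(SAMPLE_LOG)
    for cat, names in sorted(leaks.items()):
        print(f"{cat}: {', '.join(names)}")
    print(null_config(leaks))
```

Run it against a real syslog extract instead of SAMPLE_LOG once you have a day or so of entries; any category it reports is a candidate for the null channel.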
On 8/16/16, teor teor2345@gmail.com wrote:
Or is it safer just to log a few essential categories? (Can anyone recommend any?)
Once properly set up and tested, DNS just works, the only maintenance being updating the root zone or keys whenever needed. You might be interested in the aggregated stats logs it emits: memory, queries per second, query types, that sort of thing. There's a config section for that and it's clean. For Tor, mostly just test that it's up and running; no risk of disclosure there.
I couldn't find the default config for Unbound when I installed it, so I just used the example file. Logging is disabled by default in this file. Unbound has a setting for "log-queries" which will print a line with time, IP, name, type, and class for each query. Not sure if setting this to "no" will still log failed lookups or not.
On Tue, Aug 16, 2016 at 9:23 PM, teor teor2345@gmail.com wrote:
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
On Wed, 17 Aug 2016 12:23:15 +1000 teor teor2345-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
On my exit running unbound, I haven't seen any messages from unbound beyond the startup/shutdown messages for the past several weeks, but maybe I just haven't gotten the right errors. I didn't see anything in the code that looked like logging requested names, but I only took a quick glance. The default verbosity seems kinda low, but of course that's no guarantee.
What kind of resolution errors are you talking about? Plain NXDOMAIN failures, failing to reach nameservers, DNSSEC failed signatures, or anything else? Do you know of any domains handy that could be used to test the relevant failure cases? (e.g. a dns entry that points to an unreachable server, or results in an invalid DNSSEC response, etc.) That would make it easy for exit operators to test what happens and take out some guesswork.
On 18 Aug 2016, at 15:46, Andrew Deason adeason@dson.org wrote:
On Wed, 17 Aug 2016 12:23:15 +1000 teor teor2345-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
Has anyone checked if the logs on other resolvers (like unbound) have the same issue?
On my exit running unbound, I haven't seen any messages from unbound beyond the startup/shutdown messages for the past several weeks, but maybe I just haven't gotten the right errors. I didn't see anything in the code that looked like logging requested names, but I only took a quick glance. The default verbosity seems kinda low, but of course that's no guarantee.
What kind of resolution errors are you talking about? Plain NXDOMAIN failures, failing to reach nameservers, DNSSEC failed signatures, or anything else?
I'm not sure if NXDOMAIN was showing up in the BIND logs by default or not. But the rest were, as was reducing packet sizes to 512 bytes (BIND's edns-disabled).
Do you know of any domains handy that could be used to test the relevant failure cases? (e.g. a dns entry that points to an unreachable server, or results in an invalid DNSSEC response, etc.) That would make it easy for exit operators to test what happens and take out some guesswork.
I don't have a record of those domains any more, and I can't turn logging back on. However, any domain which doesn't have name servers, or has broken DNSSEC, was being logged by default by BIND.
I was seeing a few domains logged every few minutes with BIND's default logging, on an exit running at 5 - 10 MBytes per second. So if you're not seeing them in a day of log entries, you're probably safe.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
tor-relays@lists.torproject.org