[metrics-team] Exit relays' DNS resolvers over time

nusenu nusenu at openmailbox.org
Tue Feb 23 23:55:36 UTC 2016



Philipp Winter:
> I've been using exitmap to enumerate what DNS resolvers are used by exit
> relays over time.  The idea is simple: I resolve an exit relay-specific
> domain under my control over all exit relays, and then look out for
> incoming DNS requests from my authoritative DNS server.  That allows me
> to map an exit relay to the IP address of a DNS resolver.  Here is a
> diagram that visualises preliminary results that cover several months:
> <https://nymity.ch/dns-traffic-correlation/img/top-exit-resolvers.png>
> 
> The diagram shows a time series, one data point a day, of the top four
> DNS resolvers of the Tor network.  The numbers are weighted by exit
> bandwidth.
> 
> Google is the most popular DNS resolver.  Today, Google gets to see
> around 25% of all DNS requests exiting the Tor network.  That is
> concerning; in particular because they also get to see ingress traffic
> of meek users that use App Engine.  After Google, local resolvers are
> the most popular.  I classify a resolver as "local" if the DNS
> resolver's IP address is identical to the exit relay's IP address.
> Finally, we have OVH and OpenDNS.  OVH isn't particularly surprising
> given that they are the most popular exit AS, currently controlling 11%
> of exit capacity.  Aside from these top four resolvers, the distribution
> has a long tail, presumably because many exit relays use their ISP's
> resolver.
> 
> Finally, beware of easy conclusions.  First, this analysis doesn't tell
> us anything about caching.  Exit relays cache DNS records, which limits
> exposure to the DNS resolver.  Also, some exit relays are multi-homed,
> which isn't reflected in these numbers.  Perhaps counterintuitively, it
> is not clear that local resolvers are *always* the best choice.
> Recursive resolvers traverse many autonomous systems when resolving a
> domain name, which exposes Tor users' DNS requests, and their
> corresponding responses, to network-level adversaries.  We talk a little
> bit about these issues here:
> <https://nymity.ch/dns-traffic-correlation/>

Interesting (as usual), thanks!

Can we also find a csv with the exit->dns server mapping somewhere?
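
The mapping and bandwidth weighting described in the quoted message, sketched as an added Python example; it is not part of either message and is not exitmap's code. The log format, the `probe.example.com` zone, the fingerprints, addresses, bandwidth weights and operator table are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: fingerprint -> (exit relay IP, exit bandwidth weight)
EXITS = {"aaaa1111": ("192.0.2.10", 40), "bbbb2222": ("198.51.100.7", 25),
         "cccc3333": ("203.0.113.5", 25), "dddd4444": ("203.0.113.9", 10)}
# Hypothetical operator table; a real analysis would use an IP-to-AS database.
OPERATORS = {"198.51.100.0/24": "public-resolver-A"}
ZONE = ".probe.example.com"  # assumed zone served by the authoritative server
# Assumed authoritative-server log format: "<source IP> <queried name>"
LOG = """\
192.0.2.10 aaaa1111.probe.example.com
198.51.100.53 bbbb2222.probe.example.com
198.51.100.54 cccc3333.probe.example.com
203.0.113.200 dddd4444.probe.example.com
198.51.100.53 bbbb2222.probe.example.com
192.0.2.99 unknown0.probe.example.com
"""

def classify(resolver_ip, exit_ip):
    """'local' if resolver and exit share an IP address, as defined in the thread."""
    if resolver_ip == exit_ip:
        return "local"
    addr = ipaddress.ip_address(resolver_ip)
    for net, name in OPERATORS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return "other"

def exit_to_resolver(log):
    """Map each known exit fingerprint to the set of resolver IPs that queried for it."""
    mapping = defaultdict(set)
    for line in log.splitlines():
        src, qname = line.split()
        name = qname.lower().rstrip(".")
        fp = name[:-len(ZONE)]
        if name.endswith(ZONE) and fp in EXITS:  # skip names not tied to a known exit
            mapping[fp].add(src)
    return mapping

def weighted_shares(mapping):
    """Bandwidth-weighted share per resolver class; an exit seen with several resolvers is split evenly."""
    total = sum(bw for _, bw in EXITS.values())
    shares = defaultdict(float)
    for fp, resolvers in mapping.items():
        exit_ip, bw = EXITS[fp]
        for r in resolvers:
            shares[classify(r, exit_ip)] += bw / len(resolvers) / total
    return dict(shares)
```

As the quoted message cautions, shares computed this way say nothing about caching at the exit or about multi-homed relays.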
