[tor-bugs] #8608 [Ooni]: discuss deployment of oonib's dns_helper service

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 29 21:02:01 UTC 2013


#8608: discuss deployment of oonib's dns_helper service
------------------------------------+---------------------------------------
 Reporter:  aagbsn                  |          Owner:  hellais
     Type:  task                    |         Status:  new    
 Priority:  normal                  |      Milestone:         
Component:  Ooni                    |        Version:         
 Keywords:  oonib, dns_helper, dns  |         Parent:         
   Points:                          |   Actualpoints:         
------------------------------------+---------------------------------------
 OONI Backend (oonib) provides a dns_helper service that responds to
 queries on port 53 udp/tcp.

 Unfortunately, the service is abused; whenever the helper is running it is
 being bombarded with queries from (presumably spoofed) addresses. This is
 a known problem with running an open recursive resolver. How can we
 mitigate the abuse of this service?

 One possibility is to launch the dns_helper service on demand for specific
 OONI tests. A problem with this approach is that a client cannot use the
 test helper unless it also creates a report with the associated collector
 (which currently also requires a working Tor).

 Another possibility is to implement rate-limiting, which would reduce the
 amount of abuse. A problem with this approach is that ooni-probe clients
 may see an increase in resolution failures. We don't currently dynamically
 adjust ooni-probe's request rate, though this is a desired feature.

 And another item to consider is how DNS resolution is performed on oonib.
 Presently, it forwards requests to an upstream resolver (by default,
 Google Public DNS), which might cause problems given the volume of DNS
 requests seen. We should consider deploying our own DNS resolver locally
 or near each collector.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8608>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
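
The rate-limiting option raised in the ticket, as an added example (not oonib's code): a per-source-prefix token bucket run over constructed traffic, showing the flood being cut down and a bursty probe losing queries, which is the resolution-failure cost the ticket mentions. The class name, rate, burst size and prefix lengths are assumptions chosen for illustration.

```python
import ipaddress

class PrefixRateLimiter:
    """Hypothetical token bucket per source prefix; integer milli-tokens keep the math exact."""
    def __init__(self, rate=5, burst=10, v4_prefix=24, v6_prefix=56):
        self.rate = rate                # tokens per second (= milli-tokens per ms)
        self.cap = burst * 1000         # bucket capacity in milli-tokens
        self.plen = {4: v4_prefix, 6: v6_prefix}
        # prefix -> [milli_tokens, last_seen_ms]. A deployment must expire idle
        # entries, or spoofed sources grow this dict without bound.
        self.buckets = {}

    def key(self, src):
        # Account per prefix so neighbouring source addresses share one budget.
        addr = ipaddress.ip_address(src)
        return ipaddress.ip_network(f"{addr}/{self.plen[addr.version]}", strict=False)

    def allow(self, src, now_ms):
        b = self.buckets.setdefault(self.key(src), [self.cap, now_ms])
        b[0] = min(self.cap, b[0] + (now_ms - b[1]) * self.rate)  # refill since last query
        b[1] = now_ms
        if b[0] >= 1000:
            b[0] -= 1000
            return True
        return False                    # caller drops the query

def simulate(limiter, events):
    """events: iterable of (timestamp_ms, src). Returns {src: [answered, dropped]}."""
    stats = {}
    for now_ms, src in events:
        counts = stats.setdefault(src, [0, 0])
        counts[0 if limiter.allow(src, now_ms) else 1] += 1
    return stats

def sample_events():
    """Constructed traffic using documentation address ranges (RFC 5737)."""
    flood = [(i, "198.51.100.7") for i in range(1000)]             # 1000 qps for 1 s
    steady = [(i * 500, "203.0.113.20") for i in range(20)]        # probe at 2 qps
    bursty = [(5000 + i * 10, "192.0.2.44") for i in range(30)]    # probe: 30 queries in 0.3 s
    return sorted(flood + steady + bursty)

if __name__ == "__main__":
    for src, (answered, dropped) in simulate(PrefixRateLimiter(), sample_events()).items():
        print(f"{src:15} answered={answered:4} dropped={dropped:4}")
```

The steady probe is unaffected, while the bursty probe loses most of its queries, so a probe would need to pace or retry its requests for this mitigation not to show up as resolution failures.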