[tor-bugs] #18580 [Tor]: exit relay fails with 'unbound' DNS resolver when lots of requests time-out

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Mar 19 21:52:52 UTC 2016


#18580: exit relay fails with 'unbound' DNS resolver when lots of requests time-out
----------------------+------------------------------
 Reporter:  Dhalgren  |          Owner:
     Type:  defect    |         Status:  new
 Priority:  Medium    |      Milestone:
Component:  Tor       |        Version:  Tor: 0.2.7.6
 Severity:  Major     |     Resolution:
 Keywords:            |  Actual Points:
Parent ID:            |         Points:
 Reviewer:            |        Sponsor:  None
----------------------+------------------------------

Comment (by Dhalgren):

 Replying to [comment:5 arma]:
 > So to summarize, it sounds like unbound's behavior when doing a dns
 > resolve is more aggressive than named's behavior?

 It appears that Unbound is more persistent than named, but employs a
 sophisticated exponential back-off scheme so I'm not sure it would be
 considered more aggressive.  The above documentation link goes into the
 unbound time-out scheme at great length.  Named appears to have a much
 simpler and shorter retry/timeout approach.

 > And Godaddy has some sort of abuse detection mechanism that makes it
 > refuse to answer dns questions from loud IP addresses?

 In 2011 GoDaddy implemented a policy of blocking high-volume DNS
 requesters in order to avoid adding resources to their DNS server pool.
 At one point this apparently included blocking GoogleBot.  Appears to be a
 manually maintained list with an arbitrary selection policy.  See

 http://rscott.org/dns/GoDaddy_Selective_DNS_Blackouts.htm

 It appears that my Dhalgren relay was added to their block list three days
 ago and the 'ashtrayhat3' relay was added back in January.  My relay
 continues to have DNS blocked by GoDaddy.  Probably several other fast
 relays are blocked, but never ran with unbound and so it was not noticed.

 > And whatever unbound is doing is more often triggering godaddy's
 > mechanism?

 I doubt it's unbound (vs named) that caused GoDaddy to block DNS from my
 exit.  They block high-volume DNS requesters in general.  I also noticed
 the ed.gov is blocking my relay.

 > And while some people on tor-relays thought that this was maybe a Tor
 > bug, it *can't* be a Tor bug if the issue is "the dns server you're asking
 > questions to won't answer"? Or is there still a Tor bug here too, where
 > Tor should handle it better when it doesn't get any dns answer?

 I'm 80-90% sure it's a bug in the way the Tor daemon interacts with
 unbound's behavior w/r/t large numbers of timing-out DNS queries.  Unbound
 appears to be perfectly fine with the situation when it occurs.  Tor
 daemon DNS queries lock-up wholesale, thus preventing normal exit browsing
 behavior.  Tor daemon is fine with the GoDaddy DNS block when named is the
 intermediary--large numbers of request time-outs of GoDaddy domains
 continue unabated.

 Data-transfer via circuits appears unaffected as the relay earned a 100%
 rating increase from the BWauths while it was in the broken state (running
 20% of normal traffic load) for 37 hours.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18580#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
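Added example (not part of the ticket, and not code from the Tor or Unbound projects): an operator-side health check for the situation described in this comment, where a large share of an exit's upstream DNS queries time out and the local resolver comes under load. It parses the `key=value` output of `unbound-control stats` and flags a high SERVFAIL share of answers (upstream servers not responding) together with request-list pressure (`total.requestlist.exceeded` / `total.requestlist.overwritten`). The key names are Unbound's own; the two stats dumps below and the alert thresholds are constructed for this example.

```python
"""Health check for the local unbound resolver on a Tor exit.

Reads `unbound-control stats` output (key=value lines) and reports the two
symptoms discussed in the ticket: most answers ending in SERVFAIL because
upstream authoritative servers stop answering, and unbound's request list
dropping or overwriting queries under the resulting backlog.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Constructed sample: a resolver where most recursions are timing out.
# Key names follow `unbound-control stats`; the numbers are invented.
DEGRADED_STATS = """\
total.num.queries=48210
total.num.cachehits=20114
total.num.cachemiss=28096
total.requestlist.avg=412.5
total.requestlist.max=1000
total.requestlist.overwritten=37
total.requestlist.exceeded=1520
total.requestlist.current.all=988
num.answer.rcode.NOERROR=18530
num.answer.rcode.NXDOMAIN=2300
num.answer.rcode.SERVFAIL=27380
"""

# Constructed sample: the same resolver on a normal day.
HEALTHY_STATS = """\
total.num.queries=51000
total.requestlist.overwritten=0
total.requestlist.exceeded=0
num.answer.rcode.NOERROR=47200
num.answer.rcode.NXDOMAIN=3500
num.answer.rcode.SERVFAIL=300
"""


@dataclass
class ResolverHealth:
    servfail_ratio: float          # SERVFAIL answers / all answers
    exceeded: int                  # queries dropped, request list full
    overwritten: int               # queries replaced by newer ones
    alerts: list[str] = field(default_factory=list)

    @property
    def healthy(self) -> bool:
        return not self.alerts


def parse_stats(text: str) -> dict[str, float]:
    """Parse key=value lines; non-numeric or malformed lines are skipped."""
    stats: dict[str, float] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            continue
    return stats


def assess(stats: dict[str, float], servfail_threshold: float = 0.25) -> ResolverHealth:
    """Derive alert conditions from parsed stats (thresholds are assumptions)."""
    answers = sum(v for k, v in stats.items() if k.startswith("num.answer.rcode."))
    servfail = stats.get("num.answer.rcode.SERVFAIL", 0.0)
    ratio = servfail / answers if answers else 0.0
    exceeded = int(stats.get("total.requestlist.exceeded", 0))
    overwritten = int(stats.get("total.requestlist.overwritten", 0))

    health = ResolverHealth(ratio, exceeded, overwritten)
    if ratio > servfail_threshold:
        health.alerts.append(f"{ratio:.0%} of answers are SERVFAIL: upstream servers not responding")
    if exceeded:
        health.alerts.append(f"{exceeded} queries dropped because the request list was full")
    if overwritten:
        health.alerts.append(f"{overwritten} pending queries overwritten by newer ones")
    return health


def check_live_resolver() -> ResolverHealth:
    """Run unbound-control on the local host and assess the result."""
    out = subprocess.run(["unbound-control", "stats_noreset"],
                         capture_output=True, text=True, check=True).stdout
    return assess(parse_stats(out))


if __name__ == "__main__":
    for label, text in (("healthy", HEALTHY_STATS), ("degraded", DEGRADED_STATS)):
        h = assess(parse_stats(text))
        print(f"{label}: servfail={h.servfail_ratio:.1%} alerts={h.alerts or 'none'}")
```

`stats_noreset` is used for the live check so that the counters keep accumulating between runs; a cron job comparing successive snapshots will notice the SERVFAIL share climbing well before users report that exit browsing has stalled.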

