[tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers

eric gisse jowr.pi at gmail.com
Fri Jan 9 00:20:42 UTC 2015


That was my bug report, thanks for the quick turnaround on that one :3

My problem was that my infrastructure, including that tor exit node,
is puppetized. But a problem with that resulted in dhcp blitzing
/etc/resolv.conf and I kept putting in google dns out of sheer muscle
memory and I simply forgot to put it back.

It is pretty easy. This is the relevant configuration snippet from my
puppet manifest:

  # setup internal DNS cache / resolver

  include bind
  bind::server::conf { '/etc/bind/named.conf':
        directory               => '/etc/bind',
        listen_on_addr          => [ 'any' ],
        listen_on_v6_addr       => [ 'any' ],
        forwarders              => [ '2001:4860:4860::8844',
                                     '2001:1608:10:25::1c04:b12f',
                                     '2600::1' ],
        allow_query             => [ 'any' ],
        statistics_file         => '/etc/bind/named.stats',
        recursion               => 'yes',
        extra_options           => {
                'forward'               => 'only',
                'auth-nxdomain'         => 'no',
        }
  }


+ some other symlinks to account for the fact this isn't a RHEL box
like the module implicitly assumes.

I even have DNSSEC query validation set up, as the forwarders seem to support it.

Now I have named caching again. For those who are unclear, it helps a
LOT. From rndc stats:

++ Cache Statistics ++
[View: default]
            53446329 cache hits
             5246190 cache misses
            15049168 cache hits (from query)
             3044495 cache misses (from query)


The exit node in question sits between 10 and 20mb/s continuously, and
goes through a crazy amount of traffic. Something like 50T last month.

I even threw on a squid proxy on regular http and that's caching
something like 5-10% of all requests and overall http bandwidth.

Where it gets interesting is now that I've moved all of my DNS traffic
into a native ipv6 stack (outside of v4 local queries), I can say that
all the udp traffic I get is not legitimate/requested.

Which is looking to be a lot of traffic.

I got dinged with a nice udp DDoS the other day, and now it's even
more clear about what traffic is bad on tcpdump.


On Thu, Jan 8, 2015 at 9:04 AM, Nick Mathewson <nickm at freehaven.net> wrote:
> Hi, all!
>
> While looking into a bug report, I noticed that an exit node was using
> one of Google's well-known public DNS servers for its own DNS server.
>
> No disrespect to the operators of Google's fine public DNS service,
> but my sense is that using it for a Tor exit node might not be the
> greatest idea for users' privacy, having one DNS provider that gets to
> see so many requests.  It's probably a better idea to have your own
> local cacheing DNS server.
>
> Would anybody like to share a guide about how to set one of those up
> safely and migrate correctly?
>
> best wishes,
> --
> Nick
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
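A small audit of the two things this thread turns on, written here as an added example (it is not from the post or from the bind Puppet module): it flags resolv.conf nameserver entries that point at Google Public DNS (the only third-party resolver named in the thread; the set is an assumption to extend as needed) and computes the cache hit ratio from the "++ Cache Statistics ++" section of rndc stats quoted above. The resolv.conf sample is constructed; the stats sample is the one from the post.

```python
import ipaddress
import re

# Well-known Google Public DNS addresses. Assumption: this is the only
# third-party resolver checked for; add others to taste.
PUBLIC_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844")
}


def resolv_conf_nameservers(text):
    # "nameserver <addr>" lines; '#' and ';' start comments in resolv.conf
    servers = []
    for line in text.splitlines():
        parts = re.split(r"[#;]", line, 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass  # ignore malformed entries
    return servers


def third_party_resolvers(text):
    # Nameservers that would send every exit lookup to one public provider
    return [str(a) for a in resolv_conf_nameservers(text) if a in PUBLIC_RESOLVERS]


def cache_hit_ratio(stats_text):
    # Resolver-level counters are the "N cache hits" / "N cache misses" lines
    # without the "(from query)" suffix; returns None if either is absent.
    counts = {k: int(v) for v, k in
              re.findall(r"^\s*(\d+) cache (hits|misses)\s*$", stats_text, re.M)}
    hits, misses = counts.get("hits"), counts.get("misses")
    if hits is None or misses is None or hits + misses == 0:
        return None
    return hits / (hits + misses)


# Constructed sample: dhcp has rewritten resolv.conf to point at 8.8.8.8
SAMPLE_RESOLV = "# constructed sample\nnameserver 8.8.8.8\nnameserver ::1\n"
SAMPLE_STATS = """++ Cache Statistics ++
[View: default]
            53446329 cache hits
             5246190 cache misses
            15049168 cache hits (from query)
             3044495 cache misses (from query)
"""

if __name__ == "__main__":
    print("third-party resolvers:", third_party_resolvers(SAMPLE_RESOLV))
    print("cache hit ratio: %.3f" % cache_hit_ratio(SAMPLE_STATS))
```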