[tor-relays] Local DNS on Exit logs failed user queries

teor teor2345 at gmail.com
Thu Aug 18 06:00:20 UTC 2016


> On 18 Aug 2016, at 15:46, Andrew Deason <adeason at dson.org> wrote:
> 
> On Wed, 17 Aug 2016 12:23:15 +1000
> teor <teor2345-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> 
>> Has anyone checked if the logs on other resolvers (like unbound) have
>> the same issue?
> 
> On my exit running unbound, I haven't seen any messages from unbound
> beyond the startup/shutdown messages for the past several weeks, but
> maybe I just haven't gotten the right errors. I didn't see anything in
> the code that looked like logging requested names, but I only took a
> quick glance. The default verbosity seems kinda low, but of course
> that's no guarantee.
> 
> What kind of resolution errors are you talking about? Plain NXDOMAIN
> failures, failing to reach nameservers, DNSSEC failed signatures, or
> anything else?

I'm not sure if NXDOMAIN was showing up in the BIND logs by default or not.
But the rest were, as were reducing packet sizes to 512 bytes (BIND's edns-disabled).

> Do you know of any domains handy that could be used to
> test the relevant failure cases? (e.g. a dns entry that points to an
> unreachable server, or results in an invalid DNSSEC response, etc.) That
> would make it easy for exit operators to test what happens and take out
> some guesswork.

I don't have a record of those domains any more, and I can't turn logging back on.
However, any domain which doesn't have name servers, or has broken DNSSEC, was being logged by default by BIND.

I was seeing a few domains logged every few minutes with BIND's default logging, on an exit running at 5 - 10 MBytes per second.
So if you're not seeing them in a day of log entries, you're probably safe.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
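
An added example, not part of the original message: a small Python audit that checks whether a resolver log holds names that exit users queried, covering the failure types discussed above (unreachable name servers, broken DNSSEC, EDNS size reduction to 512 bytes). The regular expressions are assumptions about BIND's message layout, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed message layouts for three BIND log categories; adjust the patterns
# to match the resolver and version actually deployed.
PATTERNS = {
    "lame-servers": re.compile(r"resolving '([^'/]+)/[A-Z0-9]+/[A-Z]+'"),
    "edns-disabled": re.compile(
        r"resolving '([^'/]+)/[A-Z0-9]+' .*EDNS UDP packet size to 512"),
    "dnssec": re.compile(r"validating ([^\s/]+)/[A-Z0-9]+: "),
}

# Constructed sample lines (not from any real exit), using reserved example
# domains and a documentation address.
SAMPLE_LOG = """\
18-Aug-2016 06:00:01.123 general: info: all zones loaded
18-Aug-2016 06:01:10.456 lame-servers: info: error (connection refused) resolving 'unreachable.example.net/A/IN': 192.0.2.53#53
18-Aug-2016 06:02:31.789 dnssec: info: validating broken.example.org/A: no valid signature found
18-Aug-2016 06:03:02.001 edns-disabled: info: success resolving 'small.example.com/AAAA' (in 'example.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
18-Aug-2016 06:04:00.000 general: info: running
"""

def leaked_names(lines):
    """Return {category: set of queried names} found in resolver log lines."""
    found = defaultdict(set)
    for line in lines:
        for category, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                # Normalise so the same name is not counted twice.
                found[category].add(m.group(1).rstrip(".").lower())
                break
    return dict(found)

def audit(lines):
    """Summarise the leak: lines scanned, categories seen, distinct names."""
    lines = list(lines)
    hits = leaked_names(lines)
    names = set().union(*hits.values()) if hits else set()
    return {"lines": len(lines), "categories": sorted(hits), "names": sorted(names)}

if __name__ == "__main__":
    import sys
    # With no argument, run over the constructed sample above.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    report = audit(source)
    print(f"{report['lines']} lines scanned, {len(report['names'])} queried names logged")
    for name in report["names"]:
        print("  ", name)
```

A non-empty list of names means the log file is recording what exit users looked up. In BIND, the categories involved can be routed to the `null` channel in the `logging` block.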





