[tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

Igor Mitrofanov igor.n.mitrofanov at gmail.com
Mon Aug 7 20:07:05 UTC 2017


The DNS issue is in the "long tail" - rare/unique websites are unlikely to be cached, yet they likely represent the most interesting targets.
I do agree that running dnsmasq (or a similar caching resolver) is probably sufficient to make DNS attacks too unreliable to invest in. I am not sure why this is not an officially-recommended privacy-enhancing practice.

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf Of eric gisse
Sent: Monday, August 7, 2017 12:56 PM
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators

...and what is dnscrypt supposed to do for a relay? where are the DNS queries themselves supposed to come out?

i'm yet to hear why a big caching nameserver is insufficient. i'm doing 30mb/s on an exit node. here's my rndc stats:

[View: internal]
            86635983 IPv6 queries sent
            76987085 IPv6 responses received
             4075735 NXDOMAIN received
             1085798 SERVFAIL received
               17517 EDNS(0) query failures
             5684046 truncated responses received
            16097299 query retries
             9670300 query timeouts
            69955769 DNSSEC validation attempted
            33207889 DNSSEC validation succeeded
            36673375 DNSSEC NX validation succeeded
               52281 DNSSEC validation failed
             6114026 queries with RTT < 10ms
            37261728 queries with RTT 10-100ms
            31296765 queries with RTT 100-500ms
             1128740 queries with RTT 500-800ms
             1159610 queries with RTT 800-1600ms
               26152 queries with RTT > 1600ms
                  86 active fetches
                  31 bucket size
                 279 REFUSED received
            53264941 COOKIE send with client cookie only
              340790 spilled due to server quota

first off, look at the RAW AMOUNT OF QUERIES. i last restarted the nameserver on July 28th for a maintenance reason. do you see the scale of busy i am talking about now?

[View: internal (Cache: internal)]
           820788430 cache hits
           102325730 cache misses
           151111224 cache hits (from query)
           232971711 cache misses (from query)
                   0 cache records deleted due to memory exhaustion
            57238152 cache records deleted due to TTL expiration

now, look at the cache rate. the hit rate is currently about 87%. i don't think my internal projects are even a rounding error on nearly a billion DNS queries in not even two weeks.

nearly 90% of a tor user's dns queries will never leave the exit node.

i strongly feel you guys are overcomplicating this. worrying about too many queries going to the same AS, dnscrypt, christ on a crutch.

if you are going to advocate for a more complex, failure prone, difficult to maintain solution then you need to articulate the benefits of it. the solutions i am seeing are.....silly, to put it mildly. there's standardized and robust tools people can use. use them.
On Mon, Aug 7, 2017 at 12:04 PM, Chuck McAndrew <chuck.mcandrew at leblibrary.com> wrote:
> I was wondering about how beneficial DNS Crypt or DNS Privacy would be 
> for relays. Is anyone using any kind of encryption for their DNS 
> queries on their relay?
>
> https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html#dns
> shows how to set up multiple dnscrypt proxies on openbsd for redundancy
> (with a local instance of unbound as well). Any benefit to doing
> something like this?
>
> Regards
> Chuck
>
> On 08/06/2017 10:47 PM, Philipp Winter wrote:
>> On Sun, Aug 06, 2017 at 04:03:53PM -0400, Dennis Emory Hannon wrote:
>>> Guide is meant for debian/linux users 
>>> http://backplanedns.org/TOR_exit_dns_resolver_howto.htm
>>
>> I think the solution to Google seeing so many DNS requests is more 
>> nuanced.  A single organisation seeing that many requests is certainly 
>> problematic, but so are random ASs on the Internet seeing the same 
>> requests -- which is what happens when you resolve a domain name on 
>> the exit relay.  We also want low query latency and integrity, which 
>> Google's resolver happens to be good at.
>>
>> While we can quantify all these properties, there is no easy way to 
>> compare them against each other.  Do you prefer an exit relay that 
>> uses Google or one that exposes your queries to numerous ASs, and is 
>> also more likely to be poisoned?
>>
>> On a more optimistic note, the DNS privacy project is doing some 
>> promising work that exit relays may benefit from:
>> <https://dnsprivacy.org>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
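The argument above rests on reading counters out of `rndc stats` output. The following is an added example (not code from the thread or from BIND) that parses that output format and derives the figures an exit operator would watch: cache hit rate, query timeout rate and DNSSEC validation failure rate. It assumes the BIND view is named `internal`, as in the output quoted above, and the sample input is a constructed subset of that output.

```python
import re

# Constructed sample: a subset of the rndc stats output quoted in the thread,
# keeping only the counters the metrics below need.
SAMPLE_STATS = """\
[View: internal]
            86635983 IPv6 queries sent
             9670300 query timeouts
            69955769 DNSSEC validation attempted
               52281 DNSSEC validation failed
[View: internal (Cache: internal)]
           820788430 cache hits
           102325730 cache misses
"""

SECTION = re.compile(r"^\[(.+)\]$")          # e.g. "[View: internal]"
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")  # "<count> <description>"

def parse_rndc_stats(text):
    """Return {section_name: {counter_description: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = SECTION.match(raw.strip())
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = COUNTER.match(raw)
        if m and current is not None:
            sections[current][m.group(2)] = int(m.group(1))
    return sections

def resolver_summary(text, view="internal"):
    """Derive the rates an exit operator cares about from rndc stats text."""
    stats = parse_rndc_stats(text)
    cache = stats[f"View: {view} (Cache: {view})"]
    res = stats[f"View: {view}"]
    hits, misses = cache["cache hits"], cache["cache misses"]
    return {
        # Share of lookups answered locally, i.e. never leaving the exit.
        "cache_hit_rate": hits / (hits + misses),
        # Upstream reliability: timeouts per query sent.
        "timeout_rate": res["query timeouts"] / res["IPv6 queries sent"],
        # Validation failures per validated answer; a rising value is worth
        # investigating (broken zones upstream or tampered responses).
        "dnssec_failure_rate": res["DNSSEC validation failed"]
                               / res["DNSSEC validation attempted"],
    }

if __name__ == "__main__":
    for k, v in resolver_summary(SAMPLE_STATS).items():
        print(f"{k}: {v:.4f}")
```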