[tor-relays] debugging unbound on 'torexit' failing DNS queries

Quintin tor-admin at portaltodark.world
Thu Jan 18 19:06:59 UTC 2018


No outbound filters, this is my config:

# filter table, iptables-save format; the OUTPUT chain is empty with an ACCEPT policy
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# management and relay ports (source for SSH elided as x.x.x.x in the original post)
-A INPUT -p tcp -m comment --comment "SSH" -s x.x.x.x -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m comment --comment "Tor" -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m comment --comment "Tor" -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

If I stop tor then "dig @127.0.0.1 google.com" works 100%. It seems like
the pattern is that when tor traffic builds up so do DNS failures. And then
my dig @127.0.0.1 only succeeds about 0.1% of the time. At this stage large
amounts of these errors start appearing:

> Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is 192.42.93.30 port 53
> Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation not permitted

Quintin


On Thu, Jan 18, 2018 at 12:42 PM nusenu <nusenu-lists at riseup.net> wrote:

> <tor-admin at portaltodark.world> wrote:
> > Resent under the correct alias.
> >
> > I'm having high amounts of failures on this VPS (PulseServers). I run a
> > local unbound instance, and see an incredible amount of:
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation
> > not permitted
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is
> > 198.97.190.53 port 53
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation
> > not permitted
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is
> > 192.42.93.30 port 53
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation
> > not permitted
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is
> > 192.35.51.30 port 53
> > Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation
> > not permitted
> >
> > To give proportion to "incredible amount",
> > Jan 17 19:21:32 torexit rsyslogd: imjournal: 9897 messages lost due to
> > rate-limiting
> > Jan 17 19:22:02 torexit journal: Suppressed 1216 messages from
> > /system.slice/unbound.service
> > Jan 17 19:22:32 torexit journal: Suppressed 1209 messages from
> > /system.slice/unbound.service
> > Jan 17 19:23:02 torexit journal: Suppressed 1827 messages from
> > /system.slice/unbound.service
> > Jan 17 19:23:32 torexit journal: Suppressed 2333 messages from
> > /system.slice/unbound.service
> > Jan 17 19:24:02 torexit journal: Suppressed 3029 messages from
> > /system.slice/unbound.service
> > Jan 17 19:24:32 torexit journal: Suppressed 2822 messages from
> > /system.slice/unbound.service
> > Jan 17 19:25:02 torexit journal: Suppressed 2715 messages from
> > /system.slice/unbound.service
> > Jan 17 19:25:32 torexit journal: Suppressed 3166 messages from
> > /system.slice/unbound.service
> > Jan 17 19:26:02 torexit journal: Suppressed 4093 messages from
> > /system.slice/unbound.service
> > Jan 17 19:26:32 torexit journal: Suppressed 45878 messages from
> > /system.slice/unbound.service
> > Jan 17 19:27:02 torexit journal: Suppressed 30125 messages from
> > /system.slice/unbound.service
> > Jan 17 19:27:32 torexit journal: Suppressed 31764 messages from
> > /system.slice/unbound.service
> > Jan 17 19:28:02 torexit journal: Suppressed 31229 messages from
> > /system.slice/unbound.service
> >
> > Could it be limits from the VPS provider on the amount of outbound udp/53
> > connections?
>
> To me this looks more like a local problem?
> Are you doing any packet filtering on the host (outbound)?
>
> Does DNS work on that host if you try manual queries?
>
> From the IPs in your logs I assume your unbound is configured to query
> recursively itself (no upstream forwarding) that is good, can you confirm
> that and provide your unbound config + iptables -vnL?
>
>
> --
> https://mastodon.social/@nusenu
> twitter: @nusenu_
>
>

-- 
0101100101000001010010000101011101000101010010000010000001000010
0100110001000101010100110101001100100000010110010100111101010101
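The "sendto failed: Operation not permitted" notices above can be narrowed down on the host before involving the provider. The script below is an added example, not code from this thread, from Tor or from Unbound; the file paths, the sample log lines and the sample iptables dump it uses are constructed for the demo. It relies on two Linux facts: a UDP sendto() returns EPERM when netfilter drops the locally generated packet, and a full conntrack table (loaded by the "-m state" rules in the posted ruleset, and filled quickly by an exit's flows) drops packets the same way a DROP/REJECT in the OUTPUT chain does. Both therefore produce exactly the unbound notice quoted in the thread, so the helpers check the OUTPUT chain and the conntrack counters, then count the failures per remote address in the unbound log.

```shell
#!/bin/sh
# Added diagnostic helper for the thread above; not code from the original
# posts.  On Linux, sendto() on a UDP socket returns EPERM ("Operation not
# permitted") when netfilter drops the locally generated packet.  The two
# usual reasons on a relay are a DROP/REJECT in the OUTPUT chain (only
# INPUT/FORWARD rules were posted) and a full conntrack table, which every
# '-m state' rule loads and which a busy exit fills.  File paths and sample
# data below are assumptions for the demo, not data from the OP's relay.

# 1. Lines of an 'iptables -S' dump (file $1) that can hand EPERM to a
#    local sender: a non-ACCEPT OUTPUT policy or an OUTPUT DROP/REJECT.
output_blockers() {
    awk '/^-P OUTPUT / && $3 != "ACCEPT" { print }
         /^-A OUTPUT / && /-j (DROP|REJECT)/ { print }' "$1"
}

# 2. Conntrack table usage as an integer percentage.  $1/$2 default to the
#    kernel counters; pass other files to run offline.  A table near 100%
#    is the "nf_conntrack: table full, dropping packet" condition.
conntrack_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    if [ ! -r "$count_file" ] || [ ! -r "$max_file" ]; then
        echo "conntrack counters not readable (module not loaded?)" >&2
        return 1
    fi
    echo $(( $(cat "$count_file") * 100 / $(cat "$max_file") ))
}

# 3. Number of failed sends in an unbound log (file $1).
eperm_total() {
    grep -c 'sendto failed: Operation not permitted' "$1" || true
}

# 4. Failed sends per remote address, most frequent first.  Unbound logs
#    "sendto failed: ..." and then "remote address is A.B.C.D port N" as
#    consecutive notices, so each failure is attributed to the address line
#    that follows it; an address line with no pending failure is ignored.
eperm_by_remote() {
    awk '/sendto failed: Operation not permitted/ { pending = 1; next }
         pending && /remote address is/ {
             for (i = 1; i <= NF; i++) if ($i == "is") addr = $(i + 1)
             hits[addr]++; pending = 0
         }
         END { for (a in hits) printf "%s %d\n", a, hits[a] }' "$1" |
        sort -k2,2nr -k1,1
}

# Constructed sample data (not real output from the relay in the thread).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/unbound.log" <<'EOF'
Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation not permitted
Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is 198.97.190.53 port 53
Jan 17 19:27:33 torexit unbound: [559:0] notice: sendto failed: Operation not permitted
Jan 17 19:27:33 torexit unbound: [559:0] notice: remote address is 192.42.93.30 port 53
Jan 17 19:27:34 torexit unbound: [559:0] notice: sendto failed: Operation not permitted
Jan 17 19:27:34 torexit unbound: [559:0] notice: remote address is 192.42.93.30 port 53
Jan 17 19:27:34 torexit unbound: [559:0] notice: remote address is 192.35.51.30 port 53
EOF
cat > "$SAMPLE_DIR/rules" <<'EOF'
-P INPUT ACCEPT
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
EOF
echo 63750 > "$SAMPLE_DIR/count"
echo 65536 > "$SAMPLE_DIR/max"

if [ "${1-}" = "--live" ]; then
    # Run against the real host (root needed for iptables and the counters).
    iptables -S > "$SAMPLE_DIR/live_rules"
    echo "OUTPUT rules that can return EPERM:"; output_blockers "$SAMPLE_DIR/live_rules"
    echo "conntrack usage: $(conntrack_pct)%"
    journalctl -u unbound --no-pager > "$SAMPLE_DIR/live.log"
    echo "EPERM sends: $(eperm_total "$SAMPLE_DIR/live.log")"; eperm_by_remote "$SAMPLE_DIR/live.log"
else
    echo "OUTPUT rules that can return EPERM:"; output_blockers "$SAMPLE_DIR/rules"
    echo "conntrack usage: $(conntrack_pct "$SAMPLE_DIR/count" "$SAMPLE_DIR/max")%"
    echo "EPERM sends: $(eperm_total "$SAMPLE_DIR/unbound.log")"; eperm_by_remote "$SAMPLE_DIR/unbound.log"
fi
```

Run it without arguments to see it work on the constructed sample, or as root with --live on the relay while Tor is under load. If the usage percentage sits near 100 only while Tor is running, raise net.netfilter.nf_conntrack_max (and look for "nf_conntrack: table full, dropping packet" in dmesg); if an OUTPUT rule shows up, that is the outbound filter the reply asked about. Because the sendto fails before the packet leaves the host, none of this would be visible to the VPS provider.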