[tor-relays] tor-relays Digest, Vol 88, Issue 13

flipchan flipchan at riseup.net
Fri May 11 14:06:58 UTC 2018


Great thread! I just use the recommended ones that support DNSSEC

On May 11, 2018 11:55:39 AM UTC, tor-relays-request at lists.torproject.org wrote:
>
>Today's Topics:
>
>   1. lets stop using central big DNS resolvers (Google, Level3,
>      OpenDNS, Quad9, Cloudflare) (nusenu)
>   2. Re: lets stop using central big DNS resolvers (Google,
>      Level3, OpenDNS, Quad9, Cloudflare) (Tyler Durden)
>   3. Re: lets stop using central big DNS resolvers (Google,
>      Level3, OpenDNS, Quad9, Cloudflare) (nusenu)
>   4. PSA regarding Quad9 DNS Resolver (Nathaniel Suchy (Lunorian))
>   5. Re: Strange BGP activity with my node (Johan Nilsson)
>   6. Re: lets stop using central big DNS resolvers (Google,
>      Level3, OpenDNS, Quad9, Cloudflare) (Nathaniel Suchy (Lunorian))
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 10 May 2018 22:16:00 +0000
>From: nusenu <nusenu-lists at riseup.net>
>To: tor-relays at lists.torproject.org
>Subject: [tor-relays] lets stop using central big DNS resolvers
>	(Google, Level3, OpenDNS, Quad9, Cloudflare)
>Message-ID: <5e7d99ef-9514-cee4-985f-7f1d4a21dfec at riseup.net>
>Content-Type: text/plain; charset="utf-8"
>
>Dear Exit Relay Operators,
>
>I'd like to invite you to check your exit's DNS resolver by 
>having a look at the following list of exits using resolvers
>outside their AS (especially if it is Google, OpenDNS, Quad9 or
>Cloudflare).
>
>You can search the list for your contactinfo, relay nickname or relay
>fingerprint (first 8 characters):
>
>https://gist.github.com/nusenu/cb766ff7945fafd9f90ee7f211a2508f#file-tor-dns-april-2018-txt
>
>
>I extended the "DNS on Exit Relays" section in the Tor Relay Guide
>to include specific instructions on what is recommended for Tor exit
>operators with regards to DNS on exit relays.
>
>https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#DNSonExitRelays
>
>If you found yourself on the list above and changed your DNS to a local
>(same host or same AS)
>resolver or found a false-positive, please drop me an email (off-list
>is also ok).
>
>
>The goal is to be below the following thresholds within one year:
>- not have any single remoteAS entity control more than 10% exit capacity
>- reduce the overall remoteAS share to below 20% exit capacity
>
>the longer version of this can be found at:
>https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca
>
>thanks for helping with DNS decentralization on the tor network,
>nusenu
>
>-- 
>https://mastodon.social/@nusenu
>twitter: @nusenu_
>
>------------------------------
>
>Message: 2
>Date: Thu, 10 May 2018 22:37:00 +0000
>From: Tyler Durden <virii at enn.lu>
>To: tor-relays at lists.torproject.org
>Subject: Re: [tor-relays] lets stop using central big DNS resolvers
>	(Google, Level3, OpenDNS, Quad9, Cloudflare)
>Message-ID: <a518aa08-871d-afaf-819f-6e4bee01fb20 at enn.lu>
>Content-Type: text/plain; charset=utf-8
>
>All our nodes are using a local DNS caching server and only use google
>as a fallback.
>The situation is very unlikely to change unless there is a major player
>on "our side" which offers a free, censorship-free, resilient and stable
>DNS Service.
>
>
>Greetings
>nusenu:
>> Dear Exit Relay Operators,
>> 
>> I'd like to invite you to check your exit's DNS resolver by 
>> having a look at the following list of exits using resolvers
>> outside their AS (especially if it is Google, OpenDNS, Quad9 or Cloudflare).
>> 
>> You can search the list for your contactinfo, relay nickname or relay
>> fingerprint (first 8 characters):
>> 
>> https://gist.github.com/nusenu/cb766ff7945fafd9f90ee7f211a2508f#file-tor-dns-april-2018-txt
>> 
>> 
>> I extended the "DNS on Exit Relays" section in the Tor Relay Guide
>> to include specific instructions on what is recommended for Tor exit
>> operators with regards to DNS on exit relays.
>> 
>> https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#DNSonExitRelays
>> 
>> If you found yourself on the list above and changed your DNS to a
>> local (same host or same AS)
>> resolver or found a false-positive, please drop me an email (off-list
>> is also ok).
>> 
>> 
>> The goal is to be below the following thresholds within one year:
>> - not have any single remoteAS entity control more than 10% exit capacity
>> - reduce the overall remoteAS share to below 20% exit capacity
>> 
>> the longer version of this can be found at:
>> https://medium.com/@nusenu/who-controls-tors-dns-traffic-a74a7632e8ca
>> 
>> thanks for helping with DNS decentralization on the tor network,
>> nusenu
>
>-- 
>Frënn vun der Ënn A.S.B.L. (NGO)
>e. virii at enn.lu (GPG: 0xce8c12f32a2cf11b)
>t. +352-27-40-20-30-4
>w. https://enn.lu/
>
>
>------------------------------
>
>Message: 3
>Date: Fri, 11 May 2018 08:15:00 +0000
>From: nusenu <nusenu-lists at riseup.net>
>To: tor-relays at lists.torproject.org
>Subject: Re: [tor-relays] lets stop using central big DNS resolvers
>	(Google, Level3, OpenDNS, Quad9, Cloudflare)
>Message-ID: <57c450a9-90f4-ac97-4eca-f414df642c0d at riseup.net>
>Content-Type: text/plain; charset="utf-8"
>
>
>
>Tyler Durden:
>> All our nodes are using a local DNS caching server and only use google
>> as a fallback.
>> The situation is very unlikely to change unless there is a major player
>> on "our side" which offers a free, censorship-free, resilient and stable
>> DNS Service.
>
>can you describe your (hard) resolver requirements so we can try 
>to find Google alternatives for you?
>
>thank you for running exits!
>nusenu
>
>-- 
>https://mastodon.social/@nusenu
>twitter: @nusenu_
>
>
>------------------------------
>
>Message: 4
>Date: Fri, 11 May 2018 07:41:45 -0400
>From: "Nathaniel Suchy (Lunorian)" <me at lunorian.is>
>To: tor-relays at lists.torproject.org
>Subject: [tor-relays] PSA regarding Quad9 DNS Resolver
>Message-ID: <762D1A57-26BE-4770-B7E4-F1646B91201B at lunorian.is>
>Content-Type: text/plain;	charset=utf-8
>
>Like OpenDNS, Quad9 is a censoring DNS resolver and exits using it are
>/ should be considered bad exits. I haven’t seen any exits using it yet
>however I thought I’d bring it up. Thoughts?
>
>Cheers,
>Nathaniel
>
>Sent from my iPhone
>
>
>------------------------------
>
>Message: 5
>Date: Fri, 11 May 2018 13:53:30 +0200
>From: Johan Nilsson <jn at 9999.se>
>To: tor-relays at lists.torproject.org
>Subject: Re: [tor-relays] Strange BGP activity with my node
>Message-ID: <20180511115330.s5h5quujvwlni64n at debian.local>
>Content-Type: text/plain; charset=us-ascii
>
>> Your prefix:          204.17.32.0/19
>> > Prefix Description:   GBLX-US-BGP
>> > Update time:          2018-05-09 12:11 (UTC)
>> > Detected by #peers:   1
>> > Detected prefix:      204.17.56.42/32
>> > Announced by:         AS200005 (Asavie Technologies Limited)
>> > Upstream AS:          AS200005 (Asavie Technologies Limited)
>> > ASpath:               200005
>> > 
>> I took a look through our BGP data and peering routers, and I didn't
>> see the /32 being announced.  I'm not saying it didn't happen, but
>> rather it may not have carried very far.  /32 prefix announcements
>> rarely propagate very far.  There are still a great many filters in
>> place that restrict announcements more specific than /24 (or /21, or
>> /19, or ...).
>>
>"#peers:   1" indicates only one of the peers with bgpmon.net saw it.
>
>> It may be the case that this /32 prefix is a null route that leaked
>> out, which we've seen happen somewhat frequently.  The most notorious
>> example was an attempted, and unwittingly leaked, null route in
>> Pakistan (/24s, IIRC) that impacted YouTube.
>> 
>> It appears Asavie does a bit of security and networking work, so
>> possibly this is attributable to that?
>> 
>DFRI saw the same notification for one exit address at the exact
>same time. We also got a second identical notification at 2018-05-09
>12:17 (UTC).
>
>Regards,
>Johan
>
>
>------------------------------
>
>Message: 6
>Date: Fri, 11 May 2018 07:55:31 -0400
>From: "Nathaniel Suchy (Lunorian)" <me at lunorian.is>
>To: tor-relays at lists.torproject.org
>Subject: Re: [tor-relays] lets stop using central big DNS resolvers
>	(Google, Level3, OpenDNS, Quad9, Cloudflare)
>Message-ID: <A79DAC1C-64AD-444C-851D-805350A5199B at lunorian.is>
>Content-Type: text/plain;	charset=utf-8
>
>I’m quite worried about the number of relays using Google DNS. With
>Google DNS, Google gets to know a Tor exit proxied X website at X time.
>I don’t think they can be trusted with this information. 
>
>As for privacy concerns: Google claims these logs are only stored for
>up to 48 hours. It worries me that the information could be demanded by
>the FISA Courts (Google would have to comply by law) and three letter
>agencies would get access to Tor users’ browsing habits. I know the
>same could happen with any DNS resolver although due to the size of
>Google Public DNS the logs are a goldmine.
>
>I have the same, if not worse concerns with Cloudflare’s Public DNS
>(1.1.1.1).
>
>Now I have the burden of providing an alternative, it’s only fair I do
>so after criticism of the use of Google DNS. My first thought is to use
>ISP DNS if it’s available - one of the best things about Tor is the
>split of trust so why aren’t we doing that with DNS? Another
>alternative is to use trusted recursive DNSCrypt Resolvers (for example
>dnscrypt.ca - there are plenty of resolvers like this so use a search
>engine of your choice to find them). I actually really like the idea of
>using DNSCrypt resolvers as opposed to commercial DNS provided by ISPs.
>Thoughts?
>
>As always,
>Thanks for running Tor Exits
>
>Sent from my iPhone
>
>> On May 11, 2018, at 4:15 AM, nusenu <nusenu-lists at riseup.net> wrote:
>> 
>> 
>> 
>> Tyler Durden:
>>> All our nodes are using a local DNS caching server and only use google
>>> as a fallback.
>>> The situation is very unlikely to change unless there is a major player
>>> on "our side" which offers a free, censorship-free, resilient and stable
>>> DNS Service.
>> 
>> can you describe your (hard) resolver requirements so we can try 
>> to find Google alternatives for you?
>> 
>> thank you for running exits!
>> nusenu
>> 
>> -- 
>> https://mastodon.social/@nusenu
>> twitter: @nusenu_
>> 
>> 
>
>
>
>------------------------------
>
>End of tor-relays Digest, Vol 88, Issue 13
>******************************************

-- 
Take Care Sincerely flipchan layerprox dev
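
Added example (not part of the thread or of any poster's message): a minimal way for an exit operator to see which nameservers a host is configured to use and whether any is one of the central resolvers named in the digest. The function name `classify_resolvers`, the verdict labels and the sample file are hypothetical; the resolver addresses are the providers' well-known public service addresses.

```python
import ipaddress

# Well-known public addresses of the central resolvers named in the thread.
CENTRAL_RESOLVERS = {
    "Google": {"8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"},
    "Cloudflare": {"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"},
    "Quad9": {"9.9.9.9", "149.112.112.112", "2620:fe::fe"},
    "OpenDNS": {"208.67.222.222", "208.67.220.220"},
    "Level3": {"4.2.2.1", "4.2.2.2", "4.2.2.3", "4.2.2.4", "4.2.2.5", "4.2.2.6"},
}
LOOKUP = {ipaddress.ip_address(a): name
          for name, addrs in CENTRAL_RESOLVERS.items() for a in addrs}

# Constructed sample: local cache first, public resolvers as fallback.
SAMPLE = """\
# constructed example of /etc/resolv.conf
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 2620:fe::fe
nameserver 10.0.0.53
options edns0
"""


def classify_resolvers(resolv_conf_text):
    """Return [(address, verdict)] for each nameserver line, in file order."""
    results = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        text = fields[1].split("%", 1)[0]  # drop an IPv6 zone id (fe80::1%eth0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            results.append((fields[1], "invalid"))
            continue
        if addr in LOOKUP:
            verdict = "central:" + LOOKUP[addr]
        elif addr.is_loopback:
            verdict = "same-host"
        elif addr.is_private or addr.is_link_local:
            verdict = "private-network"
        else:
            verdict = "check-AS"  # public address: compare its AS with the relay's AS
        results.append((str(addr), verdict))
    return results
```

A `same-host` verdict only shows where the stub resolver points; a local forwarder (for example one listening on 127.0.0.53) may still send every query to a central resolver, so its upstream configuration needs the same check.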