[tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)

Andrew Deason adeason at dson.org
Sat May 12 06:18:22 UTC 2018 

On Sat, 12 May 2018 04:50:29 +0000
Matthew Finkel <matthew.finkel at gmail.com> wrote:

> But isn't that what the subject line says? And the original email
> contains:
> 
> > The goal is to be bellow the following thresholds within one year:
> >   not have any single remoteAS entity control more than 10% exit capacity
> >   reduce the overall remoteAS share to bellow 20% exit capacity

The subject line I think does effectively say to not use them as
fallbacks, but indirectly. It requires some inferring by the relay
operator and so it's easy for an operator to arrive at a different
conclusion. The text you quoted immediately above (and the medium.com
post) I think is not clear about this at all; it talks about an entity
"controlling" dns traffic. If google's dns is set as a fallback, does
google "control" my exit's dns traffic? The answer to that seems
subjective to me; or if objective, then at least not obvious for the
casual operator.

The email and the guide page says to "not use" those dns services, but
it tends to frame the issue as an either-or decision. That is, you guys
are telling relay operators e.g. "if you have your resolv.conf set to
google's dns, you should instead point to localhost and set up unbound".
What if I just have google's dns as a fallback; does that count as
"using" it? IMO, the text doesn't (explicitly) say. You can argue that
the relay operator should infer that this does count, but if it was
explicitly spelled out, there is less room for error. (The list of
relays of course is one way of very explicitly spelling this out, by
identifying problematic relays. That's the only way I found out that I
was considered using google's dns.) It also would make it clear that
trying to make dns resolution more "robust" (by providing fallbacks) is
not considered by you to be worth the privacy implications of using
those resolvers.

An operator may think they're not "using" google's dns because they're
pointed at localhost first, and their local resolver is working, so they
shouldn't normally be using the fallback so it doesn't matter. Obviously
that's not true, otherwise such relays wouldn't be identified in that
list :) I imagine it's not _as_ bad as depending on google's dns first,
but maybe that is an insignificant difference.

I don't mean to make a big deal about this; I'm just trying to explain
some of what was going through my head when reading this stuff. "Fixing"
it can be very simple, like just adding a small phrase like "don't use
these, even as a fallback" or "don't mention anywhere in resolv.conf",
like you said.

-- 
Andrew Deason
adeason at dson.org

More information about the tor-relays mailing list