[tor-relays] General overload -> DNS timeouts
Anders Trier Olesen
anders.trier.olesen at gmail.com
Mon Nov 8 23:25:50 UTC 2021
Hi Ibex
There's some discussion about this issue on #tor-relays. First of all, I
actually don't think there's any problem with your Exit node. IMO 1.5% is
expected and the current threshold is just too low (or the timeout too low).
We're hosting some fairly high capacity exit nodes (around 100mbit/s each),
generating about 100 DNS queries/sec in total. We're also seeing around
1.5% failed DNS queries.
Here's what I think is going on:
For some queries (1.5%?), the authoritative DNS servers for the requested
domain are not responding. Recursive DNS resolvers are by default more
patient than the Tor software. Eventually the recursive resolver will
return a 'SERVFAIL' to Tor, but by then, Tor has already given up, and
counts it as a timeout.
One example of a domain that is currently (2021-11-08T23:40+01:00) failing
to resolve because of its authoritative DNS servers being down is mzfgbh.com.
Try running `dig +trace +additional mzfgbh.com` (for some reason, dig
ignores the 'additional' section of one of the answers. Essentially the
problem is that this query (and a few others) times out: `dig mzfgbh.com @
1.1.1.20`).
On a related note, when this metric was introduced, we were seeing around
5-6% failed queries. The recursive DNS resolver we were using was hosted on
the same IP as a guard node. Apparently many authoritative DNS servers
block traffic from all Tor relays!
The most extreme example of this I found, is that the authoritative DNS
servers for the entire .by ccTLD (Belarus) are blocking DNS requests from
guard and exit nodes. This resulted in all <domain>.by queries timing out!
By moving our recursive DNS resolver to an IP not used by any Tor relays,
the DNS timeouts fraction reported by Tor dropped from 5-6% to 1.5%.
The Tor relay guide should recommend running your recursive resolver
(unbound) on a different IP than your exit:
https://community.torproject.org/relay/setup/exit/
- Anders Trier Olesen
On Sat, Nov 6, 2021 at 5:53 PM Intrepid Ibex via tor-relays <
tor-relays at lists.torproject.org> wrote:
> Hi everybody,
>
> I am new to tor (as server operator) and try to support the network by
> operating an exit node.
>
> Machine is running Ubuntu 20.04 - Tor 0.4.6.8.
>
> nyx is giving me a notive every 10 minutes or so: [NOTICE] General
> overload -> DNS timeouts (6) fraction 1.4742% is above threshold of 1.0000%
>
> DNS on this machine however works perfectly. I told my tor browser to use
> my specific exit node, everything works fine.
>
> Node is running since 4 days now. Load is as expected.
>
> Thanks in advance for any help!
>
> Ibex
>
>
> --
> Sent using MsgSafe.io
> <https:/www.msgsafe.io/?utm_source=msgsafe&utm_medium=email&utm_campaign=freemailsignature>'s
> Free Plan
> Private, encrypted, online communication
> For everyone. www.msgsafe.io
> <https:/www.msgsafe.io/?utm_source=msgsafe&utm_medium=email&utm_campaign=freemailsignature>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20211109/7d80d185/attachment.htm>
More information about the tor-relays
mailing list