[tor-relays] Flooding of unbound via resolve attempts
Georg Koppen
gk at torproject.org
Thu Mar 10 08:33:07 UTC 2022
Hello!
As you might know we are doing regular (at the moment weekly) scans of
exit nodes to find and help with misconfigurations or errors that have
potentially serious effects for Tor network usability and performance.
The results we got so far after over a year of scanning are roughly
single digit numbers of exit relays per week having mostly DNS
configuration issues (unbound crashed etc.)
However, this week we suddenly found almost 80 exit relays with
malfunctioning DNS resolution[1] which was surprising. Additionally,
after some of the servers got fixed the issue returned. DrWhax (thanks!)
pointed us to a possible explanation twittered by the unredacted folks:
https://twitter.com/unredacted_org/status/1501458345219215363
It seems that someone (intentionally or not) is overwhelming unbound
leading to DNS resolution issues for those exit operators that do run
this local resolver, which we currently recommend.
We've opened a ticket[2] for further investigation, but I hope this
email raises some awareness so that exit operators can keep and eye on
the situation.
Feel free to add insights you have to the ticket. Additionally, I bet if
someone would share how they do monitoring for such a problem on their
exits then a lot of exit operators would be happily picking up that
setup and the Tor network would win. :)
Thanks,
Georg
[1] https://gitlab.torproject.org/tpo/network-health/team/-/issues/197
[2] https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/30
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20220310/d37302af/attachment.sig>
More information about the tor-relays
mailing list