[tor-relays] Tor non-exit list

tor at nullvoid.me tor at nullvoid.me
Thu Jun 20 00:00:18 UTC 2024


Hi Carsten,

While I appreciate your effort to make running (non-exit) relays more 
usable for regular internet usage, I myself face a similar issue. My 
relay is also my mail host. I sometimes cannot send or receive to 
certain organizations due to their firewall policies.

I do not think that asking to remove the complete non-exit list is 
valuable to the security of the global internet.

While it is correct that sysadmins should maybe not block traffic just 
because it's a relay, there are many use cases where they should: most 
corporate end users do not need access to the Tor network daily, and 
many ransomware or other malware C2 servers leverage .onion services. 
Blocking Tor across the network is a simple way to disarm the malware 
or prevent data loss to nefarious actors.

Secondly, running multiple services from your Tor relay is generally 
considered bad advice, if I understand correctly, especially for critical 
infrastructure such as mirrors of popular packages. Tor relays should be 
dedicated hosts with minimal attack surface; we know they are attacked, 
monitored, and generally attract extra attention. Because of this, other 
services you host on the same server are now at risk of extra 
surveillance or malicious attacks.

Just my two cents: I wish Dan's non-exit list did not exist either, but it 
has its purposes.

Regards, tor

Carsten Otto:
> Hi Dan,
> 
> For reference:
> https://www.dan.me.uk/dnsbl
> https://www.dan.me.uk/tornodes
> https://www.dan.me.uk/torlist/?full
> 
> First of all, thank you for your tools and other contributions. The mere
> fact that your DNS blocklists are used by countless vendors should be a
> compliment in itself, and I'd be happy to have that much impact with my
> own projects.
> 
> As you already state on your own site ("Please think carefully
> before choosing to use this list for blocking purposes"), your non-exit
> Tor relay list is a bit unusual. I'm running ftp.halifax.rwth-aachen.de,
> a major file mirror serving around 30 TByte of data at around 4 GBit/sec
> (on average). Recently, we added Tor relays on the same IP address, and
> your list correctly picked this up (137.226.34.46).
> 
> Now, I'm writing as this caused quite a lot of mayhem. Several
> "security" appliance vendors didn't "think carefully" before adding your
> non-exit list to their devices. Among those are Arbor Prevail, Check
> Point, Ubiquiti (UniFi) - feel free to search for
> 
>    "ET TOR Known Tor Relay/Router (Not Exit) Node"
> 
> to see the effect of this. In addition to private users making use of
> such devices, several banks/corporations/institutions started blocking
> our IP address, causing some frustration with us and their admins, as
> their Linux/Jenkins/... updates suddenly stopped working. As you might
> have guessed, changing "security" configurations (even if they may be
> wrong or questionable) is quite a challenge, and in some cases the
> (motivated) admins weren't able to fix this issue on their end.
> 
> As you seem to be well aware of what Tor is, what an exit relay does and
> what a non-exit relay does, would you be willing to retire the non-exit
> blocklist (at least the part that can be used for automated blocks)? I'd
> argue that the current setup does more harm than good (assuming you
> agree that Tor is a good thing in general). I'd be happy to discuss pros
> and cons, but ultimately that's your decision to make.
> 
> Thanks
> Carsten
> 
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
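The thread's technical point is that a blocklist built from every relay (the non-exit list) blocks hosts that never carry Tor users' traffic toward you, while only Exit-flagged relays do. As an added example that is not part of this thread or of Dan's tools, the following Python parses the "r"/"s" lines of a Tor network-status consensus (the IP is the third-from-last field of an "r" line in both the full and microdescriptor flavours) and builds a blocklist that keeps only relays carrying the Exit flag; the consensus text is constructed sample data with documentation addresses.

```python
"""Classify relay addresses from a Tor consensus so an automated blocklist
contains only Exit-flagged relays rather than every relay (added example).

Assumed input: the "r" and "s" lines of a Tor network-status consensus:
  r <nick> <identity> [<digest>] <date> <time> <ip> <orport> <dirport>
  s <flag> <flag> ...
Note: the Exit flag is assigned by the directory authorities and relays
with narrow exit policies may lack it; for exact answers consult the
relay's exit policy as well.
"""
from typing import Dict, List, Set

# Constructed sample consensus (documentation addresses, fake digests).
SAMPLE_CONSENSUS = """\
r mirrorrelay AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-06-19 00:00:00 192.0.2.10 9001 0
s Fast Guard Running Stable Valid
r exitone CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-06-19 00:00:00 198.51.100.7 443 0
s Exit Fast Running Stable Valid
r microflavour EEEEEEEEEEEEEEEEEEEEEEEEEEE 2024-06-19 00:00:00 203.0.113.5 9001 0
s Running Valid
"""


def parse_relay_flags(consensus: str) -> Dict[str, Set[str]]:
    """Map each relay's IP address to the set of flags on its "s" line."""
    flags: Dict[str, Set[str]] = {}
    current_ip = None
    for line in consensus.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            current_ip = parts[-3]          # ip sits before orport, dirport
            flags[current_ip] = set()
        elif parts[0] == "s" and current_ip is not None:
            flags[current_ip].update(parts[1:])
    return flags


def classify(ip: str, flags: Dict[str, Set[str]]) -> str:
    """Return 'exit', 'non-exit' or 'not-a-relay' for an address."""
    if ip not in flags:
        return "not-a-relay"
    return "exit" if "Exit" in flags[ip] else "non-exit"


def exit_only_blocklist(flags: Dict[str, Set[str]]) -> List[str]:
    """Addresses that actually originate Tor traffic toward other networks."""
    return sorted(ip for ip, f in flags.items() if "Exit" in f)
```

Feeding a fresh consensus (fetched from a directory authority or a mirror) through `exit_only_blocklist` instead of the full relay list keeps a co-hosted file mirror or mail server out of the block rule while still covering exits.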