[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #24010 [Core Tor/Torflow]: Make bandwidth authorities use DNS, not IP addresses
#24010: Make bandwidth authorities use DNS, not IP addresses
------------------------------+------------------------
Reporter: teor | Owner: aagbsn
Type: defect | Status: new
Priority: High | Milestone:
Component: Core Tor/Torflow | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: #21394 | Points: 1
Reviewer: | Sponsor:
------------------------------+------------------------
Comment (by micah):
This strikes me as adding a potentially fragile layer to an already
teetering edifice.
The domain name that I would have used for this was recently 'blocked' by
1/3rd of all of home cable users in Chile because they made a mistake in
attributing wannacry as coming from our exit node, or maybe even directory
authority. It took months to track this down, along with in-person
meetings with the ISP.
DNS is also frequently the easiest thing for overzealous countries to
block. If we depend on it for bandwidth scanning, I feel like we are
adding a layer to the system that enables the entire stack to easily fall
down when pushed at the top. Don't like tor running in your country? Just
block these domain names from resolving and it will cause all relays in
your country to get penalized by tor's bandwidth scanners so much that
they are useless. If we were to do this, then I would say that bandwidth
scanner web servers should be reached over different domain names, so that
if one is blocked, the other is not also impacted.
DNS can also be a bit funny, caching and inability to look up certain
information, but no problems with other information. Having a server
lookup one hostname every pass of the bandwidth scanner is likely just
going to result in testing that the DNS can resolve once properly, and
then cache that result for an unpredictable amount of time (depending on
the DNS SOA record for the domain in question, the local resolver settings
and the leaf resovlers up).
I get the point of doing this, but I am not convinced that this should be
the role of bandwidth scanners. Bandwidth scanners should be simply
testing the speed of the network, and nothing else. Its already overly
complicated, even for that one task. I think DNS reachability tests are
important, and the problem does need to be fixed, but I wonder if this
should be done some other way. Perhaps in the client itself? I am unsure.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24010#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs