[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
From: eric gisse <jowr.pi@xxxxxxxxx>
Date: Thu, 8 Jan 2015 18:20:42 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 08 Jan 2015 19:20:57 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=V2sVmMCAUuG8/Mo0X4NXmozts7QiIqRWPmyscuOnmtI=; b=M9vTpxOpM81joavTeNpdjw1n3rcAOzGKhMpO5jZQyMNOFPKNEdUgMM0rRcS4BflTWM Rrn8xaISIEQ89NJYWwgbO6SHosomq5lKC9zW/G5s+N1h1QPWrFvRBdETvW30wdVXTNMD TD7Ms7Q2iFMeWHTWRv0C4BU0S0DTnnkfbsyvMsXxk+fOB3wsJt35H9sRFrKd7pIX4Xu1 0mcAi892O6uhR0QSnempdKzvMFzXCIH0XgF9x/arlyGW24WT7kT59I9LLYCp4p3MdKo+ YGgb5Y4l21VyLH3qiVyX8i06+x72b0kqHWNTIF1GB8M1YiQUvoB6dc0rLxpxOVHK8mad 6Ljg==
In-reply-to: <CAKDKvuwe8_nZkPH-RhaRjxapfvgDVThiSxteZ+SoC9Lx+WCQ5g@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuwe8_nZkPH-RhaRjxapfvgDVThiSxteZ+SoC9Lx+WCQ5g@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

That was my bug report, thanks for the quick turnaround on that one :3

My problem was that my infrastructure, including that tor exit node,
is puppetized. But a problem with that resulted in dhcp  blitzing
/etc/resolv.conf and I kept putting in google dns out of sheer muscle
memory and I simply forgot to put it back.

It is pretty easy. This is the relevant configuration snippet from my
puppet manifest:

  # setup internal DNS cache / resolver

  include bind
  bind::server::conf { '/etc/bind/named.conf':
        directory               => '/etc/bind',
        listen_on_addr          => [ 'any' ],
        listen_on_v6_addr       => [ 'any' ],
        forwarders              => [ '2001:4860:4860::8844',
'2001:1608:10:25::1c04:b12f', '2600::1' ],
        allow_query             => [ 'any' ],
        statistics_file         => '/etc/bind/named.stats',
        recursion               => 'yes',
        extra_options           => {
                'forward'               => 'only',
                'auth-nxdomain'         => 'no',
        }
  }

+ some other symlinks to account for the fact this isn't a RHEL box
like the module implicitly assumes.

I even have DNSSEC query validation setup, as the forwarders seem to support it.

Now I have named caching again. For those who are unclear, it helps a
LOT. From rndc stats:

++ Cache Statistics ++
[View: default]
            53446329 cache hits
             5246190 cache misses
            15049168 cache hits (from query)
             3044495 cache misses (from query)

The exit node in question sits between 10 and 20mb/s continuously, and
goes through a crazy amount of traffic. Something like 50T last month.

I even threw on a squid proxy on regular http and that's caching
something like 5-10% of all requests and overall http bandwidth.

Where it gets interesting is now that I've moved all of my DNS traffic
into a native ipv6 stack (outside of v4 local queries), I can say that
all the udp traffic I get is not legitimate/requested.

Which is looking to be a lot of traffic.

I got dinged with a nice udp DDoS the other day, and now its' even
more clear about what traffic is bad on tcpdump.

On Thu, Jan 8, 2015 at 9:04 AM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> Hi, all!
>
> While looking into a bug report, I noticed that an exit node was using
> one of Google's well-known public DNS servers for its own DNS server.
>
> No disrespect to the operators of Google's fine public DNS service,
> but my sense is that using it for a Tor exit node might not be the
> greatest idea for users' privacy, having one DNS provider that gets to
> see so many requests.  It's probably a better idea to have your own
> local cacheing DNS server.
>
> Would anybody like to share a guide about how to set one of those up
> safely and migrate correctly?
>
> best wishes,
> --
> Nick
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
  - From: Andreas Krey
- Re: [tor-relays] Reminder: don't run transparent proxies at exits
  - From: Nusenu

References:
- [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
  - From: Nick Mathewson

Prev by Author: Re: [tor-relays] weather torproject buggy?
Next by Author: Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
Previous by thread: Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
Next by thread: Re: [tor-relays] Reminder: exit nodes probably shouldn't be using Google's DNS servers
Index(es):
- Author
- Thread