[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
From: Quintin <tor-admin@portaltodark.world>
Date: Sat, 20 Jan 2018 20:00:18 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 20 Jan 2018 15:00:52 -0500
In-reply-to: <6eea237a-07f5-f855-10c5-02f5faaee716@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <6b6c355f-dffb-26eb-5135-814d4a7e3d6e@riseup.net> <CACKQKwOVxc8np+d_CasiRGiRVAcsi2+FP=Yx6BVfOUVaVhSi0g@mail.gmail.com> <8a7ad7ad-cc65-23bf-edce-147306f72c81@riseup.net> <CACKQKwOCfLYpjwQoQ4GgCnoujw4LV4kKeH2gW7Xuj1mitaUxiA@mail.gmail.com> <26092435-5a5e-14df-3b6c-98290b6f280b@riseup.net> <CACKQKwNYi4sFHb=_6qTMDSntSRCm8JGt-kAtHPdgxMeDxbRGqA@mail.gmail.com> <6e3414ab-12ef-20ba-9a79-2579a5285436@riseup.net> <CACKQKwNOeoUgR7DmVmgRgA6hwQu-NP0RQQ2cA2+1sh8NeTaCJg@mail.gmail.com> <6eea237a-07f5-f855-10c5-02f5faaee716@riseup.net>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Ah, thats it. My conntrack entries are full and temporarily increasing it resolves the problem.

What would be a reasonable conntrack limit for a tor exit?

On Thu, Jan 18, 2018 at 10:45 PM nusenu <nusenu-lists@xxxxxxxxxx> wrote:

Quintin:
>> Do you reach your server's conntrack limit?
>
> The word conntrack never appears in my logs, so I don't think it's that.
> The ISP also requires this from tor exits: net.netfilter.nf_conntrack_max =
> 10000

How many conntrack entries do you actually have when you get
sendto failed: Operation not permitted
log entries?

sysctl net.netfilter.nf_conntrack_count
or
cat /proc/sys/net/netfilter/nf_conntrack_count

Regardless of whether this is the root-cause or not,
nf_conntrack_max = 10k is probably to low for an exit relay.

If nf_conntrack_count is near nf_conntrack_max, does the problem
go away when you temporarily increase nf_conntrack_max?

--
https://mastodon.social/@nusenu
twitter: @nusenu_

0101100101000001010010000101011101000101010010000010000001000010

0100110001000101010100110101001100100000010110010100111101010101

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries (solved)
  - From: nusenu

References:
- Re: [tor-relays] Assigning BadExit to Exits failing to resolve hostnames starting on 2018-01-15
  - From: nusenu
- [tor-relays] debugging unbound on 'torexit' failing DNS queries
  - From: nusenu
- Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
  - From: Quintin
- Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
  - From: nusenu
- Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
  - From: Quintin
- Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
  - From: nusenu

Prev by Author: Re: [tor-relays] tor on arm vps
Next by Author: [tor-relays] tor on arm vps
Previous by thread: Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries
Next by thread: Re: [tor-relays] debugging unbound on 'torexit' failing DNS queries (solved)
Index(es):
- Author
- Thread