That was my bug report, thanks for the quick turnaround on that one :3
My problem was that my infrastructure, including that tor exit node, is puppetized. But a problem with that resulted in dhcp blitzing /etc/resolv.conf and I kept putting in google dns out of sheer muscle memory and I simply forgot to put it back.
It is pretty easy. This is the relevant configuration snippet from my puppet manifest:
# setup internal DNS cache / resolver
include bind
bind::server::conf { '/etc/bind/named.conf':
  directory         => '/etc/bind',
  listen_on_addr    => [ 'any' ],
  listen_on_v6_addr => [ 'any' ],
  forwarders        => [ '2001:4860:4860::8844', '2001:1608:10:25::1c04:b12f', '2600::1' ],
  allow_query       => [ 'any' ],
  statistics_file   => '/etc/bind/named.stats',
  recursion         => 'yes',
  extra_options     => {
    'forward'       => 'only',
    'auth-nxdomain' => 'no',
  },
}
+ some other symlinks to account for the fact this isn't a RHEL box like the module implicitly assumes.
I even have DNSSEC query validation set up, as the forwarders seem to support it.
Now I have named caching again. For those who are unclear, it helps a LOT. From rndc stats:
++ Cache Statistics ++
[View: default]
            53446329 cache hits
             5246190 cache misses
            15049168 cache hits (from query)
             3044495 cache misses (from query)
The exit node in question sits between 10 and 20mb/s continuously, and goes through a crazy amount of traffic. Something like 50T last month.
I even threw on a squid proxy on regular http and that's caching something like 5-10% of all requests and overall http bandwidth.
Where it gets interesting is now that I've moved all of my DNS traffic into a native ipv6 stack (outside of v4 local queries), I can say that all the udp traffic I get is not legitimate/requested.
Which is looking to be a lot of traffic.
I got dinged with a nice udp DDoS the other day, and now it's even more clear about what traffic is bad on tcpdump.
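Two checks for the failure mode and the payoff described above, added here as an example and not code from the thread: one lists any nameserver in resolv.conf that is not loopback (which is exactly what a DHCP rewrite to a public resolver looks like), the other turns the rndc stats counters into cache hit ratios. The stats sample reuses the numbers quoted above; the two resolv.conf samples are constructed, and the `/etc/resolv.conf` path is only the usual default.

```python
"""Sanity checks for a local caching resolver in front of a Tor exit."""
import ipaddress
import re

# Constructed sample: the rndc stats excerpt quoted above, with the line
# breaks rndc itself prints, followed by the next section header.
SAMPLE_STATS = """\
++ Cache Statistics ++
[View: default]
            53446329 cache hits
             5246190 cache misses
            15049168 cache hits (from query)
             3044495 cache misses (from query)
++ Cache DB RRsets ++
"""

# Constructed sample: a resolv.conf that a DHCP client rewrote to point at
# public resolvers instead of the local named instance.
SAMPLE_RESOLV_CONF_BAD = """\
# Generated by dhclient
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

# Constructed sample: what it should look like with named listening locally.
SAMPLE_RESOLV_CONF_GOOD = "nameserver 127.0.0.1\nnameserver ::1\n"


def parse_cache_stats(text):
    """Return the Cache Statistics counters plus hit ratios (0.0 to 1.0)."""
    section = text.split("++ Cache Statistics ++", 1)[1]
    section = section.split("++", 1)[0]  # stop at the next section header
    counters = {}
    # Each counter line is "<count> <description>"; the [View: ...] line
    # does not start with a number and is skipped.
    for m in re.finditer(r"^\s*(\d+)\s+(.+?)\s*$", section, re.M):
        counters[m.group(2)] = int(m.group(1))
    hits, misses = counters["cache hits"], counters["cache misses"]
    qhits = counters["cache hits (from query)"]
    qmisses = counters["cache misses (from query)"]
    return {
        "hit_ratio": hits / (hits + misses),
        "query_hit_ratio": qhits / (qhits + qmisses),
        **counters,
    }


def nonlocal_nameservers(resolv_conf):
    """Return nameserver entries that are not loopback addresses.

    Anything in this list means queries bypass the local cache and go to a
    third party directly; an empty list is the expected state.
    """
    offenders = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            if not ipaddress.ip_address(parts[1]).is_loopback:
                offenders.append(parts[1])
        except ValueError:
            offenders.append(parts[1])  # unparsable entry, flag it too
    return offenders


def check_resolv_conf(path="/etc/resolv.conf"):
    """Read the live file (path is an assumed default) and run the check."""
    with open(path) as fh:
        return nonlocal_nameservers(fh.read())


if __name__ == "__main__":
    stats = parse_cache_stats(SAMPLE_STATS)
    print("cache hit ratio: %.1f%%" % (100 * stats["hit_ratio"]))
    print("query hit ratio: %.1f%%" % (100 * stats["query_hit_ratio"]))
    print("non-local nameservers (bad sample):",
          nonlocal_nameservers(SAMPLE_RESOLV_CONF_BAD))
    print("non-local nameservers (good sample):",
          nonlocal_nameservers(SAMPLE_RESOLV_CONF_GOOD))
```

Run as a cron job or Puppet exec, `check_resolv_conf()` returning a non-empty list is the condition worth alerting on; the ratio parser shows why the cache matters, about 91% of all lookups and 83% of client-originated ones never left the box in the quoted counters.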
On Thu, Jan 8, 2015 at 9:04 AM, Nick Mathewson nickm@freehaven.net wrote:
Hi, all!
While looking into a bug report, I noticed that an exit node was using one of Google's well-known public DNS servers for its own DNS server.
No disrespect to the operators of Google's fine public DNS service, but my sense is that using it for a Tor exit node might not be the greatest idea for users' privacy, having one DNS provider that gets to see so many requests. It's probably a better idea to have your own local caching DNS server.
Would anybody like to share a guide about how to set one of those up safely and migrate correctly?
best wishes,
Nick

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays