I created a new diagram that illustrates the popularity of DNS resolvers used by exit relays. The diagram shows nine autonomous systems that hosted the most popular resolvers at some point over the last months. These autonomous systems are owned by Google, INIT7, LeaseWeb, Visual Online, OVH, OpenDNS, NForce Entertainment, Cyberdyne, and Level3. The x axis shows time and the y axis shows the fraction of DNS requests that the respective AS can observe: https://nymity.ch/dns-traffic-correlation/img/exit-resolvers-2015-05.png
The two most popular setups are Google's 8.8.8.8 and local resolvers, i.e., exit relays doing their own resolution. Occasionally, Google got to see more than 40% of all DNS requests exiting the Tor network. That is concerning, particularly given Google's role in the PRISM program. No other autonomous system is getting even close.
Please refrain from using 8.8.8.8. Instead, set up your own resolver, or at least use the one provided by your ISP. Here's Peter's quick guide on how to set up your own resolvers [1]:
On Thu, Jan 08, 2015 at 04:11:09PM +0100, Peter Palfrader wrote:
o apt-get install unbound
o remove all nameserver entries in /etc/resolv.conf and add one for the local recursor. Either manually or use (untested):
  sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' /etc/resolv.conf
o prevent anything else from modifying that file ever again:
  chattr +i /etc/resolv.conf
Note that running your own resolver is not universally safer because the exposure of DNS requests to network adversaries is greater. It's a tricky trade-off that we are currently trying to understand better [2], but increased exposure to network-level adversaries seems less bad than having Google see almost half of all DNS requests.
If you are wondering how I created the above diagram, have a look at the measurement method [3].
[1] https://lists.torproject.org/pipermail/tor-relays/2015-January/006147.html
[2] https://nymity.ch/dns-traffic-correlation/
[3] https://lists.torproject.org/pipermail/metrics-team/2016-February/000078.html
Cheers, Philipp
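An added example (not from the thread or its authors) that audits a resolv.conf the way this advice suggests: it classifies each nameserver, flags Google's public resolvers, and applies Peter's sed line to a constructed sample file. The sample file contents and the function names are my own; the sed command is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit a resolv.conf for the resolvers this
# message warns about, then apply Peter's sed fix to a constructed sample file.

# Classify one nameserver address as local, google, opendns or other.
classify_nameserver() {
    case "$1" in
        127.*|::1)                                  echo local ;;
        8.8.8.8|8.8.4.4)                            echo google ;;
        2001:4860:4860::8888|2001:4860:4860::8844)  echo google ;;
        208.67.222.222|208.67.220.220)              echo opendns ;;
        *)                                          echo other ;;
    esac
}

# Print "<class> <address>" per active nameserver line; entries commented out
# with '#' (as the sed command below does) are skipped.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        echo "$(classify_nameserver "$ns") $ns"
    done
}

# Succeed when at least one nameserver is a third-party public resolver.
uses_public_resolver() {
    list_nameservers "$1" | grep -Eq '^(google|opendns) '
}

# Succeed when there is at least one nameserver and all are loopback,
# i.e. the relay resolves through a local recursor.
resolves_locally() {
    list_nameservers "$1" |
        awk '$1 == "local" { lo++ } { n++ } END { exit ((n > 0 && lo == n) ? 0 : 1) }'
}

# Constructed sample of a VPS default that points at Google.
write_sample_resolv_conf() {
    printf '# constructed VPS default\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n' > "$1"
}

# Peter's (GNU) sed line from the thread, with the file path as a parameter.
point_at_local_recursor() {
    sed -i -e 's/^nameserver /#&/; $a nameserver 127.0.0.1' "$1"
}

tmp=$(mktemp); write_sample_resolv_conf "$tmp"
echo "before:"; list_nameservers "$tmp"
point_at_local_recursor "$tmp"
echo "after:"; list_nameservers "$tmp"; rm -f "$tmp"
```

Run it against the real file with `list_nameservers /etc/resolv.conf` to see what a relay currently uses; note that the sed line needs GNU sed.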
On 05/15/2016 08:37 PM, Philipp Winter wrote:
. Instead, set up your own resolver, or at least use the one provided by your ISP.
Just to double ensure, using a local dnsmasq is one of the possible solutions, right ?
-- Toralf, PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
On Sun, May 15, 2016 at 09:04:53PM +0200, Toralf Förster wrote:
On 05/15/2016 08:37 PM, Philipp Winter wrote:
. Instead, set up your own resolver, or at least use the one provided by your ISP.
Just to double ensure, using a local dnsmasq is one of the possible solutions, right ?
Dnsmasq is just a DNS forwarder, no? If so, it depends on where it forwards DNS requests to. It might just forward all its requests to Google.
Cheers, Philipp
On 05/16/2016 03:40 PM, Philipp Winter wrote:
Dnsmasq is just a DNS forwarder, no?
Well, it has a cache too (but limited to 5000 entries, as I learnt yesterday). It uses the resolver defined in /etc/resolv.conf, which points to my ISP's DNS only. But yes, even with 5,000 lines in the cache I do have:
queries forwarded 143488, queries answered locally 29384
So at a fast exit relay it effectively acts as a forwarder rather than as a resolver.
-- Toralf, PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
Hey,
The Unbound package can be nice? I'm using it on the LAN... My Unbound setup is using the root.hints, so I think it's always and only speaking with those root DNS servers... But I've read in some tutorials that ISPs and other "men-in-the-middle" can intercept DNS queries and answer to your server... so this solution can't be 100% secure, like any DNS solution. Here, Unbound is set up to speak only with root DNS servers:
apt-get install unbound
cd /etc/unbound
- download the root.hints file:
  wget ftp://ftp.internic.net/domain/named.cache -O /etc/unbound/root.hints
- generate TLS keys (dnssec):
  unbound-control-setup
- change owner + rights:
  chown unbound:root unbound_*
  chmod 440 unbound_*
- add the line to use the root.hints file:
  nano /etc/unbound/unbound.conf
  root-hints: "/etc/unbound/root.hints"
- if you want to check your config file:
  unbound-checkconf /etc/unbound/unbound.conf
- verify in the /etc/resolv.conf file (already said, but always check another time!):
  nameserver 127.0.0.1
I hope this helps, and is my configuration OK?! And I don't know if Unbound is ready for an exit node (performance)? I'm only using it on a small LAN without any issues.
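An added example (not from the thread or from Petrusko's setup) that complements the steps above: a shell function emitting a minimal unbound.conf that recurses from the root.hints file downloaded above and validates DNSSEC, plus a check that spots a dnsmasq or unbound config merely forwarding to Google (Philipp's dnsmasq concern earlier in the thread). The trust-anchor path /var/lib/unbound/root.key, the cache sizes and the sample dnsmasq.conf are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a validating, recursing unbound.conf for an
# exit relay, and a check for configs that just forward to Google's resolvers.
# Assumed path: /var/lib/unbound/root.key (unbound's auto-managed trust anchor).

validating_unbound_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # recurse from the root rather than forwarding to a third party
    root-hints: "/etc/unbound/root.hints"
    # validate DNSSEC; unbound keeps this anchor file updated itself (RFC 5011)
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    # a busy exit benefits from larger caches and prefetching of expiring entries
    msg-cache-size: 64m
    rrset-cache-size: 128m
    prefetch: yes
EOF
}

# Print the upstream addresses a dnsmasq (server=) or unbound (forward-addr:)
# config hands queries to; no output means the daemon recurses on its own.
list_upstreams() {
    awk '/^[[:space:]]*server=/       { sub(/^[[:space:]]*server=/, ""); print; next }
         /^[[:space:]]*forward-addr:/ { print $2 }' "$1"
}

count_upstreams() {
    list_upstreams "$1" | awk 'END { print NR }'
}

# Succeed if any upstream (optionally with dnsmasq's #port suffix) is Google's.
forwards_to_google() {
    list_upstreams "$1" |
        grep -Eq '^(8\.8\.8\.8|8\.8\.4\.4|2001:4860:4860::88(88|44))(#[0-9]+)?$'
}

# Constructed sample: a dnsmasq cache of 5000 entries forwarding to Google.
write_sample_dnsmasq_conf() {
    printf 'cache-size=5000\nserver=8.8.8.8\nserver=8.8.4.4#53\n' > "$1"
}

d=$(mktemp); write_sample_dnsmasq_conf "$d"
forwards_to_google "$d" && echo "sample dnsmasq.conf forwards to Google"
rm -f "$d"
```

After writing the config, run `unbound-checkconf` as in the steps above; the emitted file contains no forward-zone, so nothing leaves the relay except recursion from the roots.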
On 05/16/2016 05:11 PM, Petrusko wrote:
But I've read in some tutorials that ISPs and other "men-in-the-middle" can intercept DNS queries and answer to your server... so this solution can't be 100% secure, like any DNS solution.
Not if you're using DNSSEC, but querying DNS root servers is slow. https://www.dnscrypt.org/ can also be useful for preventing interception.
Nice software. But you have to trust the public/open DNSCrypt resolvers? Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with the DNS root servers, or another DNS resolver you trust? Hmm, the cat chasing its tail.
On 17/05/2016 01:51, Jesse V wrote:
On Tue, 17 May 2016 10:20:24 +0200 Petrusko petrusko@riseup.net wrote:
Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with the DNS root servers, or another DNS resolver you trust?
That's easy enough to do. You can set up BIND, DJBDNS, MaraDNS, or what have you as a resolver, make sure that its notion of the root DNSes is up to date (easy enough to do with a shell script), and set your /etc/resolv.conf file to point to 127.0.0.1.
-- The Doctor [412/724/301/703/415] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/
IHOP: The world's largest, most popular goth club.
On Tue, 17 May 2016 10:20:24 +0200 Petrusko petrusko@riseup.net wrote:
Or maybe it's possible to build your own resolver, but it has to resolve DNS queries with the DNS root servers, or another DNS resolver you trust?
A suggestion from my side would be to use the roots of ORSN (https://www.orsn.org/en/) instead of the "official" ones. I personally have had good experiences with them since 2013.
Best regards! F
phw released some scan data.
If you run an exit and find your relay fingerprint next to a Google AS name on the list linked below you might want to change your DNS server settings.
Note this list is based on data from May 2016 (so it does not necessarily represent the current situation).
https://gist.githubusercontent.com/nusenu/3b346031a88fb24d0e8b662f3e13697e/r...
On 07/28/2016 07:50 PM, nusenu wrote:
If you run an exit and find your relay fingerprint next to a Google AS
If only a subset of the whole list is meant, it would be helpful to provide an appropriate subset of that file for the purpose of this email (topic), IMO.
-- Toralf, PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
I really wish VPS services wouldn't use Google DNS by default. If not for this e-mail, I would have been on Google's DNS for a while before I found out.
Maybe the Tor devs could add a warning if an exit is using Google DNS? Would that be acceptable?
On Thu, Jul 28, 2016 at 12:59 PM, Toralf Förster toralf.foerster@gmx.de wrote:
On Thu, Jul 28, 2016 at 2:34 PM, Tristan supersluether@gmail.com wrote:
I really wish VPS services wouldn't use Google DNS by default. If not for this e-mail, I would have been on Google's DNS for a while before I found out.
I actually haven't seen that before, what VPS provider do you use?
-ITG (ITechGeek) | ITG@ITechGeek.Com https://itg.nu/ https://keybase.io/itechgeek | https://itg.nu/ Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook: http://fb.me/Jbwa.Net
Right now I'm using Digital Ocean, but my previous providers, Hostwinds and Pulse (OVH), also have Google DNS as the default.
On Thu, Jul 28, 2016 at 1:50 PM, ITechGeek ITG@itechgeek.com wrote:
On July 28, 2016 2:50:40 PM EDT, ITechGeek ITG@itechgeek.com wrote:
On Thu, Jul 28, 2016 at 2:34 PM, Tristan supersluether@gmail.com wrote:
I really wish VPS services wouldn't use Google DNS by default. If not for this e-mail, I would have been on Google's DNS for a while before I found out.
I actually haven't seen that before, what VPS provider do you use?
Many, many of the super-cheap low end VPS providers (e.g. lowendbox.com) just use Google DNS. Most of these providers are very tor-intolerant, however, and will terminate your server at the first abuse notice.
--Sean
Pulse (OVH) is already over-used in the Tor network, and very tolerant. Hostwinds seemed to be fine with it as long as I responded to abuse reports quickly. I haven't gotten any abuse reports on DigitalOcean yet, but they are very clear that YOU are responsible for any and all abuse. Not sure how far they'll go before they terminate you.
On Fri, Jul 29, 2016 at 11:04 AM, Sean Greenslade sean@seangreenslade.com wrote: