My VPS hoster has configured DNS as follows:
$ cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
I believe these are Google's DNS servers. Unfortunately, they are somehow unreliable (possibly rate-limited by Google). My tor logs are filled with:
Sep 07 16:37:24.000 [warn] eventdns: All nameservers have failed
Sep 07 16:37:25.000 [notice] eventdns: Nameserver 8.8.8.8:53 is back up
Sep 07 16:37:35.000 [warn] eventdns: All nameservers have failed
Sep 07 16:37:35.000 [notice] eventdns: Nameserver 8.8.4.4:53 is back up
Are there other free, open DNS services that might be more reliable/less rate-limited?
Does Tor use the system DNS configuration? In other words, if I ran a local Bind daemon, would my tor exit use it? Is that bad for the safety of the tor user, as the Bind daemon effectively becomes an audit log of all domains visited by tor users?
// Yoriz
Take a look at the www.opennicproject.org
Yoriz tor@privshield.com schrieb:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- We don't bubble you, we don't spoof you ;) Keep your data encrypted! Log you soon, your Admin elrippo@elrippoisland.net
Encrypted messages are welcome.
On Sat, 07 Sep 2013, Yoriz wrote:
Does Tor use the system DNS configuration? In other words, if I ran a local Bind daemon, would my tor exit use it? Is that bad for the safety of the tor user, as the Bind daemon effectively becomes an audit log of all domains visited by tor users?
Running a local bind or unbound is probably a smart thing to do, and if you put 127.0.0.1 into /etc/resolv.conf tor will use that.
Cheers,
On 13-09-07 02:55 PM, Peter Palfrader wrote:
On Sat, 07 Sep 2013, Yoriz wrote:
Does Tor use the system DNS configuration? In other words, if I ran a local Bind daemon, would my tor exit use it? Is that bad for the safety of the tor user, as the Bind daemon effectively becomes an audit log of all domains visited by tor users?
Running a local bind or unbound is probably a smart thing to do, and if you put 127.0.0.1 into /etc/resolv.conf tor will use that.
A local caching nameserver will improve performance of course. What are recommended policies to ensure the cache isn't useful to adversaries?
On Sep 7, 2013, at 20:55, Peter Palfrader wrote:
Running a local bind or unbound is probably a smart thing to do, and if you put 127.0.0.1 into /etc/resolv.conf tor will use that.
I now have a local Bind9 running, but I still get a lot of these:
Sep 08 22:11:27.000 [warn] eventdns: All nameservers have failed
Sep 08 22:11:27.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Sep 08 22:15:39.000 [warn] eventdns: All nameservers have failed
Sep 08 22:15:39.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
Sep 08 22:16:46.000 [warn] eventdns: All nameservers have failed
Sep 08 22:16:46.000 [notice] eventdns: Nameserver 127.0.0.1:53 is back up
The /var/log/syslog contains a lot of these, but the timestamps don't match the outages reported by Tor (hostnames and IP addresses changed):
Sep 8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep 8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep 8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep 8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53
Any suggestions?
// Yoriz
Hi,
If you run your own BIND/named as an authoritative DNS server for some domain name that you own, and if it is also configured to function as a recursive DNS server for local software (on that computer), and if you have enabled DNSSEC (for the recursive side), then that would be better, imho.
Such a recursive DNS server will be slightly slow when a domain name is queried for the first time, as the DNS server itself is doing the query, getting the results and responding to clients, but any second or later query for the same domain name will be super fast, as the DNS server will use the cached/stored DNS result to provide the response. And DNSSEC-authenticated results are very very very ACCURATE, comparatively much much more genuine/original. The DNS server's cache will automatically expire/remove DNS records based on the expiry time specified in the TTL rdata value of each DNS record. If the TTL rdata is not specified, then such a DNS record will remain in the cache for a longer time.
Set the recursive/caching DNS server portion of BIND to listen on 127.0.0.1:53, and set your machine's network adapter's DNS server settings to use only 127.0.0.1 as your DNS server; then all local software can use your own DNS server running on the 127.0.0.1 IP address.
Do not use remote DNS servers like Google's DNS servers, as they LOG/RECORD indefinitely. Using your own DNS server (mentioned above) is better than using anyone else's DNS server. You can use Google's DNS server only when you are using a VM (or physical machine) whose (operating) system you've configured to obtain ALL DNS results by going through the Tor network. A machine which uses Tor client or Tor server software should not use Google DNS, but connecting to Google DNS servers via the Tor network is ok, imho. If you do not use Tor or any anonymity-related software, then using Google DNS directly is somewhat ok, but still try to avoid it, as they do not respect users' privacy (a fundamental right).
If you must or want to specify a remote DNS server, then see/find OpenNIC-based DNS servers (OpenNIC's website has a feature to list DNS servers located in various areas and can also show results based on features); read the descriptions: some will show they DO NOT LOG/RECORD, some will show they support DNSSEC; use such. You may also see info on other remote recursive/caching DNS servers from: OARC, CZ.NIC, Swiss Privacy Foundation, German Privacy Foundation e.V., etc. See ref [1].
If you configure your DNS server(s) to use TLS/SSL certificate-based encryption, or DNSCrypt, for connecting with one or a set of remote DNS servers (basically, as long as you are using some type of encryption for the DNS query and result), then someone in the middle cannot see your open DNS packets, and cannot modify/alter them either.
If you use or will use remote DNS servers, then you should use an encrypted connection to the DNS servers, and you should connect to them via the Tor network (aka an anonymity-supporting network).
DNS2SOCKS, socat, etc. (various tools) can allow a machine to use remote DNS servers via the Tor network (the Tor network is accessed via the SOCKS5 protocol).
"Unbound" (from NLnet Labs), a DNS resolver with full DNSSEC support (and also BIND from ISC), can be configured locally to connect through a DNS2SOCKS-, socat-, etc.-based tunnel and reach remote DNS servers by going through the Tor network. But your DNS query and result logs/records will remain in the hands of the remote DNS server operators, unless they have declared that they do not log/record and are trustworthy in that respect. Or alternatively, configure the DNS server or resolver software to function as your OWN full recursive/caching DNS server. Then your own DNS query records/logs will remain with you.
Best is to turn off any logging/recording in the BIND/Unbound DNS software, unless you are troubleshooting something.
You must install and configure your DNS server or resolver software to run from inside a chroot/jail environment.
-- Bright Star.
[1] https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResol...
Received from Yoriz, on 2013-09-07 11:47 AM:
On Tue, Sep 10, 2013 at 12:45:03AM -0700, Bry8 Star wrote:
If you run your own BIND/named as an authoritative DNS server for some domain name that you own, and if it is also configured to function as a recursive DNS server for local software (on that computer), and if you have enabled DNSSEC (for the recursive side), then that would be better, imho.
Speaking about recursive DNS for BIND, does anyone have a working set of options which limit recursive DNS queries to just the local subnet, and another couple IPs, maybe?
Hey.
Am 10.09.2013 10:14, schrieb Eugen Leitl:
Speaking about recursive DNS for BIND, does anyone have a working set of options which limit recursive DNS queries to just the local subnet, and another couple IPs, maybe?
options {
    allow-recursion { 192.168.0.0/24; };
};
http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch07.html#Access_Control_Lists
regards felix
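Putting felix's allow-recursion line together with Bry8 Star's recommendations (listen only on 127.0.0.1, validate DNSSEC, keep logging off), here is a complete named.conf for the exit's private caching resolver. This is an added example, not a configuration from any poster in the thread; 192.168.0.0/24 is the subnet from felix's reply, 203.0.113.10 stands in for "another couple IPs", and it assumes BIND 9.8 or later.

```conf
// Added example, not from any poster in this thread: a named.conf for a
// Tor exit's private caching resolver, combining Bry8 Star's advice
// (listen only on 127.0.0.1, validate DNSSEC, keep logging off) with
// felix's allow-recursion ACL. 192.168.0.0/24 is the subnet from felix's
// reply; 203.0.113.10 is a placeholder for one extra trusted host.
// Assumes BIND 9.8 or later (for "dnssec-validation auto").

acl "recursion-clients" {
    127.0.0.0/8;            // tor and other software on this box
    ::1;
    192.168.0.0/24;         // local subnet
    203.0.113.10;           // placeholder: one extra trusted host
};

options {
    directory "/var/cache/bind";

    // Loopback only: port 53 is never reachable from the public
    // interface, so the exit's hostname must be served elsewhere.
    listen-on    { 127.0.0.1; };
    listen-on-v6 { ::1; };

    // Caching resolver for the ACL above and nobody else.
    recursion yes;
    allow-query       { "recursion-clients"; };
    allow-recursion   { "recursion-clients"; };
    allow-query-cache { "recursion-clients"; };
    allow-transfer    { none; };

    // Validate answers; a record that fails validation is answered
    // with SERVFAIL rather than handed to tor.
    dnssec-validation auto;

    // Don't advertise the BIND version to whoever probes the port.
    version "not disclosed";
};

logging {
    // Discard query logs and the per-domain resolver noise Yoriz saw
    // ("lame server", "connection refused", "no valid signature").
    // Point a category at a file channel only while troubleshooting.
    category queries      { null; };
    category lame-servers { null; };
    category resolver     { null; };
    category dnssec       { null; };
    category default      { default_syslog; };
};
```

With listen-on restricted to loopback, the ACL matters mainly for the local subnet entry; the 127.0.0.0/8 line is what lets tor on the same host use the cache.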
Bright Star, thank you for your elaborate explanation!
On Sep 10, 2013, at 09:45 , Bry8 Star wrote:
Set the recursive/caching DNS server portion of BIND to listen on 127.0.0.1:53, and set your machine's network adapter's DNS server settings to use only 127.0.0.1 as your DNS server; then all local software can use your own DNS server running on the 127.0.0.1 IP address.
That is how I have configured BIND now. I use the registrars' DNS server to resolve my exit nodes' name, so I don't have to expose port 53 publicly.
Best is to turn off any logging/recording in the BIND/Unbound DNS software, unless you are troubleshooting something.
I have logging enabled because I am seeing a lot of these in /var/log/syslog:
Sep 8 22:13:59 tor-exit named[11467]: lame server resolving 'www.example.hk' (in 'example.hk'?): 123.123.123.123#53
Sep 8 22:14:17 tor-exit named[11467]: error (connection refused) resolving 'www.example.com/A/IN': 123.123.123.123#53
Sep 8 22:14:18 tor-exit named[11467]: validating @0x123456789abc: www.example.com A: no valid signature found
Sep 8 22:14:32 tor-exit named[11467]: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 123.123.123.123#53
Are that many errors to be expected when operating a Tor exit (and thus resolving a lot of unusual domain names)? Once someone can reassure me this is "normal", I will disable logging.
Moreover, I noticed a lot of weird upper/lowercase variants, like "wwW.eXAmPLe.CoM". Domain names are case-insensitive, but the original spelling is forwarded through all resolvers, so this would enable adversaries to do some tracking/tracing if people have misconfigured their Tor client and suffer DNS leakage. May I suggest that Tor converts all domain names to lowercase before trying to resolve them?
// Yoriz