[metrics-team] Exit relays' DNS resolvers over time
nusenu
nusenu at openmailbox.org
Tue Feb 23 23:55:36 UTC 2016
Philipp Winter:
> I've been using exitmap to enumerate what DNS resolvers are used by exit
> relays over time. The idea is simple: I resolve an exit relay-specific
> domain under my control over all exit relays, and then look out for
> incoming DNS requests from my authoritative DNS server. That allows me
> to map an exit relay to the IP address of a DNS resolver. Here is a
> diagram that visualises preliminary results that cover several months:
> <https://nymity.ch/dns-traffic-correlation/img/top-exit-resolvers.png>
>
> The diagram shows a time series, one data point a day, of the top four
> DNS resolvers of the Tor network. The numbers are weighted by exit
> bandwidth.
>
> Google is the most popular DNS resolver. Today, Google gets to see
> around 25% of all DNS requests exiting the Tor network. That is
> concerning; in particular because they also get to see ingress traffic
> of meek users that use App Engine. After Google, local resolvers are
> the most popular. I classify a resolver as "local" if the DNS
> resolver's IP address is identical to the exit relay's IP address.
> Finally, we have OVH and OpenDNS. OVH isn't particularly surprising
> given that they are the most popular exit AS, currently controlling 11%
> of exit capacity. Aside from these top four resolvers, the distribution
> has a long tail, presumably because many exit relays use their ISP's
> resolver.
>
> Finally, beware of easy conclusions. First, this analysis doesn't tell
> us anything about caching. Exit relays cache DNS records, which limits
> exposure to the DNS resolver. Also, some exit relays are multi-homed,
> which isn't reflected in these numbers. Perhaps counterintuitively, it
> is not clear that local resolvers are *always* the best choice.
> Recursive resolvers traverse many autonomous systems when resolving a
> domain name, which exposes Tor users' DNS requests, and their
> corresponding responses, to network-level adversaries. We talk a little
> bit about these issues here:
> <https://nymity.ch/dns-traffic-correlation/>
Interesting (as usual), thanks!
Can we also find a csv with the exit->dns server mapping somewhere?
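The mapping and bandwidth weighting described in the quoted message, as an added example that is not part of the original thread and is not exitmap code. The zone name, the one-label-per-relay naming, the log format, the relay table and the `ProviderA` netblock are all constructed assumptions, as is the even split of a relay's bandwidth when more than one resolver is seen for it.

```python
import ipaddress
from collections import defaultdict

ZONE = "dnsmap.example.com"  # assumed measurement zone
# Constructed relay table: label -> (exit IP, exit bandwidth weight)
RELAYS = {"relaya": ("192.0.2.10", 50), "relayb": ("192.0.2.20", 30),
          "relayc": ("192.0.2.30", 20)}
PROVIDERS = {"ProviderA": ipaddress.ip_network("198.51.100.0/24")}  # constructed
# Constructed authoritative-server query log: "<time> <source IP> <qname>"
LOG = """\
2016-02-23T10:00:01Z 198.51.100.7 relaya.dnsmap.example.com.
2016-02-23T10:00:02Z 192.0.2.20 relayb.dnsmap.example.com.
2016-02-23T10:00:03Z 203.0.113.5 relayc.dnsmap.example.com.
2016-02-23T10:00:04Z 203.0.113.9 www.unrelated.example.org.
2016-02-23T10:00:05Z 198.51.100.7 RelayA.dnsmap.example.com.
2016-02-23T10:00:06Z 192.0.2.30 relayc.dnsmap.example.com.
"""

def map_resolvers(log, zone=ZONE, relays=RELAYS):
    """Return {relay label: set of resolver IPs that queried its name}."""
    seen, suffix = defaultdict(set), "." + zone
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        src, qname = parts[1], parts[2].rstrip(".").lower()  # names are case-insensitive
        label = qname[:-len(suffix)]
        if qname.endswith(suffix) and label in relays:
            seen[label].add(src)
    return dict(seen)

def classify(resolver_ip, exit_ip, providers=PROVIDERS):
    """'local' if the resolver IP equals the exit IP, else provider or 'other'."""
    if resolver_ip == exit_ip:
        return "local"
    addr = ipaddress.ip_address(resolver_ip)
    return next((n for n, net in providers.items() if addr in net), "other")

def weighted_shares(mapping, relays=RELAYS):
    """Share of total exit bandwidth per resolver class (unobserved relays count in the total)."""
    total = sum(bw for _, bw in relays.values())
    shares = defaultdict(float)
    for label, resolvers in mapping.items():
        exit_ip, bw = relays[label]
        for r in resolvers:  # assumption: split a relay's weight evenly across its resolvers
            shares[classify(r, exit_ip)] += bw / len(resolvers) / total
    return dict(shares)
```
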