[tor-bugs] #8608 [Ooni]: discuss deployment of oonib's dns_helper service
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Mar 29 21:02:01 UTC 2013
#8608: discuss deployment of oonib's dns_helper service
------------------------------------+---------------------------------------
Reporter: aagbsn | Owner: hellais
Type: task | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Keywords: oonib, dns_helper, dns | Parent:
Points: | Actualpoints:
------------------------------------+---------------------------------------
OONI Backend (oonib) provides a dns_helper service that responds to
queries on port 53 udp/tcp.

Unfortunately, the service is abused; whenever the helper is running it is
being bombarded with queries from (presumably spoofed) addresses. This is
a known problem with running an open recursive resolver. How can we
mitigate the abuse of this service?

One possibility is to launch the dns_helper service on demand for specific
OONI tests. A problem with this approach is that a client cannot use the
test helper unless it also creates a report with the associated collector
(which currently also requires a working Tor).

Another possibility is to implement rate-limiting, which would reduce the
amount of abuse. A problem with this approach is that ooni-probe clients
may see an increase in resolution failures. We don't currently dynamically
adjust ooni-probe's request rate, though this is a desired feature.

And another item to consider is how DNS resolution is performed on oonib.
Presently, it forwards requests to an upstream resolver (by default,
Google Public DNS), which might cause problems given the volume of DNS
requests seen. We should consider deploying our own DNS resolver locally
or near each collector.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8608>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
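
The rate-limiting option raised in the ticket, sketched as an added example (not oonib code): a token bucket keyed on the source prefix, run over constructed traffic. The class name, rate, burst size and prefix lengths are assumptions chosen for illustration.

```python
import ipaddress
from collections import OrderedDict

class PrefixRateLimiter:
    """Token bucket per source prefix (/24 for IPv4, /56 for IPv6; assumed sizes)."""

    def __init__(self, rate=5.0, burst=10, max_buckets=10000):
        self.rate = rate                # tokens added per second
        self.burst = burst              # bucket capacity
        self.max_buckets = max_buckets  # bound memory under a spoofed-source flood
        self.buckets = OrderedDict()    # prefix -> (tokens, last_seen)

    @staticmethod
    def prefix(addr):
        ip = ipaddress.ip_address(addr)
        bits = 24 if ip.version == 4 else 56
        return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

    def allow(self, addr, now):
        """Return True if a query from addr at time now should be answered."""
        key = self.prefix(addr)
        tokens, last = self.buckets.pop(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[key] = (tokens, now)      # re-insert as most recently seen
        if len(self.buckets) > self.max_buckets:
            self.buckets.popitem(last=False)   # evict least recently seen prefix
        return allowed

def simulate(limiter, events):
    """events: (timestamp, source) pairs; returns {source: (answered, dropped)}."""
    stats = {}
    for now, addr in events:
        ok = limiter.allow(addr, now)
        answered, dropped = stats.get(addr, (0, 0))
        stats[addr] = (answered + ok, dropped + (not ok))
    return stats

# Constructed traffic (documentation address ranges):
# one source at 200 queries/s for 1 s, and a measurement client at 2 queries/s.
FLOOD = [(i / 200.0, "198.51.100.7") for i in range(200)]
PROBE = [(i / 2.0, "203.0.113.20") for i in range(10)]

if __name__ == "__main__":
    print(simulate(PrefixRateLimiter(), sorted(FLOOD + PROBE)))
```

A client that stays under the configured rate is unaffected, while one that exceeds it sees dropped queries, which is the resolution-failure trade-off the ticket describes for ooni-probe.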