[tor-bugs] #19769 [Core Tor/Tor]: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 25 23:25:33 UTC 2016


#19769: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.0.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  029-proposed, dns,                   |  Actual Points:
  TorCoreTeam201609                              |
Parent ID:                                       |         Points:  0.5
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by nicoo):

 Since pulls asked for feedback from exit operators, here is some based on
 my experience with [https://nos-oignons.net/ Nos oignons].

 Our configuration is [https://nos-oignons.net/wiki-
 admin/Services/DNS/Resolver/ publicly documented], but in French, so here
 is a summary:

 * We use Unbound as a local, DNSSEC-validating resolver on the exit nodes.
   * It obviously only listens locally.
   * We use its `private-address` feature to prevent RFC1918 addresses from
 figuring in results, to mitigate DNS rebinding attacks.
   * We use `hide-{identity,version}`, mostly out of general principle:
 anybody reading our documentation would learn that we run Unbound;
 however, it's unclear to me whether those could be exploited to tie users
 to specific exits being used for DNS resolution (and if that's relevant).
   * We use `harden-short-bufsize` and `harden-large-queries` to make
 Unbound return `SERVFAIL` on edge cases that can be exploited for DoSing
 the resolver.
   * We forward queries for `nos-oignons.{net,org,fr}` directly to our
 authoritative resolver.  This is not especially relevant for the exit, but
 error logs mails and so on will break if the domain fails to resolve.
 * `/etc/resolv.conf` always specifies `search nos-oignons.net` (does
 little-t tor honor that?  that could be awkward) and `127.0.0.1` as the
 first nameserver.
   If a fallback resolver is specified, it is either operated by the
 network hosting the exit node or by a close-by (network-wise) organization
 we have friendly ties to (typically, a non-profit, associative ISP).

 While writing this, I'm realising it might be useful to have “DNS
 resolution best-practices” for exit operators, since this is mostly
 something ''adhoc'' we came up with based on what our sysadmins were doing
 in other places, not something we systematically researched.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19769#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list