[tor-bugs] #19769 [Core Tor/Tor]: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Dec 25 23:25:33 UTC 2016
#19769: Round down DNS TTL to the nearest DEFAULT_DNS_TTL (30 minutes)
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |  Owner:
     Type:  defect                               |  Status:  needs_information
 Priority:  Very High                            |  Milestone:  Tor: 0.3.0.x-final
Component:  Core Tor/Tor                         |  Version:
 Severity:  Normal                               |  Resolution:
 Keywords:  029-proposed, dns, TorCoreTeam201609 |  Actual Points:
Parent ID:                                       |  Points:  0.5
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by nicoo):
Since pulls asked for feedback from exit operators, here is some based on
my experience with [https://nos-oignons.net/ Nos oignons].
Our configuration is [https://nos-oignons.net/wiki-admin/Services/DNS/Resolver/ publicly documented],
but in French, so here is a summary:
* We use Unbound as a local, DNSSEC-validating resolver on the exit nodes.
* It obviously only listens locally.
* We use its `private-address` feature to prevent RFC1918 addresses from
figuring in results, to mitigate DNS rebinding attacks.
* We use `hide-{identity,version}`, mostly out of general principle:
anybody reading our documentation would learn that we run Unbound;
however, it's unclear to me whether those could be exploited to tie users
to specific exits being used for DNS resolution (and if that's relevant).
* We use `harden-short-bufsize` and `harden-large-queries` to make
Unbound return `SERVFAIL` on edge cases that can be exploited for DoSing
the resolver.
* We forward queries for `nos-oignons.{net,org,fr}` directly to our
authoritative resolver. This is not especially relevant for the exit, but
error log mails and so on will break if the domain fails to resolve.
* `/etc/resolv.conf` always specifies `search nos-oignons.net` (does
little-t tor honor that? that could be awkward) and `127.0.0.1` as the
first nameserver.
If a fallback resolver is specified, it is either operated by the
network hosting the exit node or by a close-by (network-wise) organization
we have friendly ties to (typically, a non-profit, associative ISP).
While writing this, I'm realising it might be useful to have “DNS
resolution best-practices” for exit operators, since this is mostly
something ''ad hoc'' we came up with based on what our sysadmins were doing
in other places, not something we systematically researched.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19769#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
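For readers who want to see the settings nicoo lists above assembled into one file, here is an illustrative unbound.conf fragment. It is an added example, not taken from nicoo's comment or from the Nos oignons wiki; the trust-anchor path and the 192.0.2.53 authoritative-server address are placeholders, and it goes slightly beyond the comment by also stripping IPv6 ULA addresses. Because Unbound's `forward-zone` expects a recursive upstream, the operator's own zones are sent to the authoritative server with `stub-zone`, which is the option Unbound provides for that case.

```conf
server:
    # Listen on loopback only: the resolver serves the exit's own tor daemon.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation. Placeholder path; use your distribution's root.key.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Strip private addresses from answers to blunt DNS rebinding.
    # RFC1918 as in the comment, plus IPv6 ULA (added here, beyond the comment).
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8

    # Refuse id.server / version.server (and *.bind) queries.
    hide-identity: yes
    hide-version: yes

    # Answer SERVFAIL to truncated-buffer and oversized queries that are
    # otherwise cheap ways to stress the resolver.
    harden-short-bufsize: yes
    harden-large-queries: yes

# Send the operator's own zones straight to the authoritative server so that
# log mail and monitoring keep resolving even if general recursion is broken.
# 192.0.2.53 is a documentation-range placeholder, not a real server.
stub-zone:
    name: "nos-oignons.net"
    stub-addr: 192.0.2.53
stub-zone:
    name: "nos-oignons.org"
    stub-addr: 192.0.2.53
stub-zone:
    name: "nos-oignons.fr"
    stub-addr: 192.0.2.53
```

Validate the file with `unbound-checkconf` before reloading; a typo in an option name is reported there rather than silently ignored at start-up.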