ip-port.torhosts.nighteffect.us and exim
Joseph B. Kowalski
jbk at hush.ai
Thu Apr 26 16:58:35 UTC 2007
On Thu, 26 Apr 2007 08:45:39 -0700 Mike Cardwell
<tor at lists.grepular.com> wrote:
>I've been looking into how to use this with Exim4. I just thought I'd share it here for the benefit of the archives.
>
>warn dnslists = $interface_port.${sg{$interface_address}{\N^(\d+)\.(\d+)\.(\d+)\.(\d+)$\N}{\$4\.\$3\.\$2\.\$1}}.ip-port.torhosts.nighteffect.us
>     log_message = This connection is coming from a tor node that allows exiting to this ip/port combination
>
>The ACL simply logs the connection, it doesn't perform a rejection, or adding a header to the message or anything else. That part is left to the reader or the exim users mailing list.
>
>It was made slightly more difficult to use by the fact that I had to reverse the 4 octets of the IP address of the host being connected to. I understand why this was done though and agree with it.
>
>Just out of interest, why do lookups that return positive results take such a long time? This is what I typically get:
>
>server:~# time host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us
>20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us has address 127.0.0.2
>Host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us not found: 2(SERVFAIL)
>Host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us not found: 2(SERVFAIL)
>
>real 0m23.451s
>user 0m0.030s
>sys 0m0.010s
>
>The first line of response is pretty quick, then there are long delays before each SERVFAIL...
>
>If the lookup returns an NXDOMAIN, there are no SERVFAILS so the lookups are much faster. I'm not a DNS expert so I'm not sure what is happening that causes the SERVFAIL's...
>
Hi Mike,

There are a couple of things going on here. First, the reason why you see the first line returned from the 'host' command as successful, followed by two 'SERVFAIL' lines, is that the 'host' command, by default, sends an 'A' request followed by an 'AAAA' (IPv6 Lookup) and 'MX' (Mail Exchanger) request. The DNSEL server only supports 'A' requests, and so in the case of the second and third queries, the DNSEL server is actually returning a 'NOTIMP' (Not Implemented) error message, and your local upstream DNS server is returning that to you as a 'SERVFAIL' error message. If you run the 'host' command with the "Type" flag set, you can prevent 'host' from sending the 'AAAA' and 'MX' requests altogether, eliminating the two error lines. For example, your query could be:

time host -t A 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us

Second, to address the speed issue, it's likely that your local upstream DNS server has some method of operation that really slows things down when there is an error returned from the DNSEL server, like the two 'NOTIMP' messages I described above. It may be retrying those same 'AAAA' and 'MX' requests several times before returning the 'SERVFAIL' message to you, holding things up a bit. So, the good news is, the speed issue is probably already gone just by you using the "Type" flag with the 'host' command, like I discussed above. Personally, I know there is no extra delay from the DNSEL server when it's returning a 'SERVFAIL', 'NOTIMP', or 'NXDOMAIN' message, as opposed to a successful lookup.

If necessary, for troubleshooting, you can easily see where the delay is occurring by taking your upstream DNS provider out of the loop temporarily by telling the 'host' command to talk to the DNSEL server directly. So, you could do this (if you still wanted it to do the 'A', 'AAAA', and 'MX' requests):

time host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us 216.55.190.201

Or do this (to exclude the 'AAAA' and 'MX' requests):

time host -t A 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us 216.55.190.201

This will let you see the real speed that the DNSEL server is responding with.

Please let me know if you have any other questions. I hope that helped!

Best regards,
Joe Kowalski
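For anyone reproducing the Exim ACL above outside Exim, here is an added example (not from Mike's config or Joe's reply) that builds the same query name Exim sends: Exim's dnslists prepends the reversed connecting address, and the ACL appends the local port and the reversed local interface address. It assumes, as the quoted output shows, that an answer of 127.0.0.2 means "listed" and that no answer means "not listed"; the live lookup helper is A-only, which is the same effect as `host -t A`.

```python
import ipaddress
import socket
from typing import Iterable, Tuple

DNSEL_ZONE = "ip-port.torhosts.nighteffect.us"  # zone used in the thread
LISTED_ANSWER = "127.0.0.2"  # assumption taken from the quoted 'host' output


def reverse_octets(ip: str) -> str:
    """Reverse the four octets of an IPv4 address, DNSBL style; rejects junk."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsel_query_name(remote_ip: str, local_ip: str, local_port: int,
                     zone: str = DNSEL_ZONE) -> str:
    """Name Exim looks up for the ACL: reversed(remote).port.reversed(local).zone."""
    if not 0 < local_port < 65536:
        raise ValueError(f"bad port {local_port}")
    return f"{reverse_octets(remote_ip)}.{local_port}.{reverse_octets(local_ip)}.{zone}"


def parse_dnsel_query_name(name: str, zone: str = DNSEL_ZONE) -> Tuple[str, str, int]:
    """Inverse of dnsel_query_name, handy when reading lookups back out of logs."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("not a query for this zone")
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 9:  # 4 octets + port + 4 octets
        raise ValueError("expected 4 + 1 + 4 labels")
    remote = reverse_octets(".".join(labels[0:4]))
    local = reverse_octets(".".join(labels[5:9]))
    return remote, local, int(labels[4])


def is_listed(answers: Iterable[str]) -> bool:
    """Listed exit iff the A answer set contains the zone's positive marker."""
    return LISTED_ANSWER in set(answers)


def lookup(remote_ip: str, local_ip: str, local_port: int) -> bool:
    """Live A-only check via the system resolver (needs network; not used offline)."""
    name = dnsel_query_name(remote_ip, local_ip, local_port)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:  # NXDOMAIN / resolver failure: treat as not listed
        return False
    return is_listed(info[4][0] for info in infos)
```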