[tor-relays] Exit relays and DNS privacy

Hello.

I run several exit relays. I’m trying to keep them in diverse locations
(South Africa, Moldova, USA, and Canada so far, with none in any AS
that hosts more than 1% of network bandwidth). I’m using Unbound as a
local recursive DNS resolver so I don’t have to trust 3rd parties with
the DNS queries. But I can’t run Unbound on the same IP that exit
traffic goes through because some nameservers blacklist Tor, so I use a
second IP. With the price of IPv4s these days, this can inflate the
cost of a budget VPS by a significant percentage of its original cost.

Right now, Unbound is set up with prefetching and key prefetching
enabled, DNSSEC validation enabled, QNAME minimization, a large cache
and negative cache, and a local copy of the root zone (RFC 8806).

Would it be reasonable to dedicated a single, cheap VPS for DNS
queries, and have all my other exits use it as their resolver over DoT?
The way I see it, that has a few pros:

• By saving on IPv4 costs, I can run more relays.
• An attacker who can monitor the outgoing DNS traffic doesn’t know
  which relay it is coming from, as all relay DNS queries are mixed.
• By sharing a single cache, there will be more cache hits and less
  need to talk to nameservers and expose queries to them. In other
  words, a nameserver would only know “someone on one of forest’s
  relays looked up this site” rather than “someone on this particular
  relay looked up this site”.

But I can see there being a few cons as well:

• By sharing a single cache, “timeless timing attacks” may become worse
  because a single lookup will prime the cache of all of my relays.
• Due to their diverse geographical nature, some exits will have sub-
  optimal routes to the “master” resolver, which increases latency and
  allows more entities to know when and how many lookups my servers are
  making (although not what is being looked up, because of DoT).

So what should I do? Run a local recursive resolver on each exit? Set
up my own upstream resolver and point all my exits to it? Try to use the
ISP’s resolver and hope that they configure it well? Use some privacy-
friendly upstream resolver like dot.sb? Use a DNS resolver hosted by a
major exit operator, as suggested by Nothing To Hide in his blog post
Nothing to hide - Privacy infrastructure provider?

I would like advice on the best solution here.

Regards,
forest

Thank you for your reply.

DNS is a complex topic with many considerations, but I think you're on
the right track. Latency wise ideally you would find some location that
covers a lot of middle ground between the relays, as to prevent some
exit relays having a <20 ms DNS latency while others have >200 ms
latency. But your relays are spread very far and wide so this may prove
challenging.

Unfortunately, some of them would indeed have >200 ms rtt, as measured
by a quick ping between them just now. Perhaps in the future, if I find
an affordable dedi host in a good AS, I may focus on them and put out a
few Gbps, which would make that more feasible. Until then, I'm drifting
around looking for smaller hosts that allow Tor.

It's been frustrating at times, with one host (vsys.host) saying that
they allow Tor exits and happily accepting my payment, then changing
their mind and asking me not to run it. Then responding again saying
they elevated it to a senior manager and that it was indeed allowed,
and then replying again apologizing and saying that no, it's not. At
least they recognized the confusion and were willing to issue a refund.
Frustratingly, they are still listed as a good ISP on the community
wiki, and there are 3 exits hosted successfully on their AS...

    * Only allow your Tor exit relay servers to send DNS requests to your
DNS load balancer/recursor. This makes it harder for adversaries to
check the in-cache TTL values. Or when providing the DNS response,
randomize the TTL value then (ideally per RRSet). You could also add
latency to DNS responses so they all are similarly slow (as if the
record wasn't cached), but this has downsides of its own.
    * Decouple TTL values from the original DNS record's TTL and the value
in your cache. You could even randomize this (again per RRset ideally)
to make it even less predictable.

I thought about that after reading your blog post, but I couldn't find
out how to do that without patching the Unbound source code. That is
something I could do, but at the moment I don't have the time on my
hands to maintain such a fork, at least not to the quality standards
that would be wanted for Tor.

    * Preload the top 1k/10k/100k/1M/10M (depending on your networking and
hardware capacity) domain's records and keep them 'hot' by fetching
their records with a random offset before they would expire. A previous
experiment with a small preload list (1k iirc) increased DNS cache hits
from ~74% (without preloading/automatic refreshes) to ~93% (with
preloading/automatic refreshes), decreasing DNS cache misses
considerably. My assumption is that the DNS cache hit rate will increase
significantly with 1) a larger preload list and 2) more queries per
second, but this is something I can finally verify when our new
infrastructure is in place next year.

I'm unsure how to preload the top domains. I couldn't find anywhere to
import an up-to-date cache, and having a script attempt to resolve a
large number of domains and keep them hot would probably not go over
too well with most hosting providers, I imagine.

I suspect that might not be helpful with smaller relays. One of my
relays is currently doing ~10 Mbps (it's capable of much more; I'm just
assuming it'll take more time before the BW authorities raise its
consensus weight), and it has a very low cache hit rate. I suspect this
is because TTL expiration starts to be the dominant cause of loss of
cache entries, even with prefetch enabled. The hit ratio is not great.
Since last reset a few days ago:

    thread0.num.cachehits=74xxx
    thread0.num.cachemiss=1637xxx
    thread0.num.prefetch=28xxx

For reference, this is my current Unbound config (cache size varies
from system to system depending on available resources):

    server:
            outgoing-interface: <outgoing ipv4 goes here>
            do-ip6: no
            rrset-cache-size: 64m
            msg-cache-size: 32m
            neg-cache-size: 8m
            prefetch: yes
            prefetch-key: yes

    auth-zone:
            name: "."
            master: f.root-servers.net
            master: k.root-servers.net
            master: l.root-servers.net
            master: j.root-servers.net
            fallback-enabled: yes
            for-downstream: no
            for-upstream: yes
            zonefile: "/var/lib/unbound/root.zone"

So "Would it be reasonable to dedicated a single, cheap VPS for DNS
queries, and have all my other exits use it as their resolver over
DoT?"? I think this is a reasonable approach, even when it adds some DNS
latency (within reason) to your exit relays. But I would also try (where
possible/feasible) to take some countermeasures against some of the more
common/easy attacks. I think in many cases (even without extensive
countermeasures) a centralized DNS recursor for your own exit relays, at
the very least isn't a significant downgrade from running them locally
on your exit servers.

The worst rtt is ~250ms from my test. I know that systemd-resolved will
keep its own local cache even if it's using an upstream resolver, but
the size is small and fixed. Would a centralized resolver be feasible
even in my case? I suppose I could try to find a very well-peered AS
and find a cheap VPS on it for only the purposes of DNS resolution (and
perhaps as a bridge relay, so bandwidth isn't going to waste).

When our DNS infra is finally upgraded you're free to use it as well (we
can whitelist all your IP addresses), but in terms of latency it might
be a bad fit since your relays are situated in other parts of the world.
Perhaps there are Tor operator that run DNS recursors in South Africa,
Moldova, US and Canada for you to use :). You could also ask in the IRC
operators channel to see whether other operators can provide you with
access to their recursors.

Maybe I can switch to it for the nearest exits. If I had more networking
experience, I'd set up my own set of DNS resolvers for the Tor network
with anycast, and allow any IP that is a Tor exit to resolve from them.
That would at least be better than using 8.8.8.8. But of course, I have
neither the time, networking experience, or trust in the community as
a new exit operator to do that.

Regards,
forest

Don't forget to enable DNS over TLS!

Of course.

For my local resolvers, it's not possible of course, but it is DNSSEC-
validating. If I use any kind of centralized upstream resolver, whether
I operate it or not, I'll only use DoT/DoH/DoQ.

Regards,
forest

You should edit the page, then! It's the *community* wiki, after all

Also, since you're running exits at various niche ASes, I'm guessing not all of them are on GoodBadISPs. It'd be great if you added some information about them there.

You should definitely try setting up IPv6. Essentially, your problem
is rooted in the limited number of IPv4 addresses. With IPv6, you
most certainly can have more than one IPv6 address on every VPS for
free. Using IPv6 wherever possible tackles the root issue.

This would only work if all nameservers support IPv6, no? I would
still need to use IPv4 for the nameservers that don't, which means
continuing to pay for the extra IPv4.

What I'm thinking of doing is choosing a single reliable exit in each
geographic location that I run, and using it as the upstream DNS
resolver for all the other relays in the region. Thus I can use one
relay in the USA to serve my relay in Canada, and one relay in Moldova
to serve other relays in Europe. I would only need to pay for an extra
IPv4 for each geographic region, and wouldn't have to suffer from the
nasty >200ms latency incurred through transoceanic cables.

Regards,
forest

* foreststack@dmc.chat via tor-relays:

This would only work if all nameservers support IPv6, no? I would
still need to use IPv4 for the nameservers that don't, which means
continuing to pay for the extra IPv4.

Have you considered using dnscrypt-proxy [1] with a couple of their
IPv6-capable servers configured as forwarders? No need for your own
server to have an Internet-routable IPv4 address in that scenario.

[1] GitHub - DNSCrypt/dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.

-Ralph

* Nick Weaver via tor-relays:

If DNS is being blocked from a Tor exit the site itself that is being
resolved is also likely to be blocked, so it should be a rarer case
than you'd otherwise expect.

I disagree with your assumption of "if a nameserver for example.com
blocks the Tor exit, somehost.example.com will likely block the exit as
well" (I am of course paraphrasing). First, many domains use third-party
DNS hosts. Second, an imaginary nameserver ns.example.com /might/ block
the same hosts as www.example.com, but why would it? The hosts provide
very different services.

As for the rarity of blocks, I think you have a better point there.

So just run a local recursive resolver ON the exit node, but with a
small patch so if the recursive resolver fails to resolve a name you
have a fallback to a separate recursive resolver, the one that is run
by the ISP where you are running your Tor node

That would provide a DNS resolver fallback, but also a privacy leak.
Your ISP could block your own resolver to force fallback to theirs. It
depends on how cautious/paranoid one wants to be in this matter. I
recommend local, caching resolvers on Tor guards or middle nodes, but
for exits this matters less, due to the next point you mentioned:

And the privacy implication is very low: after all, the ISP can see
the final traffic anyway [...]

Indeed. Also, the Tor exit X making connections to some destination Y
does not place the initiating Tor client Z at risk, what with Z and X
being separated by the Tor circuit.

Overall, I see the deployment of a local caching resolver (without
fallback to ISP resolvers) like Unbound as sufficient, and I already
mentioned dnscrypt-proxy as an alternative. I prefer Unbound, with its
small footprint, simple configuration and DNSSEC support.

-Ralph

IPv6 is locally resolved by each relay. If this fails, probably
because some DNS servers are IPv4-only, the relays shall forward
their queries to 1-2 central DNS resolver with IPv4 addresses.

That would probably be doable, but it would negate the privacy and the
security benefit of running a local DNSSEC-validating recursive DNS
resolver. When I run my own, I can be sure that it's using a local copy
of the root zone, that it's using QNAME minimization and aggressive-
NSEC, that it's up-to-date and is aggressively caching negative answers
(which are very common over Tor), etc.

Perhaps I could have the resolver prefer IPv6 and if the nameserver
doesn't support that, it could fall back to the exit's IPv4. If the
nameserver blocks Tor, *then* it could be sent up to some privacy-
friendly upstream resolver. I don't know if Unbound can be configured
to do that natively. It might take a small patch.

The overlap of DNS servers that are IPv4-only and block Tor relays
might be small enough to tolerate the issue or just use a friendly
public resolver for them as fallback.

I don't think it would be enough to tolerate the issue. Failures to get
answers from big nameservers doesn't just break a few websites. It can
break an entire zone. You may find that all .hu domains that lack IPv6
will become unreachable. Using a friendly public resolver as fallback,
or even falling back to a high-latency resolver on one of my other
nodes, is probably preferable.

In any way, I hope you enable IPv6 on your relays (start with DNS).
Because the IPv4 shortage only gets worse over time, and enabling
IPv6 is a (partial) way out, even already today.

I have IPv6 enabled on all my exits that support it. Some of them do
not support IPv6, but that is the fault of budget basement datacenters
running in Romania, and not my own network config.

Regards,
forest

Second, an imaginary nameserver ns.example.com /might/ block the same
hosts as www.example.com, but why would it? The hosts provide very
different services.

This is correct. Most blocking of Tor is not done by some upstream NOC
that has control over all the traffic passing through its servers, but
by some WAF or major CDN, neither of which are going to be used by a
nameserver. That is, Tor is more likely to be blocked by Cloudflare,
Akamai, Imunify360, Securi, etc.

Likewise, nameservers that block Tor often do so separately from the
domains that they manage, often by importing bulk IP blacklists that
unfortunately contain Tor addresses. Access is then denied by the
resolver software itself.

That would provide a DNS resolver fallback, but also a privacy leak.
Your ISP could block your own resolver to force fallback to theirs.

In my view, the threat model is one of passive collection of data which
is individually not particularly sensitive, but cumulatively gives an
unnecessarily-large insight into traffic. A malicious ISP would be
unlikely to gain much from forcing fallback for a single node.

Also, the Tor exit X making connections to some destination Y does
not place the initiating Tor client Z at risk, what with Z and X
being separated by the Tor circuit.

I recall there being several papers which showed that DNS privacy is
more important than it seems. When exit X makes a connection to Y on
behalf of client Z, there is a risk if anyone on the path been X and Y
collude with anyone on the path from Z to its guard. When using a local
recursive resolver, far more entities learn information about the
communication between X and Y.

Overall, I see the deployment of a local caching resolver (without
fallback to ISP resolvers) like Unbound as sufficient

I agree. Although it does have some downsides, I think the upsides
outweigh them. The only problem is the IPv4 shortage.

Regards,
forest