Re: [tor-relays] Local DNS on Exit logs failed user queries
On 8/16/16, teor wrote:
> Or is it safer just to log a few essential categories?
> (Can anyone recommend any?)

Once properly set up and tested, DNS just works, the only maintenance being updating the root zone or keys whenever. You might be interested in the aggregated stats logs it emits: memory, queries per sec, query types, that sort of thing. There's a config section for that and it's clean. For tor, mostly just test that it's up and running; no risk of disclosure there.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
[tor-relays] Local DNS on Exit logs failed user queries
Hi,

When I set up a Tor Exit, I set up a local resolver (BIND) as a cache.

Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when resolution fails. (I have since removed these entries from the logs.)

One way to prevent this is to disable logging on BIND entirely:

    logging {
        category default { null; };
    };

Another is to isolate the categories that log DNS names, and disable them individually:

    logging {
        // these categories log DNS names
        category dnssec { null; };
        category edns-disabled { null; };
        category lame-servers { null; };
        category resolver { null; };
        category security { null; };
        // also ignore uncategorised log messages
        category unmatched { null; };
    };

I've updated the Tor wiki page on BIND with this configuration:
https://trac.torproject.org/projects/tor/wiki/doc/BIND

Does anyone know how to work out all the BIND categories that log DNS names?
(All of the documentation I found online was helping people log *every* DNS query.)

Or is it safer just to log a few essential categories?
(Can anyone recommend any?)

Has anyone checked if the logs on other resolvers (like unbound) have the same issue?

Tim

Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
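One practical way to answer "which categories log DNS names" is to turn on `print-category yes` for a test channel, let the resolver run, and then scan the resulting log for query names and tally them per category. The following script is an added example written for this thread, not code from the original post or from BIND; it assumes the `print-category yes` message layout and uses constructed sample lines, and it emits the same `category X { null; };` stanzas the post uses for whatever it finds.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on BIND syslog output with
# "print-category yes" on the channel so each message starts with its
# category. Not real log lines from any relay.
SAMPLE_LOG = """\
Aug 16 10:00:01 exit named[812]: general: running
Aug 16 10:00:05 exit named[812]: lame-servers: error (unexpected RCODE SERVFAIL) resolving 'example.org/A/IN': 192.0.2.1#53
Aug 16 10:00:06 exit named[812]: resolver: DNS format error from 198.51.100.7#53 resolving www.example.net/AAAA for client 127.0.0.1#43210: invalid response
Aug 16 10:00:07 exit named[812]: dnssec: validating example.com/A: got insecure response; parent indicates it should be secure
Aug 16 10:00:09 exit named[812]: queries: client 127.0.0.1#43211 (example.com): query: example.com IN A + (127.0.0.1)
"""

# syslog prefix, then "<category>: <message>"
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ named\[\d+\]: (?P<cat>[\w-]+): (?P<msg>.*)$")
# A query name as BIND prints it: "name/TYPE[/CLASS]" or "name IN TYPE".
# The lookahead keeps the match to the name itself so it can be scrubbed.
NAME_RE = re.compile(r"(?<![\w.-])((?:[A-Za-z0-9_-]+\.)+[A-Za-z0-9_-]+\.?)(?=/[A-Z0-9]+| IN [A-Z0-9]+)")

def parse_line(line):
    """Split one syslog line into (category, message), or None if it is not from named."""
    m = LINE_RE.match(line)
    return (m.group("cat"), m.group("msg")) if m else None

def leaking_categories(log_text):
    """Count, per BIND category, how many query names appear in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            cat, msg = parsed
            counts[cat] += len(NAME_RE.findall(msg))
    return +counts  # drop categories with zero hits

def scrub(msg):
    """Replace every query name in a message with '[scrubbed]' (Tor's own placeholder)."""
    return NAME_RE.sub("[scrubbed]", msg)

def null_categories(counts):
    """Render a named.conf logging block that silences each leaking category."""
    body = "".join(f"    category {cat} {{ null; }};\n" for cat in sorted(counts))
    return "logging {\n" + body + "};"

if __name__ == "__main__":
    found = leaking_categories(SAMPLE_LOG)
    for cat, n in sorted(found.items()):
        print(f"{cat}: {n} name(s)")
    print(null_categories(found))
```

Run it against a real `named` log captured with `print-category yes` to get the category list for your own build and configuration; the regex only knows the two name layouts shown in the sample, so extend it if your log shows another.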
Re: [tor-relays] [WARN] Remote server sent bogus reason code 65021
Looks like this is solved and belonged to not open ports. Sorry for the hassle.

Paul

On 16.08.2016 at 18:34, pa011 wrote:
> Just established a new Exit with two instances on (Linux 3.16.0-4-amd64), Tor 0.2.8.6
>
> On the second instance I get these warnings:
>
> [WARN] Remote server sent bogus reason code 65021 [21 duplicates hidden]
> [WARN] Remote server sent bogus reason code 65023 [95 duplicates hidden]
> [NOTICE] Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up. [40 duplicates hidden]
>
> The code 65023 is ticking up by one in about 10 seconds?
>
> The default instance is free of that.
>
> Anything to worry about?
>
> Thanks
>
> Paul
Re: [tor-relays] A question about transfer - any advice?
Well, to spread out 1TB over a month, 1,000,000 ÷ 30 days ÷ 24 hours ÷ 60 minutes ÷ 60 seconds ÷ 2 for in/out × 8 to convert to bits equals... 1.54 Mbps, give or take. It's not exact math since a byte is 1024 instead of 1000. Either way, 1TB gets used pretty quickly. My exit transfers 1TB in just a few hours!

On Aug 16, 2016 2:11 PM, "Charon" wrote:
> I'm running a Tor relay and everything is going great so far, but since
> I'm hosting on a commercial VPS, I have limited transfer (1 TB per month,
> overage: $0.02/GB). As such, I've set accounting to 10 GB per day so I'll
> at most use 620 GB in any given month and don't have to pay any overage
> costs.
>
> *Q1: can I increase this limit without paying extra?*
>
> I'm seeing that this 10 GB is hit very quickly, today within 9 hours.
>
> *Q2: how can I adjust the bandwidth limit (80 Mb/s, burst 160 Mb/s) so
> that this 10 GB is more spread out over the day? Would it help to make
> this, say, 20 or 40 Mb/s?*
>
> Thanks!
>
> Ps: if I haven't supplied sufficient details, please feel free to ask
Re: [tor-relays] Web server and TOR bridge at same IP:port
If a pluggable transport is HTTP(S)-ish, I would expect nginx to be able to use SNI or a Host header (or the lack of one) to decide whether to serve web content or proxy to tor or the transport. I'm not sure if nginx can decide to proxy TCP based on SNI, but it would be worth reading the docs. If this is nonsense, pardon my ignorance of tor details ;)

On 08/16/2016 01:59 PM, Lucas Werkmeister wrote:
> Something like this exists: sslh[1], a "protocol demultiplexer".
> However, it doesn't explicitly support Tor, and I'm not sure if it's
> possible to distinguish between Tor packets and other TLS traffic using
> the options it offers[2].
>
> [1]: http://www.rutschle.net/tech/sslh.shtml
> [2]: https://github.com/yrutschle/sslh/blob/v1.18/example.cfg#L37-L47
>
> On 16.08.2016 19:50, Green Dream wrote:
>> I don't think you will be able to bind two daemons to the same TCP
>> port (443).
>>
>> Maybe you could have something else listening on TCP port 443 and
>> passing the requests onto both places?
>>
>> You might be able to put a single reverse proxy in front on that port,
>> and have that proxy send the requests to the correct daemon on the
>> backend, but I have no idea how to actually set that up. Most common
>> reverse proxy software (like nginx) isn't designed to understand or
>> handle Tor or pluggable transports like obfs4.
>>
>> There may be some application aware ("layer 4") firewalls that could
>> do something like this too, but I don't think it would be
>> straightforward. Also I'm not sure inspecting Tor packets (in order to
>> determine they're Tor packets) is a good idea... or if that could even
>> work since the packets will be obfuscated.
>>
>> Just thinking out loud... but this seems like a difficult to implement
>> idea.
[tor-relays] A question about transfer - any advice?
I'm running a Tor relay and everything is going great so far, but since I'm hosting on a commercial VPS, I have limited transfer (1 TB per month, overage: $0.02/GB). As such, I've set accounting to 10 GB per day so I'll at most use 620 GB in any given month and don't have to pay any overage costs.

Q1: can I increase this limit without paying extra?

I'm seeing that this 10 GB is hit very quickly, today within 9 hours.

Q2: how can I adjust the bandwidth limit (80 Mb/s, burst 160 Mb/s) so that this 10 GB is more spread out over the day? Would it help to make this, say, 20 or 40 Mb/s?

Thanks!

Ps: if I haven't supplied sufficient details, please feel free to ask
Re: [tor-relays] Web server and TOR bridge at same IP:port
Something like this exists: sslh[1], a "protocol demultiplexer". However, it doesn't explicitly support Tor, and I'm not sure if it's possible to distinguish between Tor packets and other TLS traffic using the options it offers[2].

[1]: http://www.rutschle.net/tech/sslh.shtml
[2]: https://github.com/yrutschle/sslh/blob/v1.18/example.cfg#L37-L47

On 16.08.2016 19:50, Green Dream wrote:
> I don't think you will be able to bind two daemons to the same TCP
> port (443).
>
> Maybe you could have something else listening on TCP port 443 and
> passing the requests onto both places?
>
> You might be able to put a single reverse proxy in front on that port,
> and have that proxy send the requests to the correct daemon on the
> backend, but I have no idea how to actually set that up. Most common
> reverse proxy software (like nginx) isn't designed to understand or
> handle Tor or pluggable transports like obfs4.
>
> There may be some application aware ("layer 4") firewalls that could
> do something like this too, but I don't think it would be
> straightforward. Also I'm not sure inspecting Tor packets (in order to
> determine they're Tor packets) is a good idea... or if that could even
> work since the packets will be obfuscated.
>
> Just thinking out loud... but this seems like a difficult to implement
> idea.
Re: [tor-relays] Web server and TOR bridge at same IP:port
I don't think you will be able to bind two daemons to the same TCP port (443).

Maybe you could have something else listening on TCP port 443 and passing the requests onto both places?

You might be able to put a single reverse proxy in front on that port, and have that proxy send the requests to the correct daemon on the backend, but I have no idea how to actually set that up. Most common reverse proxy software (like nginx) isn't designed to understand or handle Tor or pluggable transports like obfs4.

There may be some application aware ("layer 4") firewalls that could do something like this too, but I don't think it would be straightforward. Also I'm not sure inspecting Tor packets (in order to determine they're Tor packets) is a good idea... or if that could even work since the packets will be obfuscated.

Just thinking out loud... but this seems like a difficult to implement idea.
[tor-relays] [WARN] Remote server sent bogus reason code 65021
Just established a new Exit with two instances on (Linux 3.16.0-4-amd64), Tor 0.2.8.6

On the second instance I get these warnings:

[WARN] Remote server sent bogus reason code 65021 [21 duplicates hidden]
[WARN] Remote server sent bogus reason code 65023 [95 duplicates hidden]
[NOTICE] Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up. [40 duplicates hidden]

The code 65023 is ticking up by one in about 10 seconds?

The default instance is free of that.

Anything to worry about?

Thanks

Paul
Re: [tor-relays] Pi3 mid relay dropping lil bit of packets
Hmm, I just noticed that systemd HUPs tor exactly every 24h and now I have 16 packets lost with 30gb relayed. Can this be the cause? Is there a way to log these drops without putting too much load on ram/cpu? Just to have a timestamp?
Re: [tor-relays] Pi3 mid relay dropping lil bit of packets
Ok, thank you for the replies, will keep an eye on this.

On Tue, Aug 16, 2016 at 6:11 AM, Green Dream wrote:
> Counter-point... transmission errors are not a certainty:
>
> RX packets:323526978271 errors:0 dropped:0 overruns:0 frame:0
> TX packets:249565709357 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:285274358053849 (285.2 TB) TX bytes:287754558279252 (287.7 TB)
>
> Ideally there should be no errors. :)
>
> 11 dropped packets isn't a big deal, but I wouldn't be quick to dismiss these errors by default. In certain cases things might be improved with driver updates, or sysctl tweaks, or a new ethernet cable, etc.
[tor-relays] Web server and TOR bridge at same IP:port
Hello, listers!

Is it possible to configure on own physical server a https Web server (for ex., Apache) at port 443 and an obfs4 or meek bridge at the same static global IP address and same port 443? It's something like SNI, not for two TLS web sites with different domain names at the same IP but for a web site on the web server and a TOR bridge.

If this is possible it will be good masking for the bridge because to others' requests this server will reply as a simple https web server. As I understand, it will be difficult for an observer without keys to distinguish encrypted bridge traffic from TLS-encrypted web traffic.

If this is possible, can anyone tell about configuration manual/hints for this?

WBR, Alan Hiew.
Re: [tor-relays] spelling mistake
On Sun, 14 Aug 2016, I wrote:
> https://www.torproject.org/docs/pluggable-transports.html.en
>
> voluntters

Thanks. Committed a fix.

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/