Re: [tor-relays] Local DNS on Exit logs failed user queries

2016-08-16 Thread grarpamp
On 8/16/16, teor  wrote:
> Or is it safer just to log a few essential categories?
> (Can anyone recommend any?)

Once properly set up and tested, DNS just works; the only
maintenance is updating the root zone or keys whenever needed.
You might be interested in the aggregated stats logs it emits:
memory, queries per second, query types, that sort of thing.
There's a config section for that and it's clean.
For tor, mostly just test that it's up and running; no risk
of disclosure there.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


[tor-relays] Local DNS on Exit logs failed user queries

2016-08-16 Thread teor
Hi,

When I set up a Tor Exit, I set up a local resolver (BIND) as a cache.
Today, I was monitoring the syslog, and I noticed that BIND logs DNS names when 
resolution fails.
(I have since removed these entries from the logs.)

One way to prevent this is to disable logging on BIND entirely:

logging { category default { null; }; };

Another is to isolate the categories that log DNS names, and disable them 
individually:

logging {
// these categories log DNS names
category dnssec { null; };
category edns-disabled { null; };
category lame-servers { null; };
category resolver { null; };
category security { null; };
// also ignore uncategorised log messages
category unmatched { null; };
};

I've updated the Tor wiki page on BIND with this configuration:
https://trac.torproject.org/projects/tor/wiki/doc/BIND

Does anyone know how to work out all the BIND categories that log DNS names?
(All of the documentation I found online was helping people log *every* DNS 
query.)

Or is it safer just to log a few essential categories?
(Can anyone recommend any?)

Has anyone checked if the logs on other resolvers (like unbound) have the same 
issue?

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
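An added example, not part of the thread or of the Tor wiki page it links to: a small Python checker for the two approaches teor describes. It parses the `logging` block of a named.conf written the way the snippets above are, reports which of the name-leaking categories named in the mail still reach a real channel (BIND routes a category that has no statement of its own to `default`), and scans a syslog excerpt for the quoted owner names that BIND's resolver-side messages carry. The category list is taken from the mail; the log lines are constructed in BIND 9's usual message style and are not real traffic.

```python
import re

# Categories teor's post identifies as logging DNS names (names taken from the post).
NAME_LEAKING_CATEGORIES = (
    "dnssec", "edns-disabled", "lame-servers", "resolver", "security", "unmatched",
)

# One "category NAME { channel; ... };" statement inside a logging block.
_CATEGORY_RE = re.compile(r"category\s+([A-Za-z0-9_-]+)\s*\{([^}]*)\}\s*;")


def strip_comments(conf_text):
    """Drop /* */, // and # comments so a commented-out statement is not counted."""
    conf_text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)
    return re.sub(r"(//|#).*", "", conf_text)


def category_channels(conf_text):
    """Map each configured category to the list of channels it is sent to."""
    channels = {}
    for name, body in _CATEGORY_RE.findall(strip_comments(conf_text)):
        channels[name] = [c.strip() for c in body.split(";") if c.strip()]
    return channels


def categories_not_nulled(conf_text, required=NAME_LEAKING_CATEGORIES):
    """Return the required categories that still reach a real channel.

    BIND sends a category with no statement of its own to 'default', so a
    category counts as silenced when it, or failing that 'default', goes only
    to the null channel.
    """
    channels = category_channels(conf_text)
    return sorted(cat for cat in required
                  if channels.get(cat, channels.get("default")) != ["null"])


# Resolver-side messages quote the name being looked up, e.g.
#   error (network unreachable) resolving 'example.net/AAAA/IN': 192.0.2.1#53
# so a quoted dotted name (optionally followed by /TYPE/CLASS) is the leak signature.
_QUOTED_NAME_RE = re.compile(
    r"'([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)+\.?)(?:/[A-Z0-9]+/IN)?'")


def leaked_names(log_lines):
    """Return (line_number, name) for every log line that quotes a DNS name."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _QUOTED_NAME_RE.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits


# Configs under test: the two snippets from teor's mail, plus a partial one.
NULL_DEFAULT_CONF = "logging { category default { null; }; };"
PER_CATEGORY_CONF = """
logging {
    // these categories log DNS names
    category dnssec { null; };
    category edns-disabled { null; };
    category lame-servers { null; };
    category resolver { null; };
    category security { null; };
    // also ignore uncategorised log messages
    category unmatched { null; };
};
"""
PARTIAL_CONF = """
logging {
    category lame-servers { null; };
    category resolver { default_syslog; };
};
"""

# Constructed syslog lines in BIND 9's usual message style (not real traffic).
SAMPLE_LOG = [
    "named[123]: error (network unreachable) resolving 'example.net/AAAA/IN': 192.0.2.1#53",
    "named[123]: lame server resolving 'host.example.org' (in 'example.org'?): 198.51.100.7#53",
    "named[123]: clients-per-query increased to 20",
    "named[123]: received control channel command 'stats'",
]

if __name__ == "__main__":
    for label, conf in [("null default", NULL_DEFAULT_CONF),
                        ("per category", PER_CATEGORY_CONF),
                        ("partial", PARTIAL_CONF)]:
        print(label, "still logging:", categories_not_nulled(conf))
    print("names found in log:", leaked_names(SAMPLE_LOG))
```

Run the log scan over a day of syslog after changing the configuration: an empty result is the evidence that the change actually took effect, which a config review alone cannot give. The name pattern is deliberately broad (any quoted dotted name), so treat a hit as something to look at rather than as proof of a leak.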


Re: [tor-relays] [WARN] Remote server sent bogus reason code 65021

2016-08-16 Thread pa011
Looks like this is solved; it was due to ports that were not open.
Sorry for the hassle.

Paul



On 16.08.2016 at 18:34, pa011 wrote:
> Just established a new Exit with two instances on (Linux 3.16.0-4-amd64), Tor
> 0.2.8.6
> 
> On the second instance I get these warnings:
> 
> [WARN] Remote server sent bogus reason code 65021 [21 duplicates hidden]
> [WARN] Remote server sent bogus reason code 65023  [95 duplicates hidden]
> [NOTICE] Have tried resolving or connecting to address '[scrubbed]' at 3 
> different places. Giving up. [40 duplicates hidden]
> 
> The code 65023 is ticking up by one in about 10 seconds?
> 
> The default instance is free of that.
> 
> Anything to worry about?
> 
> Thanks
> 
> Paul


Re: [tor-relays] A question about transfer - any advice?

2016-08-16 Thread Tristan
Well, to spread out 1TB over a month, 1,000,000÷30 days÷24 hours÷60
minutes÷60 seconds÷2 for in/out x 8 to convert to bits equals...

1.54 Mbps, give or take. It's not exact math since a byte is 1024 instead
of 1000. Either way, 1TB gets used pretty quickly. My exit transfers 1TB in
just a few hours!

On Aug 16, 2016 2:11 PM, "Charon"  wrote:

> I'm running a Tor relay and everything is going great so far, but since
> I'm hosting on a commercial VPS, I have limited transfer (1 TB per month,
> overage: $0.02/GB). As such, I've set accounting to 10 GB per day so I'll
> at most use 620 GB in any given month and don't have to pay any overage
> costs.
>
> *Q1: can I increase this limit without paying extra?*
>
> I'm seeing that this 10 GB is hit very quickly, today within 9 hours.
>
> *Q2: how can I adjust the bandwidth limit (80 Mb/s, burst 160 Mb/s) so
> that this 10 GB is more spread out over the day? Would it help to make
> this, say, 20 or 40 Mb/s?*
>
> Thanks!
>
> Ps: if I haven't supplied sufficient details, please feel free to ask
>


Re: [tor-relays] Web server and TOR bridge at same IP:port

2016-08-16 Thread JovianMallard
If a pluggable transport is HTTP(S)-ish, I would expect nginx to be able
to use SNI or a Host header (or the lack) to decide whether to serve web
content or proxy to tor or the transport. I'm not sure if nginx can
decide to proxy tcp based on SNI, but it would be worth reading the docs.

If this is nonsense, pardon my ignorance of tor details ;)

On 08/16/2016 01:59 PM, Lucas Werkmeister wrote:
> Something like this exists: sslh[1], a "protocol demultiplexer".
> However, it doesn't explicitly support Tor, and I'm not sure if it's
> possible to distinguish between Tor packets and other TLS traffic using
> the options it offers[2].
> 
> [1]: http://www.rutschle.net/tech/sslh.shtml
> [2]: https://github.com/yrutschle/sslh/blob/v1.18/example.cfg#L37-L47
> 
> 
> On 16.08.2016 19:50, Green Dream wrote:
>> I don't think you will be able to bind two daemons to the same TCP
>> port (443). 
>>
>> Maybe you could have something else listening on TCP port 443 and
>> passing the requests onto both places?
>>
>> You might be able to put a single reverse proxy in front on that port,
>> and have that proxy send the requests to the correct daemon on the
>> backend, but I have no idea how to actually set that up. Most common
>> reverse proxy software (like nginx) isn't designed to understand or
>> handle Tor or pluggable transports like obfs4.
>>
>> There may be some application aware ("layer 4") firewalls that could
>> do something like this too, but I don't think it would be
>> straightforward. Also I'm not sure inspecting Tor packets (in order to
>> determine they're Tor packets) is a good idea... or if that could even
>> work since the packets will be obfuscated.
>>
>> Just thinking out loud... but this seems like a difficult to implement
>> idea.
>>
>>
>>


[tor-relays] A question about transfer - any advice?

2016-08-16 Thread Charon
I'm running a Tor relay and everything is going great so far, but since I'm 
hosting on a commercial VPS, I have limited transfer (1 TB per month, overage: 
$0.02/GB). As such, I've set accounting to 10 GB per day so I'll at most use 
620 GB in any given month and don't have to pay any overage costs.

Q1: can I increase this limit without paying extra?

I'm seeing that this 10 GB is hit very quickly, today within 9 hours.

Q2: how can I adjust the bandwidth limit (80 Mb/s, burst 160 Mb/s) so that this 
10 GB is more spread out over the day? Would it help to make this, say, 20 or 
40 Mb/s?

Thanks!

Ps: if I haven't supplied sufficient details, please feel free to ask
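Added example, not from the thread: Tristan's arithmetic and Charon's two questions as a small Python helper. It turns a transfer allowance into a sustained bit rate, shows how long a daily quota lasts at a given BandwidthRate, and emits torrc accounting lines. Assumptions: the hosting cap counts both directions, Tor's AccountingMax applies per direction (the reading Charon's 10 GB x 31 x 2 = 620 GB arithmetic uses), and the 10% headroom, the 30-day month and the month-start day are choices, not Tor defaults.

```python
DECIMAL_GB = 10**9       # how hosting providers count "1 TB = 1,000 GB"
TOR_GBYTE = 2**30        # Tor reads "GBytes" in torrc as 1024-based units
SECONDS_PER_DAY = 86400


def sustained_rate_bps(allowance_bytes, period_seconds, counts_both_directions=True):
    """Bits per second that would spend the allowance evenly over the period.
    A relay sends about as much as it receives, so a cap that counts both
    directions leaves half the bytes for each one (Tristan's "/2 for in/out")."""
    per_direction = allowance_bytes / (2 if counts_both_directions else 1)
    return per_direction * 8 / period_seconds


def hours_to_spend(quota_bytes, rate_bps):
    """Hours until a per-direction quota is gone at a given sustained bit rate."""
    return quota_bytes * 8 / rate_bps / 3600


def suggest_torrc(cap_gb, days=30, headroom=0.9, burst_factor=2):
    """Torrc accounting/bandwidth lines for a monthly transfer cap that counts
    both directions. Assumption: AccountingMax is applied per direction, as
    Charon's 620 GB arithmetic also assumes. headroom keeps a margin below the
    cap; every value is rounded down."""
    budget = cap_gb * DECIMAL_GB * headroom
    rate_bytes_per_s = sustained_rate_bps(budget, days * SECONDS_PER_DAY) / 8
    rate_kbytes = int(rate_bytes_per_s // 1024)
    return {
        "AccountingStart": "month 1 00:00",          # assumed billing-month start
        "AccountingMax": f"{int(budget / 2 // TOR_GBYTE)} GBytes",
        "BandwidthRate": f"{rate_kbytes} KBytes",
        "BandwidthBurst": f"{rate_kbytes * burst_factor} KBytes",
    }


if __name__ == "__main__":
    print(f"1 TB/month both ways -> "
          f"{sustained_rate_bps(10**12, 30 * SECONDS_PER_DAY) / 1e6:.2f} Mbit/s")
    print(f"10 GB at 80 Mbit/s lasts {hours_to_spend(10 * DECIMAL_GB, 80e6):.2f} h")
    for key, value in suggest_torrc(1000).items():
        print(key, value)
```

The hours_to_spend figure is the point of Q2: at 80 Mbit/s a 10 GB per-direction day can be gone in under twenty minutes of saturation, so a BandwidthRate near the sustained figure spreads the quota over the day instead of exhausting it early and leaving the relay hibernating for the rest of it.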


Re: [tor-relays] Web server and TOR bridge at same IP:port

2016-08-16 Thread Lucas Werkmeister
Something like this exists: sslh[1], a "protocol demultiplexer".
However, it doesn't explicitly support Tor, and I'm not sure if it's
possible to distinguish between Tor packets and other TLS traffic using
the options it offers[2].

[1]: http://www.rutschle.net/tech/sslh.shtml
[2]: https://github.com/yrutschle/sslh/blob/v1.18/example.cfg#L37-L47


On 16.08.2016 19:50, Green Dream wrote:
> I don't think you will be able to bind two daemons to the same TCP
> port (443). 
>
> Maybe you could have something else listening on TCP port 443 and
> passing the requests onto both places?
>
> You might be able to put a single reverse proxy in front on that port,
> and have that proxy send the requests to the correct daemon on the
> backend, but I have no idea how to actually set that up. Most common
> reverse proxy software (like nginx) isn't designed to understand or
> handle Tor or pluggable transports like obfs4.
>
> There may be some application aware ("layer 4") firewalls that could
> do something like this too, but I don't think it would be
> straightforward. Also I'm not sure inspecting Tor packets (in order to
> determine they're Tor packets) is a good idea... or if that could even
> work since the packets will be obfuscated.
>
> Just thinking out loud... but this seems like a difficult to implement
> idea.


Re: [tor-relays] Web server and TOR bridge at same IP:port

2016-08-16 Thread Green Dream
I don't think you will be able to bind two daemons to the same TCP port
(443).

Maybe you could have something else listening on TCP port 443 and passing
the requests onto both places?

You might be able to put a single reverse proxy in front on that port, and
have that proxy send the requests to the correct daemon on the backend, but
I have no idea how to actually set that up. Most common reverse proxy
software (like nginx) isn't designed to understand or handle Tor or
pluggable transports like obfs4.

There may be some application aware ("layer 4") firewalls that could do
something like this too, but I don't think it would be straightforward.
Also I'm not sure inspecting Tor packets (in order to determine they're Tor
packets) is a good idea... or if that could even work since the packets
will be obfuscated.

Just thinking out loud... but this seems like a difficult to implement idea.


[tor-relays] [WARN] Remote server sent bogus reason code 65021

2016-08-16 Thread pa011
Just established a new Exit with two instances on (Linux 3.16.0-4-amd64), Tor
0.2.8.6

On the second instance I get these warnings:

[WARN] Remote server sent bogus reason code 65021 [21 duplicates hidden]
[WARN] Remote server sent bogus reason code 65023  [95 duplicates hidden]
[NOTICE] Have tried resolving or connecting to address '[scrubbed]' at 3 
different places. Giving up. [40 duplicates hidden]

The code 65023 is ticking up by one in about 10 seconds?

The default instance is free of that.

Anything to worry about?

Thanks

Paul


Re: [tor-relays] Pi3 mid relay dropping lil bit of packets

2016-08-16 Thread Pi3
Hmm I just noticed that systemd HUPs tor exactly every 24h and now I have 16 
packets lost with 30gb relayed.
Can this be the cause?
Is there a way to log these drops without putting too much load on ram/cpu? 
Just to have a timestamp?
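Added example, not from the thread: one way to get the timestamp Pi3 asks for without running anything heavy. The Python script polls the drop and error counters in /proc/net/dev and writes a single timestamped line only when a counter increases. The two snapshots at the bottom are constructed so the parsing can be checked offline; the poll interval and file path are assumptions.

```python
import time

# Column order of /proc/net/dev after the "iface:" prefix (Linux):
#   rx: bytes packets errs drop fifo frame compressed multicast
#   tx: bytes packets errs drop fifo colls carrier compressed
WATCHED = {"rx_errors": 2, "rx_dropped": 3, "tx_errors": 10, "tx_dropped": 11}


def parse_proc_net_dev(text):
    """Return {iface: {counter: value}} for the counters in WATCHED."""
    counters = {}
    for line in text.splitlines()[2:]:           # first two lines are headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:
            continue
        counters[iface.strip()] = {k: int(fields[i]) for k, i in WATCHED.items()}
    return counters


def counter_increases(prev, curr):
    """List (iface, counter, delta) for every counter that went up between samples.
    An interface absent from the previous sample is treated as a new baseline."""
    increases = []
    for iface, now in curr.items():
        before = prev.get(iface, now)
        for key, value in now.items():
            delta = value - before.get(key, value)
            if delta > 0:
                increases.append((iface, key, delta))
    return increases


def watch(path="/proc/net/dev", interval=10, iterations=None, log=print):
    """Poll the counters and emit one timestamped line per change. Reading a
    procfs file every few seconds is negligible load even on a Pi, and nothing
    is written while the counters stay flat."""
    with open(path) as fh:
        prev = parse_proc_net_dev(fh.read())
    done = 0
    while iterations is None or done < iterations:
        time.sleep(interval)
        with open(path) as fh:
            curr = parse_proc_net_dev(fh.read())
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
        for iface, key, delta in counter_increases(prev, curr):
            log(f"{stamp} {iface} {key} +{delta}")
        prev = curr
        done += 1


# Two constructed /proc/net/dev snapshots (eth0 rx drop goes 5 -> 21).
SNAPSHOT_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      12    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
  eth0: 9876543   65432    0    5    0     0          0         0  8765432   54321    0    0    0     0       0          0
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("65432    0    5", "75432    0   21")

if __name__ == "__main__":
    print(counter_increases(parse_proc_net_dev(SNAPSHOT_BEFORE),
                            parse_proc_net_dev(SNAPSHOT_AFTER)))
    watch()            # run for real; Ctrl-C to stop
```

Correlate the stamps with the time of the daily HUP: drops clustered at that moment would support the theory, while a steady trickle spread over the day points at the link or driver, which is the kind of thing Green Dream's reply suggests checking.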


Re: [tor-relays] Pi3 mid relay dropping lil bit of packets

2016-08-16 Thread Pi3
Ok thank you for replies, will keep an eye on this.
On Tue, Aug 16, 2016 at 6:11 AM, Green Dream wrote:
> Counter-point... transmission errors are not a certainty:
>
>           RX packets:323526978271 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:249565709357 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:285274358053849 (285.2 TB)  TX bytes:287754558279252 (287.7 TB)
>
> Ideally there should be no errors. :) 11 dropped packets isn't a big deal, but I
> wouldn't be quick to dismiss these errors by default. In certain cases things
> might be improved with driver updates, or sysctl tweaks, or a new ethernet
> cable, etc.


[tor-relays] Web server and TOR bridge at same IP:port

2016-08-16 Thread Alen Hiew
Hello, listers!

Is it possible to configure, on one's own physical server, an https Web server
(for ex., Apache) at port 443 and an obfs4 or meek bridge at the same static
global IP address and the same port 443?

It's something like SNI, not for two TLS web sites with different domain
names at the same IP but for a web site on a web server and a TOR bridge. If this
is possible it will be good masking for the bridge because on others'
requests this server will reply as a simple https web server. As I
understand, it will be difficult for an observer without keys to
distinguish encrypted bridge traffic from TLS-encrypted web traffic.

If this is possible, can anyone tell me about a configuration manual/hints for
this?

WBR,
Alan Hiew.

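Added example, not from the thread or from any of the projects named in it (sslh, nginx, Tor): the demultiplexing decision that sslh or an SNI-aware front end would make on a port-443 connection, written out in Python so the cases raised in this thread can be seen side by side. `build_client_hello` constructs a minimal TLS ClientHello as test input, `extract_sni` parses the server_name extension out of the first record, and `choose_backend` routes a new connection: TLS with a listed SNI to that backend, other TLS to the web server, and anything that is not a TLS handshake at all to a plain backend. The backend addresses and the route table are hypothetical.

```python
import struct

SNI_EXTENSION = 0x0000          # server_name extension type (RFC 6066)


def build_client_hello(server_name):
    """Constructed test input: a minimal TLS 1.2 ClientHello record whose only
    extension is server_name. Real clients send far more, but the layout is the same."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (b"\x03\x03" + bytes(32)                                 # version, random
            + b"\x00"                                               # empty session id
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def looks_like_client_hello(data):
    """True if the first bytes are a TLS handshake record carrying a ClientHello."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def extract_sni(data):
    """Return the host name from the server_name extension, or None when the
    bytes are not a ClientHello or carry no SNI (obfs4 traffic is not TLS at all)."""
    if not looks_like_client_hello(data):
        return None
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        pos = 4 + 2 + 32                                    # hs header, version, random
        pos += 1 + hs[pos]                                  # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                                  # compression methods
        if pos + 2 > len(hs):
            return None                                     # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXTENSION:
                p = pos + 2                                 # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = hs[p]
                    name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if name_type == 0:                      # host_name
                        return hs[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                         # truncated or malformed
    return None


def choose_backend(first_bytes, tls_routes=None,
                   web_backend="127.0.0.1:8443", plain_backend="127.0.0.1:9001"):
    """Demux decision for a new connection (backends are hypothetical): non-TLS
    bytes go to the plain backend, e.g. an obfs4 listener; a TLS hello whose SNI
    is in tls_routes goes where the table says; every other TLS hello goes to
    the ordinary web server."""
    if not looks_like_client_hello(first_bytes):
        return plain_backend
    name = extract_sni(first_bytes)
    if name is not None and tls_routes and name.lower() in tls_routes:
        return tls_routes[name.lower()]
    return web_backend


if __name__ == "__main__":
    routes = {"bridge.example.org": "127.0.0.1:9443"}       # hypothetical TLS route
    for sample in (build_client_hello("www.example.org"),
                   build_client_hello("bridge.example.org"),
                   bytes.fromhex("7f129a00d3c4e5f6")):        # random-looking bytes
        print(extract_sni(sample), "->", choose_backend(sample, routes))
```

The non-TLS branch is the one that matters for obfs4: its handshake is designed to look like random bytes rather than TLS, so it can only ever be routed as "everything that is not a ClientHello", never by an SNI rule. The probe-then-fall-back structure is what sslh implements, and nginx's stream module later gained `ssl_preread` with `$ssl_preread_server_name` for the SNI half of it. The probe reads only the first record and never needs the web server's keys, because the ClientHello is sent in the clear.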


Re: [tor-relays] spelling mistake

2016-08-16 Thread Peter Palfrader
On Sun, 14 Aug 2016, I wrote:

>https://www.torproject.org/docs/pluggable-transports.html.en
> 
>voluntters

Thanks.  Committed a fix.

-- 
                           |  .''`.        ** Debian **
      Peter Palfrader      | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                           |   `-    https://www.debian.org/