[tor-relays] DNS-over-TLS and DNSPrivacy.org (was: lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare))

2018-05-18 Thread Santiago R.R.
On 11/05/18 at 14:52, Ralph Seichter wrote:
> On 11.05.18 13:55, Nathaniel Suchy (Lunorian) wrote:
> 
> > My first thought is to use ISP DNS if it’s available - one of the best
> > things about Tor is the split of trust so why aren’t we doing that
> > with DNS? Another alternative is to use trusted recursive DNSCrypt
> > Resolvers (for example dnscrypt.ca - there are plenty of resolvers
> > like this so use a search engine of your choice to find them).
> 
> Assuming you can install whatever software you like, I recommend running
> your own instance of Unbound on your exit node machines. Current Unbound
> versions support DNSSEC validation, QNAME minimisation, etc. While using
> your ISP's resolvers works as a fallback, a local resolver is better and
> easy enough to set up.

The inconvenience of running a "standard" local resolver on the
exit relays is that the queries are forwarded in the clear. So the ISP and
others could inspect them.

I think I already mentioned DNS-over-TLS on this list, so sorry for
duplicating a message, but I think it is a good alternative to encrypt the
queries, even if that means relying on third parties (which can be
different from Quad9, Cloudflare, etc.) as resolvers.

I think the https://dnsprivacy.org material is worth reading. The project
also provides a list of several test resolvers available. Some of them
do not log or censor traffic:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

Disclaimer: I am part of the team who runs one of the no-logging test
servers. 

And of course, anyone can run a privacy-aware DNS resolver on a
different machine, to be used to forward the queries from the relays
via a privacy-aware stub resolver, such as stubby.

cheers,

Santiago


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
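
A Strict-mode stubby configuration for the setup described in the message above, as an added example that is not part of the original thread. The upstream addresses (documentation ranges) and the name `dot.resolver.example` are placeholders for a DNS-over-TLS resolver you run or trust.

```yaml
# stubby.yml on the exit relay (added example, not from the thread).
# Lines marked PLACEHOLDER are assumptions to replace with your own resolver.

resolution_type: GETDNS_RESOLUTION_STUB

# Strict privacy: TLS is the only transport offered.
# Weak variant: also listing GETDNS_TRANSPORT_UDP or GETDNS_TRANSPORT_TCP
# here lets stubby fall back to cleartext port 53 when TLS fails, which is
# exactly the exposure described above.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS

# REQUIRED: the upstream must authenticate as tls_auth_name, otherwise
# no query is sent.
# Weak variant: GETDNS_AUTHENTICATION_NONE (opportunistic mode) still
# encrypts, but accepts any certificate, so it only protects against
# passive observers, not an on-path attacker.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

# Pad queries to a multiple of 128 bytes to reduce what message sizes leak.
tls_query_padding_blocksize: 128

# Ask upstreams not to forward EDNS Client Subnet information.
edns_client_subnet_private: 1

# Spread queries across all listed upstreams instead of using them in order.
round_robin_upstreams: 1

# Keep idle TLS connections open for 10 s (value in milliseconds) so that
# most queries reuse an established session.
idle_timeout: 10000

# Local listeners; the relay's resolv.conf points here.
listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  - address_data: 192.0.2.53               # PLACEHOLDER (IPv4 documentation range)
    tls_auth_name: "dot.resolver.example"  # PLACEHOLDER
    tls_port: 853
  - address_data: 2001:db8::53             # PLACEHOLDER (IPv6 documentation range)
    tls_auth_name: "dot.resolver.example"  # PLACEHOLDER
    tls_port: 853
```

With this in place, a packet capture on the relay's uplink should show resolver traffic only on TCP port 853 and none on port 53.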


Re: [tor-relays] New relay operator here

2018-05-18 Thread privatesociety Tor
Thanks for your answers and the kind words! One relay had to be cancelled
because of bandwidth issues, but five are still a nice number. Maybe the UK
one will be replaced by an NL dedicated server with 100 mbit uplink. All
servers are then also IPv6 compatible (four are already since today). :)

Colin Childs wrote on Fri, 18 May 2018 at 03:30:

> Hi Privatesociety,
>
> Thank you for setting up these relays and contributing to the Tor network!
> I look forward to working with you in the future.
>
> In the #tor-relays IRC channel, there are a number of TorServers people,
> as well as people from partner organizations. There are also a number of us
> on this mailing list. Are you looking specifically to contribute to
> TorServers, or are you hoping to team up with a local partner organization
> / found your own partner org?
>
> If you’re unsure, I’d be happy to talk with you about options (as would
> other TS people, I’m sure). As Nusenu mentioned though, it would be helpful
> to know where you are based out of.
>
> Thanks, talk soon!
>
> On May 17, 2018, at 2:08 PM, privatesociety Tor 
> wrote:
>
> Hello tor relay community!
> I’d like to introduce six new relays, which are operated by
> privatesociety, a community of people fighting for privacy, based in
> Europe. The six relays provide a capacity of around 300 mbit/s (total) and
> are hosted on networks which aren’t much used - so better for the tor
> community. I hope we are working great together. :)
>
> Look at metrics for more details:
>
> https://metrics.torproject.org/rs.html#search/family:7AF3F4E88A5AE224DB775732A52731C8E54208A6
>
>
> Anyway: We are maybe setting up an exit in the future, but for this we’d
> like to join forces with other exit operators like TORSERVERS.net to have
> better connections in case of problems. Does anyone have contacts, which
> could be helpful?


Re: [tor-relays] FallbackDir maintenance

2018-05-18 Thread Nurtic-Vibe
Hi,

maintenance has finished and Relay is back up.

Regards,

Nurtic-Vibe


On 17.05.2018 at 20:20, Nurtic-Vibe wrote:
> Due to a disk outage, the FallbackDir
> 8C00FA7369A7A308F6A137600F0FA07990D9D451 is currently offline.
> I will keep you posted with updates.
>
> Cheers,
> Nurtic-Vibe



Re: [tor-relays] Tor Weather (was: Relay advocate introduction)

2018-05-18 Thread Tom Ritter
I have an email draft about ideas for Colin I haven't finished and Tor
Weather was going to be top of the list. So add another voice to the
crowd.

-tom

On 17 May 2018 at 16:48, Matthew Glennon  wrote:
> I don't know if it's helpful, but I use pulseway.com to monitor my relay
> (and all of my other servers).
>
> On Thu, May 17, 2018 at 5:40 PM Colin Childs  wrote:
>>
>> Hello Nusenu,
>>
>> Thank you for bringing this up and filing the ticket, this definitely
>> sounds like something that should be brought back in some form. I’m going to
>> look things over, review the history of Tor Weather and then make a plan for
>> moving this forward.
>>
>> A monitoring service (like Tor Weather) has also been requested from a few
>> other operators as well; so I think this is definitely something that will
>> make the community happier as a whole.
>>
>> > On May 17, 2018, at 2:44 PM, nusenu  wrote:
>> >
>> > Colin Childs:
>> >> I would love to hear from all of you with the things you would find
>> >> most helpful from me / the Tor Project
>> > I believe the most useful tool for relay operators and
>> > the tor network as a whole would be to bring back Tor Weather.
>> >
>> > I filed it as
>> > https://trac.torproject.org/projects/tor/ticket/26124
>> >
>> >
>> > Full text below
>> > -
>> > TL;DR: I believe Tor Weather is the most efficient way to achieve and
>> > maintain a healthy Tor network on the long run.
>> >
>> > This is an item on the metrics team road map ("Q4 2018 or later") but
>> > maybe the new relay advocate (Colin) can help with this?
>> >
>> > Tor Weather has been discontinued on 2016-04-04,
>> > see Karsten's email for the reasoning behind it:
>> > https://lists.torproject.org/pipermail/tor-relays/2016-April/009009.html
>> > but as he says "Tor Weather is still a good idea, it just needs somebody
>> > to implement it."
>> >
>> > What Tor Weather looked like:
>> >
>> > https://web.archive.org/web/20141004055709/https://weather.torproject.org/subscribe/
>> >
>> >
>> > **Motivation**
>> >
>> > If a relay disappears today, it is unlikely that anyone will notice or
>> > even send an email to the operator unless it is a big one.
>> >
>> > Relay operators and the entire tor network would benefit from a Tor
>> > Weather service because it notifies relay operators when the state of their
>> > relays changed (and more). This will increase the likelihood that relay
>> > operators notice problems and actually mitigate the problem otherwise there
>> > is no "user feedback" since tor can cope with disappearing relays quite
>> > well.
>> > It also
>> > * shows the relay operator that someone actually cares if their relays
>> > go down or become outdated or have another problem
>> > * gives the operator relay best-practices information.
>> >
>> > **Expected Effects**
>> >
>> > If enough operators subscribe to such a service:
>> > * relays might become more long lived / the churn rate might decrease
>> > * the fraction of relays running outdated tor versions might decrease
>> > * the fraction of exits with broken DNS might decrease
>> >
>> > It also has the benefit of being able to contact relay operators
>> > * completely automatically
>> > * even if they choose to not set a public ContactInfo string in their
>> > torrc files.
>> >
>> > **ideas for selectable notification types**
>> > (sorted by importance)
>> >
>> > Support subscribing via single relay FP or MyFamily groups (should not
>> > need any subscription change if a relay gets added to the family).
>> >
>> > [ ] Email me when my node is down
>> > How long before we send a notification? 
>> > [ ] email me when my relay is affected by a security vulnerability
>> > [ ] email me when my relay runs an end-of-life version of tor
>> >
>> > [ ] email me when my relay runs an outdated tor version (note: this
>> > should depend on the related onionoo bugs to avoid emailing alpha relay
>> > people)
>> >
>> > [ ] email me when my exit relay fails to resolve hostnames (DNS failure)
>> >
>> > [ ] email me when my relay loses the [ ] stable, [ ] guard, [ ] exit
>> > flag
>> >
>> > [ ] email me when my MyFamily configuration is broken (meaning:
>> > non-mutual config detected or relay with same contactInfo but no MyFamily)
>> > [ ] email me when you detect issues with my relay
>> > [ ] email me with suggestions for configuration improvements for my
>> > relay (only once per improvement)
>> >
>> > [ ] email me when my relay is on the top [ ] 20 [ ] 50 [ ] 100 relays
>> > list
>> >
>> > [ ] email me with monthly/quarterly status information that includes
>> > information like what my position in the overall relay list is (sorted by
>> > CW), how much traffic my relay did during the last month and what fraction
>> > of the months time your relay was included in consensus as running (this
>> > shows information on how many % of the months' consensuses this relay has
>> > been included and running)
>> > [ ] aggregate emails for all my rel

[tor-relays] can dirport be disabled on fallback directory?

2018-05-18 Thread starlight . 2017q4
Lately seeing escalating abuse traffic on the relay dirport, now up to 20k 
rotating source IP addresses per week.

The simple solution is to disable dirport, but the relay is a fallback 
directory and I don't want to make a change that will negatively affect the 
relay's ability to function as such.  Would disabling dirport be a problem?

also:

can a non-advertised dirport be left configured for local-system use while the 
public advertised dirport is disabled?

does a command utility or method exist for querying dirport documents via 
tunnelled-dir-server?  including miscellaneous documents such as

/tor/status-vote/current/consensus.z
/tor/keys/all.z
/tor/server/all.z
/tor/extra/all.z

/tor/server/fp/++.z
/tor/extra/fp/++.z
/tor/micro/d/-.z
/tor/keys/fp/+.z

thanks!



[tor-relays] Obfs4 Bridge Advertised Bandwidth

2018-05-18 Thread nottryingtobelame
Hello,
I am running a bridge and I have my RelayBandwidthRate set to 1024 KB (8 Mbps). 
However, the Relay Search page never shows the full Advertised Bandwidth. Right 
now it is showing 259 KiB/s. Sometimes it creeps higher but not by much. Just 
wondering what the reason for that big of a difference would be. Thanks!


Re: [tor-relays] Obfs4 Bridge Advertised Bandwidth

2018-05-18 Thread Aneesh Dogra
Due to the data your relay provides. If your relay gets popular I think it
will get the speed it deserves.


On Fri, May 18, 2018 at 10:32 PM,  wrote:

> Hello,
> I am running a bridge and I have my RelayBandwidthRate set to 1024 KB (8
> Mbps). However, the Relay Search page never shows the full Advertised
> Bandwidth. Right now it is showing 259 KiB/s. Sometimes it creeps higher
> but not by much. Just wondering what the reason for that big of a
> difference would be. Thanks!


-- 
Regardless, I hope you're well and happy -
Aneesh


[tor-relays] Bridge to Relay Balance Notice

2018-05-18 Thread Keifer Bly
Hello List,

There are some things I have noticed, I have been getting emails from this list 
regarding people setting up groups of new relays. I have also noticed that 
according to https://metrics.torproject.org/networksize.html, there are around 
6-7 thousand public relays running in the network, and only about 1,500 to 
2,000 bridge relays running (I’m guessing a fair number of which aren’t even 
obfuscated). Seeing as there is only roughly ¼ the number of bridges available 
as there are public tor relays, I think that it would be a good idea for new 
people running groups of relays to run one of their new relays as a bridge, 
especially with censorship growing in some countries such as the United Kingdom 
and even I’ve heard some US ISPs starting to block websites.

Please let me know what you all think, thank you.



Re: [tor-relays] Unusual load returning?

2018-05-18 Thread starlight . 2017q4
At 19:25 5/15/2018 +, r1610091651  wrote:
>I've noticed unusual load on the relay. Notice the huge change in load
>between 3-8 am (CET).
...
>Wondering if others experienced it recently?


One here.  Perhaps isolated probes?

May 18 11:23 Tor[]: Circuit ... : 10279/10279 TAP, 296594/296595 NTor.
May 18 17:23 Tor[]: Heartbeat: uptime is 68 days ...
May 18 17:23 Tor[]: Circuit ... : 654119/660742 TAP, 318906/318907 NTor.



Re: [tor-relays] Bridge to Relay Balance Notice

2018-05-18 Thread Alex Xu
As far as I know, bridges are currently not under heavy load.  This is
because not everyone connects via bridge. Moreover, even if everyone
did, and nobody used onion services, the total bridge bandwidth should
be exactly 1/4 the total bandwidth. Onion services require 5 (or is it
6? I think it's 5) public relays, so if everyone used bridges but
everyone also used onion services then the bridge bandwidth should be
1/6 the overall bandwidth. But, as I said, the proportion of users
connecting via bridges is much smaller than 100%.

As an aside, the ratio of counts is a poor estimate for the ratio of
bandwidth, because bridges have much less bandwidth available on average
than public relays.

Quoting Keifer Bly (2018-05-18 21:20:18)
> Hello List,
> 
>  
> 
> There are some things I have noticed, I have been getting emails from this list
> regarding people setting up groups of new relays. I have also noticed that
> according to https://metrics.torproject.org/networksize.html, there are around
> 6-7 thousand public relays running in the network, and only about 1,500 to
> 2,000 bridge relays running (I’m guessing a fair number of which aren’t even
> obfuscated). Seeing as there is only roughly ¼ the number of bridges available
> as there are public tor relays, I think that it would be a good idea for new
> people running groups of relays to run one of their new relays as a bridge,
> especially with censorship growing in some countries such as the United Kingdom
> and even I’ve heard some US ISPs starting to block websites.
> 
>  
> 
> Please let me know what you all think, thank you.
> 
>  
> 


Re: [tor-relays] Relay advocate introduction

2018-05-18 Thread Colin Childs
Hi Torix,

Thank you for your ideas, I have made note of this and will review this list 
early next week.

I hope you all have a fantastic weekend!

> On May 17, 2018, at 4:44 PM, to...@protonmail.com wrote:
> 
> Dear Colin,
> 
> Perhaps your new role would cover this - I understand from the list that the 
> uneven distribution of the Tor network around the world is a concern.  My 
> first thought is that I should run a relay in India, which has a robust 
> internet, and speaks English.  However, I don't know whom to contact over 
> there to set something up.  I was wondering if it might be worth producing a 
> list of ISPs and urls in preferred geographically distributed countries.  
> 
> Maybe we have this resource already, but the closest page I've found is the 
> Good/Bad ISPs page:
> https://trac.torproject.org/projects/tor/wiki/doc/GoodBadISPs
> but that includes mostly countries with  high percentages of tor relays, and 
> is mostly about ISP responses to exit nodes.
> 
> If I were a new person who wanted to run a relay, I would probably use the 
> cloud provider I know about or have connections with already.  If I had a 
> list of providers/urls in other countries, however, there would be a better 
> chance I would set it up somewhere else.
> 
> Just thinking..
> 
> --Torix
> 
> 
> ​Sent with ProtonMail Secure Email.​
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On May 16, 2018 11:47 AM, Colin Childs  wrote:
> 
>> Hello tor-relays!
>> 
>> My name is Colin Childs, I have been the support and translation coordinator 
>> at the Tor Project for a number of years. I am also a founding director of a 
>> TorServers partner named Coldhak here in Canada.
>> 
>> Recently, my role within the Tor Project has changed, and I am starting as 
>> the new relay advocate (as well as localization coordinator, until this 
>> responsibility can be reassigned). My job will be improving the health / 
>> happiness of the relay operator community, expanding the relay operator 
>> community, and helping improve the community bonds between operators.
>> 
>> A few of the things I will be working on are:
>> 
>> 1.  Open a #tor-relays IRC channel (this is now open, everyone should join!)
>> 2.  Reach out to relay operator groups / individuals to introduce myself and 
>> solicit feedback (beginning today)
>> 3.  Plan a relay operators meet-up at PETS in July (details to come in 
>> another email)
>> 4.  Form a team of trusted technical and legal volunteers able to help 
>> operators around the world.
>> 5.  Organizing a larger "relay operator summit" event
>> 6.  Working with operators to resolve some of the recent issues brought up 
>> on this list (DNS provider, DNSSEC, EOL releases, etc..)
>> 
>> While reaching out to operators is point 2 in that list, if you have 
>> suggestions or feedback that you'd like to send, please do not hesitate to 
>> reach out to me! I would love to hear from all of you with the things you 
>> would find most helpful from me / the Tor Project. While I cannot guarantee 
>> we can facilitate every request, we will do our best to help!
>> 
>> I look forward to working with all of you in the future, and I hope 
>> you're having a great week!


[tor-relays] Help! I'm ripping my hair out trying to get Quintex on IPv6 exit

2018-05-18 Thread John Ricketts
All,


I've been trying to bring a relay up for testing IPv6.  Relay name is 
QuintexAirVPN1.  Metrics website says that the OR Port is unreachable on 
[2620:7:6000:::c759:df51]:80 - which isn't where I set the ORPort - should 
be 443...



https://metrics.torproject.org/rs.html#details/F7447E99EB5CBD4D5EB913EE0E35AC642B5C1EF3

Config is as follows:

ORPort 443
ORPort [2620:7:6000:::c759:df51]:443
Nickname QuintexAirVPN1
ContactInfo John L. Ricketts, PhD 
DirPort 80 # what port to advertise for directory connections
DirPortFrontPage /etc/tor/tor-exit-notice.html
DisableDebuggerAttachment 0
Sandbox 1
ExitRelay 1
IPv6Exit 1
ExitPolicy accept *:*
ExitPolicy accept6 *:*
NumCPUs 2


Help!! LOL
John L. Ricketts, PhD
Quintex Alliance Consulting
(325) 262-3488
j...@quintex.com



Re: [tor-relays] Help! I'm ripping my hair out trying to get Quintex on IPv6 exit

2018-05-18 Thread teor
Hi,

> On 19 May 2018, at 13:24, John Ricketts  wrote:
>  
> I’ve been trying to bring a relay up for testing IPv6.  Relay name is 
> QuintexAirVPN1.  Metrics website says that the OR Port is unreachable on 
> [2620:7:6000:::c759:df51]:80 – which isn’t where I set the ORPort – 
> should be 443…
>  
>  
> https://metrics.torproject.org/rs.html#details/F7447E99EB5CBD4D5EB913EE0E35AC642B5C1EF3
>  
> Config is as follows:
>  
> ORPort 443
> ORPort [2620:7:6000:::c759:df51]:443
> Nickname QuintexAirVPN1
> ContactInfo John L. Ricketts, PhD 
> DirPort 80 # what port to advertise for directory connections
> DirPortFrontPage /etc/tor/tor-exit-notice.html
> DisableDebuggerAttachment 0
> Sandbox 1
> ExitRelay 1
> IPv6Exit 1
> ExitPolicy accept *:*
> ExitPolicy accept6 *:*
> NumCPUs 2

Relay Search is showing you outdated data from the 0200 UTC consensus.
Notice that the exit policy in relay search is also different from your torrc.

Consensus Health has data from the 0300 UTC consensus. It says your relay is 
reachable over IPv4 and IPv6 (Running):
https://consensus-health.torproject.org/consensus-health-2018-05-19-02-00.html#F7447E99EB5CBD4D5EB913EE0E35AC642B5C1EF3

Please wait a few hours for relay search to catch up.

T


Re: [tor-relays] Help! I'm ripping my hair out trying to get Quintex on IPv6 exit

2018-05-18 Thread John Ricketts
Oh, thank !  I thought I was nuts!  I'm fixing 
to update 49 more clients.

Thanks Tim.

On May 18, 2018, at 22:47, teor <teor2...@gmail.com> wrote:

Hi,

On 19 May 2018, at 13:24, John Ricketts <j...@quintex.com> wrote:


I've been trying to bring a relay up for testing IPv6.  Relay name is 
QuintexAirVPN1.  Metrics website says that the OR Port is unreachable on 
[2620:7:6000:::c759:df51]:80 - which isn't where I set the ORPort - should 
be 443...



https://metrics.torproject.org/rs.html#details/F7447E99EB5CBD4D5EB913EE0E35AC642B5C1EF3

Config is as follows:

ORPort 443
ORPort [2620:7:6000:::c759:df51]:443
Nickname QuintexAirVPN1
ContactInfo John L. Ricketts, PhD 
DirPort 80 # what port to advertise for directory connections
DirPortFrontPage /etc/tor/tor-exit-notice.html
DisableDebuggerAttachment 0
Sandbox 1
ExitRelay 1
IPv6Exit 1
ExitPolicy accept *:*
ExitPolicy accept6 *:*
NumCPUs 2

Relay Search is showing you outdated data from the 0200 UTC consensus.
Notice that the exit policy in relay search is also different from your torrc.

Consensus Health has data from the 0300 UTC consensus. It says your relay is 
reachable over IPv4 and IPv6 (Running):
https://consensus-health.torproject.org/consensus-health-2018-05-19-02-00.html#F7447E99EB5CBD4D5EB913EE0E35AC642B5C1EF3

Please wait a few hours for relay search to catch up.

T