Should we warn when exit nodes are using opendns or google dns?
Somewhat related to discussion on #8093 (moved) -- people are still setting up exit nodes to use OpenDNS or Google DNS. Is that really a safe idea? That makes it distressingly easy for these DNS services (or anybody watching them) to get timing information on user DNS requests.
Furthermore, the default OpenDNS configuration blocks some stuff. If we don't warn about OpenDNS in general, maybe we should warn when configuring an OpenDNS server in a way that hasn't disabled blocking.
Activity
changed milestone to %Tor: unspecified
It's a good start; let me make a few suggestions.
- There should be one table; it should probably list stuff like { "8.8.8.8", "Google" }, ...
- The message should be something more like, "it looks like you're using a public %s nameserver for your Tor exit node. This can be a problem for the network: please see (URL)" and then link to some URL.
- I think we need to detect whether the function is present using autoconf, and not just check for libevent 2. After all, many libevent 2.0 versions are out there already, without this new function.
- In the new Libevent function, you extract started_at from the evdns_base before you lock the evdns_base. That's a potential race condition, I think.
Trac:
Status: needs_review to needs_revision-
I've added a function evdns_base_get_nameserver_add() to libevent. 2.1.6-beta should have it.
I've revised the patch to use it in "feature12389". It needs a real URL and a test to see whether the option exists.
Trac:
Milestone: Tor: 0.2.6.x-final to Tor: 0.2.7.x-final
Status: needs_revision to needs_review I think we shouldn't implement this. I think Google DNS for many people is a sane choice, saner than what their ISP provides by default. Warning people off of it might not make them provide better service as exit relays. It surely is a tradeoff, but in other instances we're happy with the tradeoff (think meek - your bridge is a cdn, just like all the websites you fetch).
Which DNS server to pick is an operational choice by the relay operator, and we don't like telling people what to do in general unless we have a very good reason for it or have a policy on that such behaviour is clearly bad (like modifying content, for example). Why do we pick opendns and google here? Are there others we should pick? Why do we get to decide who is scary and who is not? A counterargument to this is that most people probably don't think about their dns provider at all, so we have a chance to reach them.
I think such a recommendation is best worded as a recommendation with evidence, maybe a blog post or tor-relays posting. Embedding a warning like that into tor makes it - to me - an official torproject policy saying "google dns is bad".
-
My counterargument is that for every one exit node operator who has used google dns after a careful consideration of risks and advantages, I bet there is at least one other who never thought about it, and wouldn't read a document full of recommendations if we made one.
If we make the warning phrased right, it will sound advisory rather commanding.
Replying to nickm:
My counterargument is that for every one exit node operator who has used google dns after a careful consideration of risks and advantages, I bet there is at least one other who never thought about it, and wouldn't read a document full of recommendations if we made one.
If we make the warning phrased right, it will sound advisory rather commanding.
Completely agree with Nick here.