Should we tell Exits to reject all traffic if DNS fails?

[teor]

Tor Exits with broken DNS still allow Exit traffic.

But this slows down initial connections for clients, because the Exit will refuse all DNS requests. (Clients no longer cache DNS.)

Perhaps we should make Exits refuse traffic until their DNS is working?
(Unless a non-default option is set?)

This would also fix #21900, where a broken DNS config really does stop all Exit traffic.

[arma]

I think we think we already have exits refuse to be exits if their dns isn't working.

See check_dns_honesty_callback() and the dns_launch_correctness_checks() that it calls.

It looks like it could be improved.

[teor]

Replying to arma:

I think we think we already have exits refuse to be exits if their dns isn't working.

See check_dns_honesty_callback() and the dns_launch_correctness_checks() that it calls.

Well, maybe we try, but it doesn't work consistently right now.

In fact, chutney's upcoming offline mode (#21903) will rely on the fact that exits without DNS still allow exiting to IP addresses.

It looks like it could be improved.

If we fix this, we need to make sure AllowBrokenDNSConfig actually works. Or we need to add an option that maintains the current behaviour, because chutney relies on it.

[arma]

For chutney, see also

  if (!get_options()->ServerDNSDetectHijacking)
    return;

[cypherpunks]

But this slows down initial connections for clients, because the Exit will refuse all DNS requests. (Clients no longer cache DNS.)

#21394

[teor]

Chutney now has a workaround for this in #21903.