Opened 2 years ago

Last modified 10 months ago

#26691 new enhancement

add 'working DNS' to the list of mandatory requirements for the 'exit' flag

Reported by: nusenu
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: needs-proposal, tor-exit, tor-dirauth, tbb-needs, network-health
Cc: arthuredelstein
Actual Points:
Parent ID: #24014
Points:
Reviewer:
Sponsor:


Current requirements for the exit flag as per the spec:

"Exit" -- A router is called an 'Exit' iff it allows exits to at
least one /8 address space on each of ports 80 and 443. (Up until
Tor version 0.3.2, the flag was assigned if relays exit to at least
two of the ports 80, 443, and 6667.)

Recently the requirements for the exit flag have been changed to make 80+443 mandatory because exits only allowing 80 OR 443 would introduce too much breakage. The same is true for exits not able to resolve any DNS requests: their usefulness as an exit is limited.

"Exit" if the router is more useful for building
general-purpose exit circuits than for relay circuits.

So let's add the DNS requirement to the list of requirements for the exit flag.

The requirement should be automatically verified by dir auths by attempting DNS resolution for each exit candidate up to 5 times a day. If more than 2 resolution attempts fail the 'working DNS' requirement is not met. After 3 successful attempts no further attempts are necessary for that day.

Relays losing the exit flag have a chance to regain it after being tested again the next day.
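A model of the daily check proposed above, as an added example that is not part of the ticket and not Tor code. The function names, the injected `probe` callable and the early stop after the third failure are assumptions; the thresholds are the ones stated in the ticket.

```python
from __future__ import annotations
from typing import Callable, Iterable

MAX_ATTEMPTS = 5      # "up to 5 times a day"
MAX_FAILURES = 2      # "more than 2" failed attempts => requirement not met
NEEDED_SUCCESSES = 3  # "after 3 successful attempts no further attempts"


def dns_requirement_met(probe: Callable[[], bool]) -> tuple[bool, int]:
    """Run one day's probes for one exit candidate.

    `probe` is a hypothetical callable that performs one DNS resolution
    through the candidate and returns True on success.
    Returns (requirement_met, attempts_used).
    """
    ok = failed = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if probe():
            ok += 1
        else:
            failed += 1
        if ok >= NEEDED_SUCCESSES:
            return True, attempt
        if failed > MAX_FAILURES:
            # Assumption: stop early, the day's outcome is already decided.
            return False, attempt
    # Not reachable with 5/2/3: five results always hold 3 of one kind,
    # so the rule is effectively a best-of-five majority.
    return False, MAX_ATTEMPTS


def replay(results: Iterable[bool]) -> tuple[bool, int]:
    """Feed a recorded (here: constructed) sequence of probe results."""
    it = iter(results)
    return dns_requirement_met(lambda: next(it))


def exit_flag_by_day(meets_port_rule: bool,
                     daily_results: Iterable[Iterable[bool]]) -> list[bool]:
    """Exit flag per day: the spec's 80+443 rule AND that day's DNS check."""
    return [meets_port_rule and replay(day)[0] for day in daily_results]


if __name__ == "__main__":
    # Constructed data: DNS broken on day 1, repaired on day 2.
    print(exit_flag_by_day(True, [[False, False, False], [True, True, True]]))
```

With these thresholds a relay needs at least three probes per day either way, and three failed probes on one day are enough to drop the flag until the next day's test.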

Change History (8)

comment:1 Changed 2 years ago by asn

Keywords: tor-dirauth added

comment:2 Changed 2 years ago by nusenu

I expect this to become almost unnecessary if #24014 is implemented and deployed.

So I will check again once this has happened.

comment:3 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 2 years ago by arthuredelstein

Keywords: tbb-wants added

comment:5 Changed 2 years ago by teor

Keywords: tbb-needs added; tbb-wants removed

Prefer the more common tbb-needs to tbb-wants.
There doesn't appear to be any difference in how much TBB needs based on the flag.

comment:6 Changed 2 years ago by teor

Parent ID: #24014

comment:7 Changed 16 months ago by cypherpunks

Would it somehow be possible to use relays without the exit flag but with exitpolicy set? So that we can still make use of them while DNS is broken for some reason. (They can be forced by a 3rd-party adversary to lose the exit flag then, by making it time out DNS requests.) So that all exit connection streams with an IP as destination can still extend through a broken-DNS relay without the "DNS-Exit" flag?

comment:8 Changed 10 months ago by gk

Keywords: network-health added