Opened 5 months ago

Last modified 5 months ago

#28269 new defect

Repeated HSFETCH queries fail with QUERY_NO_HSDIR

Reported by: atagar
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs, tor-control
Cc: irl
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Hi lovely network team. Iain is working on a script to inform him of hidden service descriptor age. He's using stem to fetch them but unfortunately after a few HSFETCH calls it begins to fail with QUERY_NO_HSDIR. Maybe some attempt at rate limiting? Once the tor process gets into a borked state it doesn't seem to recover until I bounce the tor process.

Here's an example of my first query (which succeeds)...

>>> SETEVENTS HS_DESC HS_DESC_CONTENT
250 OK

>>> HSFETCH facebookcorewwwi
250 OK

>>> /events
HS_DESC_CONTENT facebookcorewwwi 3jjxhgi72xguhnihk4nwzrcpyvwf3ml5 $DA722ECCB9C0DE462C4FA585B93C99CCCA1C7547~SIRDRAKE2018
rendezvous-service-descriptor 3jjxhgi72xguhnihk4nwzrcpyvwf3ml5
version 2
permanent-key
-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALfng/krEfrBcvblDiM3PAkowkiAKxLoTsXt3nPEzyTP6Cw+Gdr0ODje
hmxTngN1pKiH7szk4Q1p2RabOrUHWwXmGXeDDNs00fcyU6HupgqsCoKOqCsmPac6
/58apC64A7xHeS02wtfWJp6qiZ8i6GGu6xWXRWux+ShPgcHvkajRAgMahU8=
-----END RSA PUBLIC KEY-----
secret-id-part wuyfue4erz2hlh4d5o4kduweosco6rw4
publication-time 2018-10-31 18:00:00
protocol-versions 2,3
introduction-points
-----BEGIN MESSAGE-----
aW50cm9kdWN0aW9uLXBvaW50IHR6c3U3ZXh5amVlZWU2cm92cDd1Z25lM3pxemlo
ZHk1CmlwLWFkZHJlc3MgMTQ0Ljc2Ljk2LjYKb25pb24tcG9ydCA5MDAxCm9uaW9u
... lot more base64...
L1UycythTGNtYmhITGJPWlhZRjRMcERTV1R3THkwb0ZzTEFnTUJBQUU9Ci0tLS0t
RU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0KCg==
-----END MESSAGE-----
signature
-----BEGIN SIGNATURE-----
cMLWu42NG+I5hH9QAHZUQ8eDGCUzcny/uN/FwAYiLsUSc3QLg7MKbRTZ3v2ARonB
wcUgEAGpO4wDjuEj2ivNmpt6U0smJ7nM5KTWy4l0732QnTeSEX+P53qIJ7KwxDro
+JyBARfK4orCMieHuxYtJop6YgVRQ8XN6NtP6NiDrWY=
-----END SIGNATURE-----
OK
HS_DESC RECEIVED facebookcorewwwi NO_AUTH $DA722ECCB9C0DE462C4FA585B93C99CCCA1C7547~SIRDRAKE2018 3jjxhgi72xguhnihk4nwzrcpyvwf3ml5
HS_DESC REQUESTED facebookcorewwwi NO_AUTH $DA722ECCB9C0DE462C4FA585B93C99CCCA1C7547~SIRDRAKE2018 3jjxhgi72xguhnihk4nwzrcpyvwf3ml5

... and here's an example of my fourth onward, which always fail.

>>> /events clear
cleared event backlog

>>> HSFETCH facebookcorewwwi
250 OK

>>> /events
HS_DESC_CONTENT facebookcorewwwi 3jjxhgi72xguhnihk4nwzrcpyvwf3ml5 UNKNOWN

OK
HS_DESC FAILED facebookcorewwwi NO_AUTH UNKNOWN REASON=QUERY_NO_HSDIR
HS_DESC_CONTENT facebookcorewwwi csq76xfzmtyepzmkhzz2lb7ja3vmylwu UNKNOWN

OK
HS_DESC FAILED facebookcorewwwi NO_AUTH UNKNOWN REASON=QUERY_NO_HSDIR

I'm filing this on irl's behalf. If anything's needed from me on the stem front just let me know.

Change History (4)

comment:1 Changed 5 months ago by dgoulet

There is. Upon a successful fetch of a descriptor, you can't query again that HSDir until:

/** The period for which a hidden service directory cannot be queried for
 * the same descriptor ID again. */
#define REND_HID_SERV_DIR_REQUERY_PERIOD (15 * 60)

However, the "HSDir queried time" cache can be purged with a NEWNYM signal.

But please, let's be careful here, there is a reason why that limit is there, to avoid network load and bombarding HSDir with requests like for example a client script that could be too insistent. ;)

comment:2 Changed 5 months ago by atagar

Great, thanks David! Maybe we can provide a more helpful controller response? QUERY_NO_HSDIR indicates that we don't have a hidden service directory available. Not that we're being throttled, or what to do.

comment:3 in reply to:  2 Changed 5 months ago by dgoulet

Keywords: tor-hs tor-control added
Milestone: Tor: unspecified

Replying to atagar:

Great, thanks David! Maybe we can provide a more helpful controller response? QUERY_NO_HSDIR indicates that we don't have a hidden service directory available. Not that we're being throttled, or what to do.

There are two cases where you get QUERY_NO_HSDIR:

  1. Rate limited and no more are available from the set you can query.
  2. All of the HSDir do not have the .onion descriptor so you have no more to query.

In both cases, they could probably benefit from having their own distinctive error code.

comment:4 Changed 5 months ago by irl

Cc: irl added

Ok. It would definitely help me to be able to handle the rate limiting by informing the user that they have incorrectly configured the check and should have it only run every 30 minutes.

For now I'll just leave it unhandled and leave a comment in the script.
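
Until tor reports distinct error codes, a controller script can tell the two QUERY_NO_HSDIR cases from comment:3 apart with its own bookkeeping, and wait out the re-query period from comment:1 instead of retrying. The following is an added example, not code from the ticket, tor or stem. The `HsFetchTracker` class, its verdict strings and the timestamps are assumptions made for illustration, and the verdict is a heuristic based only on events the script itself has seen.

```python
import re

# Value quoted from tor's source in comment:1.
REND_HID_SERV_DIR_REQUERY_PERIOD = 15 * 60

# HS_DESC <action> <address> <auth> <hsdir> [<descriptor id>] [REASON=<reason>]
HS_DESC_RE = re.compile(
    r"^HS_DESC (?P<action>\S+) (?P<address>\S+) \S+ (?P<hsdir>\S+)"
    r"(?: [a-z2-7]+)?(?: REASON=(?P<reason>\S+))?")


class HsFetchTracker:
    """Hypothetical helper: remembers which HSDirs recently served a descriptor."""

    def __init__(self):
        self.received = {}  # (address, HSDir fingerprint) -> time of RECEIVED

    def retry_after(self, address, now):
        """Seconds until a recently used HSDir is queryable again (0 if none blocked)."""
        waits = [t + REND_HID_SERV_DIR_REQUERY_PERIOD - now
                 for (addr, _), t in self.received.items() if addr == address]
        return min((w for w in waits if w > 0), default=0)

    def observe(self, line, now):
        """Feed one event line; returns a verdict for QUERY_NO_HSDIR failures."""
        m = HS_DESC_RE.match(line)
        if m is None:
            return None  # HS_DESC_CONTENT and unrelated lines
        if m["action"] == "RECEIVED":
            self.received[(m["address"], m["hsdir"].split("~")[0])] = now
        elif m["action"] == "FAILED" and m["reason"] == "QUERY_NO_HSDIR":
            # Assumption: a recent RECEIVED for this address means throttling.
            blocked = self.retry_after(m["address"], now) > 0
            return "rate-limited" if blocked else "no-descriptor"
        return None


# Event lines copied from the ticket; the timestamps (seconds) are constructed.
SAMPLE = [
    (0, "HS_DESC RECEIVED facebookcorewwwi NO_AUTH "
        "$DA722ECCB9C0DE462C4FA585B93C99CCCA1C7547~SIRDRAKE2018 "
        "3jjxhgi72xguhnihk4nwzrcpyvwf3ml5"),
    (120, "HS_DESC FAILED facebookcorewwwi NO_AUTH UNKNOWN REASON=QUERY_NO_HSDIR"),
    (1000, "HS_DESC FAILED facebookcorewwwi NO_AUTH UNKNOWN REASON=QUERY_NO_HSDIR"),
]

def classify(events):
    tracker = HsFetchTracker()
    return [tracker.observe(line, now) for now, line in events]
```

A script can call `retry_after()` before issuing HSFETCH and sleep for the returned number of seconds, which keeps it within the limit tor already enforces.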
