Opened 6 years ago

Closed 5 years ago

#8608 closed task (worksforme)

discuss deployment of oonib's dns_helper service

Reported by: aagbsn
Owned by: hellais
Priority: Medium
Milestone:
Component: Archived/Ooni
Version:
Severity:
Keywords: oonib, dns_helper, dns
Cc: hellais
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

OONI Backend (oonib) provides a dns_helper service that responds to queries on port 53 udp/tcp.

Unfortunately, the service is abused; whenever the helper is running it is being bombarded with queries from (presumably spoofed) addresses. This is a known problem with running an open recursive resolver. How can we mitigate the abuse of this service?

One possibility is to launch the dns_helper service on demand for specific OONI tests. A problem with this approach is that a client cannot use the test helper unless it also creates a report with the associated collector (which currently also requires a working Tor).

Another possibility is to implement rate-limiting, which would reduce the amount of abuse. A problem with this approach is that ooni-probe clients may see an increase in resolution failures. We don't currently dynamically adjust ooni-probe's request rate, though this is a desired feature.

And another item to consider is how DNS resolution is performed on oonib. Presently, it forwards requests to an upstream resolver (by default, Google Public DNS), which might cause problems given the volume of DNS requests seen. We should consider deploying our own DNS resolver locally or near each collector.
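The rate-limiting option discussed above is the one most easily shown in code. The following is an added example, not code from oonib or this ticket: a per-source token-bucket limiter that a UDP DNS helper could consult before answering each query, plus a small simulation on constructed traffic (a legitimate client pacing one query per second and a flood of 200 queries arriving in the same instant from one address). The class name, parameters and addresses are assumptions. Two points the ticket raises are handled directly: the `burst` allowance keeps a well-behaved ooni-probe client from seeing resolution failures, and the bounded, least-recently-seen eviction keeps a flood from spoofed source addresses from growing the tracking table without limit.

```python
from collections import OrderedDict


class PerSourceRateLimiter:
    """Token bucket per source address (hypothetical helper for a DNS responder).

    Each address gets `burst` tokens, refilled at `rate_per_sec`; one query
    costs one token. At most `max_tracked` addresses are remembered, so a
    flood from many (possibly spoofed) sources cannot exhaust memory.
    """

    def __init__(self, rate_per_sec=5.0, burst=10, max_tracked=10000):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.max_tracked = max_tracked
        # addr -> [tokens, last_seen]; ordered so the oldest entry is first
        self._buckets = OrderedDict()

    def allow(self, addr, now):
        """Return True if a query from `addr` at time `now` may be answered."""
        bucket = self._buckets.get(addr)
        if bucket is None:
            if len(self._buckets) >= self.max_tracked:
                self._buckets.popitem(last=False)  # evict least recently seen
            bucket = [self.burst, now]
            self._buckets[addr] = bucket
        else:
            tokens, last = bucket
            elapsed = max(0.0, now - last)  # tolerate a non-monotonic clock
            bucket[0] = min(self.burst, tokens + elapsed * self.rate)
            bucket[1] = now
            self._buckets.move_to_end(addr)
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False

    def tracked(self):
        """Number of source addresses currently being tracked."""
        return len(self._buckets)


def simulate(limiter, events):
    """Feed (timestamp, addr) events through the limiter.

    Returns {addr: (answered, dropped)}.
    """
    stats = {}
    for now, addr in events:
        answered, dropped = stats.get(addr, (0, 0))
        if limiter.allow(addr, now):
            answered += 1
        else:
            dropped += 1
        stats[addr] = (answered, dropped)
    return stats


def constructed_events():
    """Constructed sample traffic (documentation addresses, not real clients)."""
    legit = [(float(t), "198.51.100.7") for t in range(10)]  # 1 query/s
    flood = [(0.0, "203.0.113.9")] * 200  # 200 queries in one instant
    return sorted(legit + flood, key=lambda e: e[0])


if __name__ == "__main__":
    limiter = PerSourceRateLimiter(rate_per_sec=5.0, burst=10)
    for addr, (answered, dropped) in simulate(limiter, constructed_events()).items():
        print("%-15s answered=%3d dropped=%3d" % (addr, answered, dropped))
```

With these parameters the paced client has every query answered, while the flooding address gets only its initial burst of 10 answers and the remaining 190 queries are dropped; lowering `burst` or `rate_per_sec` trades a smaller amplification surface for a higher chance of refusing a legitimate probe that retries quickly.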

Child Tickets

Change History (1)

comment:1 Changed 5 years ago by hellais

Resolution: worksforme
Status: new → closed

The current nodes are not experiencing these sorts of issues. If this problem arises again we should create a new ticket.
