[Tor-BSD] New: DNS hijacking Old: Re: NYCBUG1 earns a T-shirt!

nanotek nanotek at bsdbox.co
Thu Dec 12 00:51:57 EST 2013


> nanotek:
>>
>> Congrats!
>>
>> Maybe my dilemma can be solved with the help of this list, and
>> generate some discussion in the process. I'm trying to establish an
>> exit relay on my FreeBSD box but am facing some problems. I haven't
>> attempted fixing this in over a week because I came to the conclusion
>> that my ISP is hijacking my DNS requests (which would be a very
>> recent development as I was running a relay on my Win7 box with no
>> problems not too long ago), and that is rendering my relay
>> inaccessible. You all would have a better understanding than me
>> though.
>
> I had this a long while ago with various relays and bridges. "DNS
> hijacking", IIRC, is really not a deterrent to running a relay. It just
> means that if you attempt to hit a non-existent domain, your DNS is
> redirecting you to a search page.
>
> The best bet is just to use other public DNS, and not your providers.
>
>>
>> Some intel to work with:
>>
>> ## torrc
>> SocksPort 0
>> Log notice file /usr/local/var/log/tor/notices.log
>> RunAsDaemon 1
>> ORPort 9001
>> Nickname alphadet
>> RelayBandwidthRate 256 KB
>> RelayBandwidthBurst 512 KB
>> AccountingMax 20 GB
>> AccountingStart month 3 15:00
>> ContactInfo mark 696872F91EF8745B4FDF99061CB0654ACD57BC18 <mark at bsdbox.co <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>>
>
> Hmmm... why would you use this list's mailman interface in your contact
> info?
>
>> DirPort 9030
>> ExitPolicy accept *:6660-6667,reject *:*
>>
>> ## relevant excerpts from notices.log
>> Dec 03 03:12:40.000 [notice] Reloaded microdescriptor cache.  Found 0 descriptors.
>> [...]
>> Dec 03 03:12:41.000 [notice] Heartbeat: It seems like we are not in the cached consensus.
>> Dec 03 03:12:41.000 [notice] Heartbeat: Tor's uptime is 0:00 hours, with 3 circuits open. I've sent 0 kB and received 0 kB.
>> [...]
>> Dec 03 03:12:51.000 [notice] We'd like to launch a circuit to handle a connection, but we already have 32 general-purpose client circuits pending. Waiting until some finish.
>> [...]
>> Dec 03 03:13:33.000 [notice] We now have enough directory information to build circuits.
>> [...]
>> Dec 03 03:13:34.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
>> Dec 03 03:13:38.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
>> Dec 03 03:13:38.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
>> Dec 03 03:13:38.000 [notice] Bootstrapped 100%: Done.
>> Dec 03 03:13:38.000 [notice] Bootstrapped 100%: Done.
>> Dec 03 03:13:38.000 [notice] Now checking whether ORPort 110.146.133.98:9001 and DirPort 110.146.133.98:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
>> Dec 03 03:13:38.000 [notice] Now checking whether ORPort 110.146.133.98:9001 and DirPort 110.146.133.98:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
>> Dec 03 03:13:41.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
>> Dec 03 03:13:46.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
>>
>> ## tor process
>>   PID USERNAME    THR PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
>> 54844 _tor          2  20    0 65536K 45648K sbwait   0:16  0.00% tor
>>
>> This all would indicate Tor is successfully running as a relay.
>> Atlas, however, still reports differently:
>> https://atlas.torproject.org/#details/EE16D7A4FBCF6494FEE75C856D76782295CB9DC4
>>
>>
>
> Nothing showed up, as you noted. I wasn't able to connect to it either.
>
>>
>>
>> However, the following reveals, what I believe is, the problem:
>>
>> ## more notices.log excerpts
>> Dec 02 15:37:54.000 [warn] Mismatched accounting interval: moved by -87.92%. Starting a fresh one.
>> Dec 03 03:12:38.000 [notice] No AES engine found; using AES_* functions.
>> Dec 03 03:12:38.000 [notice] This version of OpenSSL has a slow implementation of counter mode; not using it.
>> Dec 03 03:12:40.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
>> Dec 03 03:13:44.000 [notice] Your DNS provider gave an answer for "hxfu4dgtdhch", which is not supposed to exist. Apparently they are hijacking DNS failures. Trying to correct for this. We've noticed 1 possibly bad address so far.
>>
>
> I would start troubleshooting by turning accounting off.  Are you on a
> metered connection?
>
>>
>>
>> What is hard to decipher, is that (a) the relay worked for brief
>> moments (data can be found on both metrics. and
>> atlas.torproject.org), and (b) the tor log explicitly states that the
>> relay is reachable.
>>
>> I'd love to get a relay going on this box, if you have any ideas I
>> am more than willing to implement them. Thanks!
>
> What Tor version is it?
>
> Is there anything else happening in the log file after the DNS notice?
>
>
> When it's up at least, can you run tcpdump on the interface to see?
>
> Maybe something like:
>
> $  tcpdump -e -i <interface> | grep 9001
>
> g
> _______________________________________________
> A list focused on porting and running Tor software on *BSD Unix
> Tor-BSD mailing list
> Tor-BSD at nycbug.org
> http://www.nycbug.org/mailman/listinfo/tor-bsd
>

Removed the old jail, created a new one. Built latest Tor from ports
with default build options. Here's my /usr/local/etc/tor/torrc:

SocksPort 0
ORPort 9001
Address zero.bsdbox.co
Nickname zeroAlpha
RelayBandwidthRate 1024 KB  # Throttle traffic to 100KB/s (800Kbps)
RelayBandwidthBurst 1024 KB # But allow bursts up to 200KB/s (1600Kbps)
ContactInfo zeroAlpha <zero at bsdbox.co>
DirPort 9030 # what port to advertise for directory connections
DirPortFrontPage /usr/local/etc/tor/tor-exit-notice.html
ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more


Launched Tor and took a look at the logs:

root at zero:/usr/ports/security/tor # service tor start
Starting tor.
Dec 12 04:19:36.876 [notice] Tor v0.2.3.25 (git-17c24b3118224d65) running on FreeBSD.
Dec 12 04:19:36.877 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 12 04:19:36.877 [notice] Read configuration file "/usr/local/etc/tor/torrc".
Dec 12 04:19:36.909 [notice] Initialized libevent version 2.0.21-stable using method kqueue. Good.
Dec 12 04:19:36.909 [notice] Opening OR listener on 0.0.0.0:9001
Dec 12 04:19:36.909 [notice] Opening Directory listener on 0.0.0.0:9030

root at zero:/usr/ports/security/tor # tail -F /var/log/tor
Dec 12 04:19:47.000 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Dec 12 04:19:47.000 [notice] We weren't able to find support for all of the TLS ciphersuites that we wanted to advertise. This won't hurt security, but it might make your Tor (if run as a client) more easy for censors to block.
Dec 12 04:19:47.000 [notice] To correct this, use a more recent OpenSSL, built without disabling any secure ciphers or features.
Dec 12 04:19:49.000 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Dec 12 04:19:50.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Dec 12 04:19:50.000 [notice] Bootstrapped 100%: Done.
Dec 12 04:19:50.000 [notice] Now checking whether ORPort 110.146.148.136:9001 and DirPort 110.146.148.136:9030 are reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Dec 12 04:19:52.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Dec 12 04:19:56.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Dec 12 04:20:02.000 [notice] Performing bandwidth self-test...done.
Dec 12 04:20:02.000 [notice] Performing bandwidth self-test...done.
Dec 12 04:21:45.000 [notice] Your DNS provider gave an answer for "didndtqnvv6", which is not supposed to exist. Apparently they are hijacking DNS failures. Trying to correct for this. We've noticed 1 possibly bad address so far.


Looks like it's running. Give it some time to show up on Atlas. Could
someone try connecting to it in the interim? Thanks.

n.b. Here's a link to the tcpdump output:
https://bsdbox.co/cloud/public.php?service=files&t=3661073c4303ca96728c072d76f55cfb

Thanks.

-- 
nanotek at bsdbox.co
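An added check (not code from this thread or from Tor) in the spirit of the self-test behind the "Your DNS provider gave an answer for ..." notice quoted above: ask the resolver for random names that cannot exist and report any that get an answer, which is a quick way to confirm a hijacking ISP resolver or to verify that a switch to a public resolver fixed it. The label lengths, the suffix list and the `check_dns_hijack` name are my assumptions, not Tor's implementation.

```python
"""Detect NXDOMAIN hijacking by the system's configured resolver."""
import random
import socket
import string

ALPHABET = string.ascii_lowercase + string.digits


def random_label(rng, min_len=8, max_len=16):
    """Random label in the style of the 'hxfu4dgtdhch' name Tor logged.
    Length range is an assumption, not Tor's exact algorithm."""
    n = rng.randint(min_len, max_len)
    return "".join(rng.choice(ALPHABET) for _ in range(n))


def system_resolve(name):
    """Resolve via the OS resolver; return the set of addresses, or an
    empty set when the name does not exist (the honest NXDOMAIN case)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_dns_hijack(resolve=system_resolve, suffixes=("", ".com", ".net"),
                     probes=2, seed=None):
    """Return a list of (name, sorted_addresses) for probe names that
    resolved even though they cannot exist. An empty list means the
    resolver returned NXDOMAIN for every probe, i.e. no hijacking seen.
    `resolve` is injectable so the logic can be exercised offline."""
    rng = random.Random(seed)
    hits = []
    for suffix in suffixes:          # bare label (as in the log) plus TLDs
        for _ in range(probes):
            name = random_label(rng) + suffix
            answers = resolve(name)
            if answers:
                hits.append((name, sorted(answers)))
    return hits


if __name__ == "__main__":
    found = check_dns_hijack()
    if found:
        print("Resolver answered for names that should not exist:")
        for name, addrs in found:
            print(f"  {name} -> {', '.join(addrs)}")
    else:
        print("No NXDOMAIN hijacking detected.")
```

Run it once against the ISP resolver and once after pointing /etc/resolv.conf at a public resolver; the hits list should go from non-empty to empty.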
