Re: [tor-relays] DNS server

2022-04-11 Thread Thoughts
DNS caching (not "Cash") simply does a normal lookup for a requested DNS 
name and remembers the answer for some period of time, so that the next 
time that name is requested it can answer from its cache of known 
addresses in microseconds (instead of the hundreds of milliseconds it 
might take to inquire over the internet).


All caching software will eventually "forget" and re-inquire, since 
addresses do change occasionally.  But think of that happening once 
every hour or four.


For example, think of a bitcoin miner set up to mine against a pool, say 
btc.viabtc.com.  The first time the miner asks for work, a request is 
sent to the caching DNS server to resolve btc.viabtc.com.  The server 
doesn't know who that is, so it goes upstream to the internet to its 
forwarding server, let's say 8.8.8.8, to get the answer.  That server 
responds in, say, 150 milliseconds with the answer: 172.65.233.152.  
The caching server remembers that answer and responds with it to the 
bitcoin miner, which then initiates a connection to 172.65.233.152: 
( is the port number on the server that responds to work requests). 
About 2 minutes later, the miner will have completed its work and will 
request more work from btc.viabtc.com - but this time the caching server 
knows the answer and can respond in a millisecond or less with the 
answer.  So it's more efficient...


Not a big deal if your site has 1 bitcoin miner, but if it is a farm, it 
might have anywhere from 100 to 100,000 bitcoin miners - that difference 
of 149 milliseconds really adds up.


With regards to "safety", I suppose... maybe.  If the Google public DNS 
server got hacked and instead of answering with 172.65.233.152 instead 
answered with 172.65.230.171 (a competitor's pool that also runs on port 
), you would have the hours before the cache expired for Google to 
figure it out and correct things.  The "maybe" comes from the timing 
required.  If your caching DNS server happened to hit Google's DNS server 
when it was corrupted, and Google fixed things seconds later, your 
caching server would continue to respond with the wrong address until 
the entry expired.


So I'd say "Not really".  Hope the above explains why...

On 4/9/2022 7:05 PM, onion...@riseup.net wrote:

Does Cash DNS give some advantages in safety?
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
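As an added illustration of the two points made in the message above (it is not part of the thread and not code from unbound, dnsmasq or bind), here is a toy model of a caching forwarder in Python. It simulates the miner's repeated lookups against an upstream resolver with a fixed TTL, and then the "maybe" case: the upstream hands out a wrong address for five seconds and is fixed again, and the forwarder keeps serving that address until the cached entry expires. The name, the two addresses and the 150 ms latency are the illustrative values from the post, not real resolution results; the optional TTL cap stands in for what unbound's cache-max-ttl (or bind's max-cache-ttl) does to such an entry.

```python
"""Toy model of a caching DNS forwarder, written for this thread.  It is not
a real resolver and not code from unbound, dnsmasq or bind.  It shows the two
points made above: repeated lookups are answered from cache without an
upstream round trip, and a bad answer received from the upstream resolver is
kept until its TTL runs out, even if the upstream is corrected seconds later.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed values for the simulation: the name and addresses are the
# illustrative ones from the post, the latency is the post's "say 150 ms".
POOL_NAME = "btc.viabtc.com"
GOOD_ADDR = "172.65.233.152"
BAD_ADDR = "172.65.230.171"
UPSTREAM_LATENCY_MS = 150

# upstream(name, now) -> (address, ttl_seconds)
Upstream = Callable[[str, float], Tuple[str, int]]


@dataclass
class Entry:
    address: str
    expires_at: float  # seconds on the forwarder's clock


@dataclass
class CachingForwarder:
    """Answers from cache while an entry is unexpired, else asks upstream.

    max_ttl caps how long any answer is kept regardless of the TTL the
    upstream sent (the role of unbound's cache-max-ttl / bind's max-cache-ttl);
    None keeps the upstream TTL, 0 disables caching altogether.
    """
    upstream: Upstream
    max_ttl: Optional[int] = None
    cache: Dict[str, Entry] = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, name: str, now: float) -> Tuple[str, int]:
        """Return (address, latency_ms) as the client sees it at time now."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.address, 0           # hit: no round trip
        address, ttl = self.upstream(name, now)
        self.upstream_queries += 1
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        self.cache[name] = Entry(address, now + ttl)
        return address, UPSTREAM_LATENCY_MS   # miss: paid the upstream trip


def make_upstream(ttl: int, bad_from: float = -1, bad_until: float = -1) -> Upstream:
    """Upstream that serves BAD_ADDR during [bad_from, bad_until) and GOOD_ADDR
    at all other times, always with the given TTL (constructed behaviour)."""
    def upstream(name: str, now: float) -> Tuple[str, int]:
        assert name == POOL_NAME, "single-name toy upstream"
        return (BAD_ADDR if bad_from <= now < bad_until else GOOD_ADDR), ttl
    return upstream


def miner_session(requests: int, interval_s: float, cached: bool) -> Tuple[int, int]:
    """A miner asks for work every interval_s seconds.  Returns the total DNS
    latency it waited for (ms) and how many queries reached the upstream."""
    fw = CachingForwarder(make_upstream(ttl=3600), max_ttl=None if cached else 0)
    total_ms = 0
    for k in range(requests):
        _, latency = fw.resolve(POOL_NAME, k * interval_s)
        total_ms += latency
    return total_ms, fw.upstream_queries


def wrong_answer_window(upstream_ttl: int, max_ttl: Optional[int],
                        bad_from: float, bad_until: float) -> int:
    """Seconds during which clients of the forwarder get BAD_ADDR when the
    upstream is corrupted only during [bad_from, bad_until).  Polls the
    forwarder once per second for the bad window plus two upstream TTLs."""
    fw = CachingForwarder(make_upstream(upstream_ttl, bad_from, bad_until), max_ttl)
    horizon = int(bad_until) + 2 * upstream_ttl
    return sum(1 for t in range(horizon)
               if fw.resolve(POOL_NAME, float(t))[0] == BAD_ADDR)


if __name__ == "__main__":
    print("30 work requests, 2 min apart, cached:  ", miner_session(30, 120, True))
    print("30 work requests, 2 min apart, uncached:", miner_session(30, 120, False))
    # Upstream poisoned for 5 s exactly when the cached entry expires (t=3600):
    print("bad seconds, upstream TTL 1h, no cap:   ",
          wrong_answer_window(3600, None, 3600, 3605))
    print("bad seconds, upstream TTL 1h, cap 300 s:",
          wrong_answer_window(3600, 300, 3600, 3605))
    # Same 5 s outage while the cache is still fresh: never seen at all.
    print("bad seconds, outage at t=3500, no cap:  ",
          wrong_answer_window(3600, None, 3500, 3505))
```

With a one-hour upstream TTL the thirty lookups cost one upstream round trip instead of thirty, which is the efficiency argument. The last three runs are the timing argument: whether the forwarder ever sees the bad answer depends entirely on whether its entry happens to expire inside the five-second outage, and once it does, the wrong address is served for the whole remaining TTL unless the forwarder caps cached TTLs itself.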


Re: [tor-relays] Relay question

2022-04-11 Thread onionize
> 30 new exits at Frantec. Did you follow the AUP and send Francisco a ticket 
> _beforehand_? Reverse DNS! Exit policy Port: 465, 587! 
> https://buyvm.net/acceptable-use-policy/
No, we did not pay attention to their AUP. We have long been using their
services for proxies and there were no problems. Thank you for the reminder.


> You only set up IPv4. At Frantek you also have IPv6 on every VM. If you need 
> help setting it up, you can ask here and specify your OS.
We think that IPv6 is rarely used and therefore did not set it up. The site
yui.cat shows that our nodes are offline because IPv6 is not configured, right?


[tor-relays] Does Tor work with Intel QAT acceleration

2022-04-11 Thread Andreas Bollhalder

Hi all

I have my first Tor relay up and running. It's currently installed on a little 
desktop computer with an Intel i5 9500T CPU. My Internet connection is 10Gb/s 
symmetric. From this bandwidth, I would be able to spend a good part on 
supporting the Tor network.

With that little machine, it seems that it would max out somewhere at ~30 
MBytes/s. For my definitive Tor relay hardware, I'm currently researching some 
options which would be capable of handling Tor traffic at the rate of 200 to 
300 MBytes/s. Even if it wouldn't all be used nowadays, who knows what's coming 
in the future, and I hope this relay would last 5 years or so.

It looks to me that with a normal CPU it's impossible to reach my goal. But 
then I discovered that Intel has the Quick Assist Technology (QAT) integrated 
in some of their products (e.g. Atom C3xx8). This QAT can be used with OpenSSL 
as a hardware accelerator for encryption. There also exist dedicated PCIe cards 
with QAT (e.g. Netgate CPIC-8955).

Searching the Internet, I couldn't find any information on whether QAT would be 
helpful with Tor. But Tor uses the OpenSSL library and this can use the QAT 
acceleration. Is there anyone who has tried this and can share his experience?

Thanks in advance
Andreas


Re: [tor-relays] DNS server

2022-04-11 Thread onionize
Does Cash DNS give some advantages in safety?
On 2022-04-08 08:06, Thoughts wrote:
> Note that any dns caching software would help, unbound is just one
> popular one.  dnsmasq is another.  In fact, if you wanted to, you
> could use the full bind package and configure it for caching and
> forwarding, although that would be a bit of overkill.  Once you
> install caching software, make sure your /etc/resolv.conf or
> equivalent is pointing to 127.0.0.1 as its first reference.
> On 4/8/2022 2:04 AM, abuse--- via tor-relays wrote:
> 
>> From my point of view, it's mostly about reliability. You can use
>> the hoster's DNS resolver, but be aware that a high-bandwidth exit
>> asks a lot of DNS requests. Not every hoster's DNS resolver might be
>> able to cope with it and as a result your exit might give users a
>> poor experience.
>>
>> Best Regards,
>>
>> Kristian
>>
>> Apr 8, 2022, 07:20 by onion...@riseup.net:
>>
>>> I was setting up exit nodes and I had a question. Why is it
>>> recommended
>>>
>>> to use DNS caching software Unbound? What benefits does it provide
>>>
>>> compared to using hoster's DNS resolver?


Re: [tor-relays] Relay question

2022-04-11 Thread lists
On Sunday, April 10, 2022 2:04:02 AM CEST onion...@riseup.net wrote:
> > 30 new exits at Frantec. Did you follow the AUP and send Francisco a
> > ticket
> > _beforehand_? Reverse DNS! Exit policy Port: 465, 587!
> > https://buyvm.net/acceptable-use-policy/
> 
> No, we did not pay attention to their AUP. We have long been using their
> services for proxy and there were no problems. Thank you for reminding.
> 
> > You only set up IPv4. At Frantek you also have IPv6 on every VM. If you
> > need help setting it up, you can ask here and specify your OS.
> 
> We think that IPv6 is rarely used and therefore did not put it up.

The Tor project has invested a lot of time and effort into improving IPv6 over 
the last few years. The aim is to also enable IPv6-only relays. We want to 
achieve more diversity, Tor exit relays under different ASNs and multiple 
ISPs. With IPv4 this is difficult. IPv4 addresses are exhausted, and to get a 
/24 you have to pay around 5000 EUR in the first year with RIPE. One /24 is the 
least you can announce as an ASN. You can't split that between different data 
centers. IPv6 is easier and cheaper to get. In addition, there are more and 
more ISPs that only offer IPv6.

IPv6-only relays are only possible when almost all Tor relays support it. 
Currently about 75% of Tor exits¹ and 50% of entry/middle relays do.
https://nusenu.github.io/OrNetStats/#ipv6-relay-stats
Therefore, anyone who can should configure IPv6 or dual stack.

> Site
> yui.cat shows that our nodes offline because not configured IPv6, right?

No, yui.cat has nothing to do with it. This is a private status page using 
data from onionoo and Tor metrics.
First look at what's in the syslog. If you need help, then post the errors and 
your torrc.
When the Tor daemon is running without errors, then, as already mentioned, I 
think Francisco took you offline because your relays were blacklisted for open 
SMTP ports. Check if you have tickets in Stallion. Or ask in the Frantech 
community chat on Discord, Matrix and IRC.

¹Heck, we've lost some IPv6 % since relayon is down. :-(

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] Does Tor work with Intel QAT acceleration

2022-04-11 Thread Thoughts

Two suggestions:

1)  Run speedtest (https://www.speedtest.net) from behind your firewall 
and verify your actual bandwidth (or at least get a good approximation).


2)  Check the brand of NIC in your current machine.  Intel NICs are 
reportedly much more efficient than Realtek for handling large numbers of 
packets - which is why they are recommended for most firewall machines.  
Suspect that logic would apply for a Tor relay as well.


Suspect you also want a CPU with AES-NI support.  Check the specs on the 
web, AES-NI should be called out.  "cat /proc/cpuinfo | grep aes" will 
also tell you if you're running some flavor of Linux.


Kevin

ps. Dig around on the web for firewall hardware recommendations. I know 
I've seen some tables on throughput for pfSense, shouldn't be too hard 
to find and might throw some light on the situation.


pps.  Very jealous of your connectivity!



Re: [tor-relays] Does Tor work with Intel QAT acceleration

2022-04-11 Thread Andreas Bollhalder

Hello Kevin

Thanks a lot for your response.

1) Regarding the speedtest, my firewall is limiting the speed to around 
6.5Gbit/s. It's a fanless device and not capable of letting me use the full 
10Gbit/s. I host my hardware in my living room and can't install anything more 
powerful, because it would be too noisy and too big... My wife and kids will 
kill me :-)

2) For the NIC currently in use: it's an Intel I219-LM (rev 10). Maybe there are 
better models around. But I don't believe they would lower the CPU usage by 
an order of magnitude or more. But I'm open to being educated if I'm wrong.

3) The CPU in use has the AES-NI flag set in "/proc/cpuinfo". So a little 
acceleration is already in use.

In the old days when using pfSense on a PC Engines ALIX, I was using a mini PCI 
crypto accelerator card. And it could double or triple the OpenVPN speed. So 
it seemed to me that QAT could do the same for Tor.

Andreas



Re: [tor-relays] Does Tor work with Intel QAT acceleration

2022-04-11 Thread Andreas Bollhalder

Hello Alex

Thank you for your nice hint about QAT_Engine.

Yes, in theory it really seems to be possible. Looking at the GitHub repo of 
the QAT_Engine, it looks like there are still some issues with OpenSSL 3.0:

    Support for QAT HW ECX, QAT SW ECX, QAT HW PRF and QAT HW HKDF is disabled 
    when built against OpenSSL 3.0 due to known issues; instead it uses the 
    non-accelerated implementation from OpenSSL.

I'm on Ubuntu 20.04, so I should still be using OpenSSL 1.x. There are plans 
for switching to OpenSSL 3.0 in Ubuntu 22.04. We'll see...

So, one really has to test and I need to think about it. It wouldn't be a cheap 
test, but if this platform can give me a medium-power system (~50W) and great 
speed, then it's definitely what I'm looking for. Otherwise I would prefer a 
Ryzen like the 5750GE.

Andreas

On Tuesday, April 12, 2022 03:42 CEST, Alex Xu  wrote:
In theory, you should be able to enable QAT with "HardwareAccel 1" on
OpenSSL 1.x after installing https://github.com/intel/QAT_Engine. I'm
not sure about the process for OpenSSL 3.0; I believe it involves
editing OPENSSLDIR/openssl.cnf.

 