Hi all,

Haven't posted in a while here, it's good to see that this list is still
going strong :)

I hope that some Tor Project employee can reply on list item 2 below.

I've been co-operating an exit relay for some four years now. My usual
response to abuse notifications is adding a reject rule to my ExitPolicy
that blocks outgoing traffic to the attacked IP address/subnet. I do this
mostly to prevent overhead for the volunteer abuse coordinators that operate
the network that my exit resides in, but also to "do something" (not much,
but at least something) for the attacked network.

Yesterday however, I received a notification from my government's proactive
security alerting service, notifying me of a botnet using my exit relay for
communication. Now, I both like the Tor Project and privacy in general, and
at the same time dislike botnets. And this made me think: what if I
configure my DNS resolution to block queries for known botnet C&C domains?
It would make it a bit harder to abuse the Tor network for botnet
communications, and save a bit of bandwidth for users that have a good faith
need for anonymity (you know, these users [1]).

[1] https://2019.www.torproject.org/about/torusers.html.en

Now, I'm aware there are a couple of downsides to this:

1. Starting to block things could be considered a slippery slope. First it's
   botnets, then it's piracy, then whatever else the government dislikes.
   I'm not too worried about this as long as I can choose what I block
   myself, and I already counter BitTorrent usage by using the well-known
   ReducedExitPolicy.

2. This old GitLab wiki page [2] lists a relay that is using a censored DNS
   provider as an example of a bad relay. It however doesn't provide a
   reason for this. If the DNS provider *only* blocks requests for known C&C
   domains, would that be okay?

[2]
https://gitlab.torproject.org/legacy/trac/-/wikis/doc/ReportingBadRelays#what-is-a-bad-relay

3. Obviously, the Unbound blocklist source or censoring DNS provider that
   would be used would gain some control over traffic on the Tor network.
   I'd say this is a tradeoff. If *only* C&C domains are blocked, I would be
   okay with this.

4. Potential legal issues. I know that in some jurisdictions (the U.S. I
   believe is a good example) setting up selective filtering makes the
   filter operator at least somewhat responsible for the traffic that passes
   through the filter. I'm not too worried about this at the moment. Both my
   exit relay and I are situated in the Netherlands.

What do you guys think? Do we accept DNS filtering for blocking botnet
traffic, or do we all cry censorship over this?

Cheers,

Imre
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-le...@lists.torproject.org
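
An added example, not from Imre's setup or the Tor Project, of the Unbound blocklist step described in the mail: it turns a plain C&C domain feed (the sample below is constructed, with placeholder names) into an Unbound include file whose `local-zone ... always_nxdomain` entries answer NXDOMAIN for the listed domains and their subdomains, so nothing else the exit's resolver sees is touched. The feed file path and the include path are assumptions.

```python
"""Build an Unbound include file that answers NXDOMAIN for listed C&C domains."""
import re
from pathlib import Path

# Hostname label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample feed (not a real threat feed, placeholder names only).
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
C2-Placeholder.example
0.0.0.0 dropper.c2-placeholder.example   # hosts-file style entry
c2-placeholder.example.                  # duplicate with trailing dot
not a domain
-bad.example
"""


def is_valid_domain(name: str) -> bool:
    """Reject anything that is not a syntactically plausible multi-label hostname."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_blocklist(text: str) -> list[str]:
    """Return sorted, de-duplicated, lower-cased domains; skips comments and bad lines."""
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        # Accept "domain" or hosts-file style "0.0.0.0 domain": the name is the last field.
        name = line.split()[-1].rstrip(".")
        if is_valid_domain(name):
            seen.add(name)
    return sorted(seen)


def render_unbound(domains: list[str], action: str = "always_nxdomain") -> str:
    """One local-zone line per domain; a local-zone covers the name and everything below it."""
    return "".join(f'local-zone: "{d}." {action}\n' for d in domains)


if __name__ == "__main__":
    # Assumed paths; reference the output with `include: "/etc/unbound/cnc-block.conf"`
    # in unbound.conf and reload Unbound.
    feed = Path("/etc/unbound/cnc-feed.txt")
    text = feed.read_text() if feed.exists() else SAMPLE_BLOCKLIST
    Path("/etc/unbound/cnc-block.conf").write_text(render_unbound(parse_blocklist(text)))
```

Only entries that pass the hostname check reach the config, so a malformed or hostile feed line cannot smuggle in an unintended zone.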