discuss deployment of oonib's dns_helper service
OONI Backend (oonib) provides a dns_helper service that responds to queries on port 53 (UDP/TCP).
Unfortunately, the service is abused; whenever the helper is running it is being bombarded with queries from (presumably spoofed) addresses. This is a known problem with running an open recursive resolver. How can we mitigate the abuse of this service?
One possibility is to launch the dns_helper service on demand for specific OONI tests. A problem with this approach is that a client cannot use the test helper unless it also creates a report with the associated collector (which currently also requires a working Tor).
Another possibility is to implement rate-limiting, which would reduce the amount of abuse. A problem with this approach is that ooni-probe clients may see an increase in resolution failures. We don't currently dynamically adjust ooni-probe's request rate, though this is a desired feature.
And another item to consider is how DNS resolution is performed on oonib. Presently, it forwards requests to an upstream resolver (by default, Google Public DNS), which might cause problems given the volume of DNS requests seen. We should consider deploying our own DNS resolver locally or near each collector.
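
A sketch of the rate-limiting option discussed above, added here as an example and not taken from oonib's code: a token bucket keyed on the source network prefix, so a short burst from a probe is answered while a sustained flood naming one (possibly spoofed) network is dropped. The class name, the defaults and the point where the helper's query handler would call `allow()` are assumptions.

```python
import ipaddress
import time


class PrefixRateLimiter:
    """Token bucket per source prefix (hypothetical helper, not oonib API)."""

    def __init__(self, rate=5.0, burst=20, v4_prefix=24, v6_prefix=56,
                 max_entries=100000, clock=time.monotonic):
        self.rate = float(rate)      # tokens refilled per second, per prefix
        self.burst = float(burst)    # bucket size: short bursts are answered
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.max_entries = max_entries  # bound memory under random spoofing
        self.clock = clock
        self.buckets = {}            # prefix -> (tokens, last_seen)

    def _key(self, addr):
        # Spoofed reflection traffic carries the victim's address as source,
        # so the limit is applied to the whole network it belongs to.
        ip = ipaddress.ip_address(addr)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

    def allow(self, addr):
        """Return True if a query from addr should be answered."""
        now = self.clock()
        key = self._key(addr)
        if key not in self.buckets and len(self.buckets) >= self.max_entries:
            self._evict(now)
            if len(self.buckets) >= self.max_entries:
                return False  # table exhausted: drop instead of growing
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[key] = (tokens, now)
        return allowed

    def _evict(self, now):
        # A bucket idle for burst/rate seconds is full again, so forgetting
        # it loses no state.
        idle = self.burst / self.rate
        self.buckets = {k: v for k, v in self.buckets.items()
                        if now - v[1] < idle}
```

The `burst` value is what trades abuse reduction against the resolution failures ooni-probe clients would see: it has to cover the largest batch of queries a single test sends at once.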