****exit-ops**** - Exit Scanner, TorDNSEL and Tor Check Operations
# TODO Synopsis
While the three services described in this document could be implemented as discrete components,
they currently have tight coupling which means they must all be deployed on the same host.
## TODO Exit Scanner
## Exit Scanner
The exit scanner performs active measurement of Tor exit relays in order to determine the IP addresses that are used for exit connections.
The active measurement uses an exitmap module, which is wrapped in a script to produce output formatted as an [Exit List](<https://metrics.torproject.org/collector.html#type-tordnsel>).
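Review bot: The Exit Scanner paragraph says the scan determines "the IP addresses that are used for exit connections" without qualification, while a later section of this same document states "The exit scanner service does not support IPv6". Suggest saying here that the results cover IPv4 only, since this is the paragraph that consumers of the exit list will read first.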
...
...
@@ -16,46 +12,50 @@ The active measurement uses an exitmap module, which is wrapped in a script to p
The exit list results are consumed by CollecTor, [TorDNSEL](tordnsel) and [Tor Check](../check-ops/).
Exit lists and bulk exit lists are also consumed by third-party external applications at the following URLs:
-<https://check.torproject.org/exit-addresses> - Latest exit list
-<https://check.torproject.org/torbulkexitlist> - Latest bulk exit list
-<https://check.torproject.org/exit-addresses> - Latest exit list
-<https://check.torproject.org/torbulkexitlist> - Latest bulk exit list
Documentation questions:
Previous scan results are kept in the latest exit list for up to 48 hours since
they were last seen. Scans will run every 40 minutes, or continuously if scans
take longer than 40 minutes to complete.
- [ ] How long do we keep old measurements in the exit list?
- [ ] What are the timings for measurement runs?
- [ ] How many old exit lists do we keep around?
There is currently no process that will clean up old exit lists from the exit
list server.
## TODO TorDNSEL
## TorDNSEL
TorDNSEL is a DNS list service that behaves in a similar way to [Domain Name System-based Blackhole Lists](https://en.wikipedia.org/wiki/Domain_Name_System-based_Blackhole_List).
IP addresses will give positive results in the event that an address has been found to be used by an exit relay in a recent scan.
Documentation questions:
As with the exit lists, IP addresses will be removed after not being seen for
48 hours.
- [ ] For how long does an address give a positive result?
- [ ] Do we also include all IP addresses of exit flagged relays in the consensus?
A future update to this script may include information from the consensus, but
currently a postitive match must have been found from the exit scanner for an
IP address to be included.
## TODO Tor Check
## Tor Check
Tor Check is a website that can be used to determine if a browser is using the Tor network for queries.
It will also check the User-Agent to determine if a user is using Tor Browser.
It is accessed via HTTPS at <https://check.torproject.org/>.
Documentation questions:
There are also JSON APIs:
- [ ] Where is the JSON API?
-<https://check.torproject.org/api/ip> - Check IP and if it's a Tor IP
-<https://check.torproject.org/api/bulk> - Bulk exit list exporter
# DONE Contacts
# Contacts
The primary contact for this service is the Metrics Team <[metrics-team@lists.torproject.org](mailto:metrics-team@lists.torproject.org)>.
For urgent queries, contact **karsten**, **irl**, or **gaba** in .
For urgent queries, contact **karsten** or **gaba** in IRC.
# TODO Overview
# Overview
The underlying infrastructure for the exit scanner, TorDNSEL and Tor Check services is provided by the
Tor Sysadmin Team (TSA). All services run on one virtual machine with the hostname `check-01.torproject.org`.
## TODO Exit Scanner
## Exit Scanner
Documentation questions:
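Review bot: The new sentence "There is currently no process that will clean up old exit lists from the exit list server" documents unbounded growth on a host that, per the Synopsis and Overview, also runs TorDNSEL and Tor Check. Suggest stating how long lists are expected to be kept, or pointing to a ticket for the cleanup. In the TorDNSEL paragraph, "postitive" should be "positive". That paragraph should also say explicitly that a negative answer means "not seen by the scanner in the last 48 hours" rather than "not an exit", because consensus data is not used. Under Tor Check, "Check IP and if it's a Tor IP" would read better as a description of what the endpoint returns.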
...
...
@@ -64,9 +64,7 @@ Documentation questions:
- [ ] What user is used?
<aid="orgdeab8dc"></a>
## TODO TorDNSEL
## TorDNSEL
Documentation questions:
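Review bot: The TorDNSEL heading loses its TODO marker while the section still opens with "Documentation questions:", and the preceding Exit Scanner section still carries the unchecked item "What user is used?". Suggest keeping the TODO state on headings until their question lists are resolved. The service account in particular is worth answering before the section is marked done, since all three services share one VM.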
...
...
@@ -219,8 +217,12 @@ The exit scanner service produces exit lists according to the [TorDNSEL exit lis
The exit scanner service does not support IPv6.
Serial numbers for the DNS zones are based on the date. This needs to be better
planned out before 2042, where we will see integer overflows on the serial
number.
<aid="orgc36e19c"></a>
Previous exit lists to merge are found using a glob that will break after 23:59
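Review bot: The added paragraph on zone serial numbers gives a year (2042) but not the serial format, so a reader cannot verify the overflow date. Suggest stating the exact date-based layout and that the SOA serial is an unsigned 32-bit field, so the limit can be recomputed. Wording: "before 2042, where we will see" should be "before 2042, when we will see". The following sentence about the glob for previous exit lists would benefit from the same treatment: name the pattern and the condition that breaks it.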