Ben Tasker's Blog

Tuning Pi-Hole to cope with huge query rates

As some may already know, I offer a small public encrypted DNS service at, offering DNS resolution via DNS-over-HTTPS (DoH) and DNS-over-TCP (DoT).

The setup I use is an evolution of that one I described when I published Building and Running your own DNS-over-HTTPS Server 18 months ago, providing ad and phishing blocking as well as encrypted transport.

It was never intended that my DNS service take over the world, in fact, on the homepage it says

A small ad and phishing blocking DNS privacy resolver supporting D-o-H and D-o-T .... This service is, at best, a small hobby project to ensure that there are still some privacy-sensitive DNS services out there.

Not all nodes in my edge even run the DNS service.

The service has always seen some use - much more than I really expected - with queries coming in from all over the globe, and query rates are pretty respectable as a result.

However, recently, query rates changed, and there was such a seismic shift in my daily graphs that the previous "routine" usage started to look like 0:

Daily query rater graph

I'm omitting figures and dates out of an abundance of caution, but the lines represent usage across different days (the vertical grey lines each denoting a day)

You can see that usage increased by several orders of magnitude (the turquoise line is the number of advertising domains blocked, so usually increases roughly proportionately).

The change in traffic rates triggered a few things

  • Alarms/notifications from my monitoring
  • Notifications from some of my connectivity providers to say they were mitigating an apparent DoS

This post is about the (very few, actually) minor things I found I needed to do to ensure Pi-Hole could keep up with the new load.

Read more ...

Onion V3 Address is live

My site has supported using V3 Onions at the transport layer for quite some time, having implemented Alt-Svc headers to allow Tor to be used opportunistically back in October 2018.

What I hadn't got around to, until now, was actually support direct access via a V3 hostname. I'd put a reasonable amount of effort into generating a personalised V2 address, and making sure it was documented/well used.

However, V2 Onions have been deprecated, and will start generating warnings in a month. Total discontinuation of V2 support is scheduled for July 15th 2021.

So, I figured I should get V3 support up and running, and have today launched the service.


Read more ...

Onion Location Added to Site has been multihomed on Tor and the WWW for over 5 years now.

Over that time, things have changed slightly - at first, although the site was multi-homed, the means of discovery really was limited to noticing the "Browse via Tor" link in the privacy bar on the right hand side of your screen (unless you're on a mobile device...).

When Tor Browser pulled in Firefox's changes to implement support for RFC 7838 Alt-Svc headers, I added support for that too. Since that change, quite a number of Tor Browser Bundle users have connected to me via Onion Services without even knowing they had that additional protection (and were no longer using exit bandwidth).

The real benefit of the Alt-Svc method, other than it being transparent, is that your browser will receive and validate the SSL cert for my site - the user will know they're hitting the correct endpoint, rather than some imposter wrapper site.

Which brings us to today.

Tor have released a new version - 9.5 - of Tor Browser bundle which implements new functionality: Onion Location

Read more ...

A comparative analysis of search terms used on and it's Onion

My site has had search pretty much since it's very inception. However, it is used relatively rarely - most visitors arrive at my site via a search engine, view whatever article they clicked on, perhaps follow related internal links, but otherwise don't feel the need to do manual searches (analysis in the past showed that use of the search function dropped dramatically when article tags were introduced).

But, search does get used. I originally thought it'd be interesting to look at whether searches were being placed for things I could (but don't currently) provide.

Search terms analysis is interesting/beneficial, because they represent things that users are actively looking for. Page views might be accidental (users clicked your result in Google but the result wasn't what they needed), but search terms indicate exactly what they're trying to get you to provide.

As an aside to that though, I thought it be far more interesting to look at what category search terms fall under, and how the distribution across those categories varies depending on whether the search was placed against the Tor onion, or the clearnet site.


This post details some of those findings, some of which were fairly unexpected (all images are clicky)

If you've unexpectedly found this in my site results, then congratulations, you've probably searched a surprising enough term that I included in this post.


Read more ...

Cynet 360 Uses Insecure Control Channels

For reasons I won't go into here, recently I was taking a quick look over the "Cynet 360" agent, essentialy an endpoint protection mechanism used as part of Cynet's "Autonomous Breach protection Platform".

Cynet 360 bills itself as "a comprehensive advanced threat detection & response cybersecurity solution for for [sic] today's multi-faceted cyber battlefield". 

Which is all well and good, but what I was interested in was whether it could potentially weaken the security posture of whatever system it was installed on.

I'm a Linux bod, so the only bit I was interested in, or looked at, was the Linux server installer.

Read more ...