
Re: Open DNS



On Mon, Apr 23, 2007 at 06:20:56PM +0200, xiando wrote:
 [...]
> Their nameservers are:
> 
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> 
> At first blush their service may seem plausible. However, try them and visit 
> something like www.akljfdlkajdfasfd.com, which takes you to:
> http://guide.opendns.com/?url=www.akljfdlkajdfasfd.com
> 
> I'm sorry, but if I try a non-existing domain then I prefer to be informed 
> that the domain can not be found. OpenDNS will tell you "Sure, there's a 
> website called whateveryoutrytoresolve.com, here's the IP, and you should go 
> visit that site and view all these advertisements we've put up
> there".

Ha.  Actually, this is old news: If an exit node is running the Tor
0.1.2.x series, it can detect DNS hijacking of this kind, and
translate the IP addresses for the advertisement pages back into "no
such domain" responses.  From the ChangeLog for 0.1.2.2-alpha:

    - Workaround for name servers (like Earthlink's) that hijack
      failing DNS requests and replace the no-such-server answer with
      a "helpful" redirect to an advertising-driven search
      portal. Also work around DNS hijackers who "helpfully" decline
      to hijack known-invalid RFC2606 addresses. Config option
      "ServerDNSDetectHijacking 0" lets you turn it off.

From the svn logs:

  Instead of just checking known-invalid addresses for DNS hijacking,
  we now check randomly generated addresses, and if too many of them
  map to the same IP, we assume that IP is the destination of a DNS
  hijack attempt.

  A little bird tells me that some DNS hijackers think that declining
  to give an A record for RFC2606 addresses (like .invalid and
  .example) makes them more standards compliant.  Standardswise, this
  is like an illicit brothel making sure that nobody has pulled the
  tags off the mattress, but that doesn't get us out of working
  around it.

The anonymity issues of having a large number of exit nodes send all
their DNS requests to the same 3rd party are somewhat troubling, but
no more so than having the same number of exit nodes using the same
ISP or backbone.

Of course, this is neither an endorsement of OpenDNS nor an
endorsement of their stupid and annoying DNS NEXIST hijacking.

yrs,
-- 
Nick Mathewson
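
The check described in the svn log above, as an added sketch that is not part of the original message and is not Tor's code: probe randomly generated names and treat any IP that too many of them map to as a hijack destination. The resolvers, the addresses (documentation ranges), the probe count and the threshold are all constructed assumptions so the example runs offline.

```python
import secrets
import string
from collections import Counter

AD_PORTAL = "203.0.113.7"                      # constructed hijack destination
REAL = {"www.torproject.org": ["192.0.2.10"]}  # constructed "real" record


def hijacking_resolver(name):
    """Constructed resolver: redirects failures, but spares RFC 2606 names."""
    if name in REAL:
        return REAL[name]
    if name.endswith((".invalid", ".example")):
        return []                              # NXDOMAIN, looks compliant
    return [AD_PORTAL]


def honest_resolver(name):
    return REAL.get(name, [])                  # [] stands for NXDOMAIN


def random_hostname(tld=".com"):
    label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    return "www." + label + tld


def probe(resolve, tld, probes=10, threshold=3):
    """IPs that at least `threshold` of `probes` nonexistent names map to."""
    hits = Counter()
    for _ in range(probes):
        hits.update(set(resolve(random_hostname(tld))))
    return {ip for ip, n in hits.items() if n >= threshold}


def filter_answer(addresses, hijack_ips):
    """Drop hijack destinations; an empty result means 'no such domain'."""
    return [ip for ip in addresses if ip not in hijack_ips]


if __name__ == "__main__":
    print("known-invalid probe:", probe(hijacking_resolver, ".invalid"))
    bad = probe(hijacking_resolver, ".com")
    print("random-name probe:  ", bad)
    print("honest resolver:    ", probe(honest_resolver, ".com"))
    print("filtered answer:    ", filter_answer(hijacking_resolver("www.akljfdlkajdfasfd.com"), bad))
```

Probing only the known-invalid names finds nothing against this resolver, while the random-name probe identifies the portal address and lets later answers pointing at it be turned back into "no such domain".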
