
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy

     On Sun, 12 Apr 2009 09:05:07 -0700 (PDT) Tripple Moon
<tripple.moon@xxxxxxxxx> wrote:
>--- On Mon, 4/6/09, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>> >>3) Same as (2) but this time I used the following
>> config options in torrc:
>> >>   'ServerDNSResolvConfFile C:\Program
>> Files\Tor\resolv.conf' and
>> 'ServerDNSDetectHijacking 0'
>> >>   With the OpenDNS servers, correctly, listed in
>> the 'resolv.conf' file.
>> >
>> >     You are running tor as a relay, as well as a
>> client?  Your 3) affects
>> >only relay operations, of course, not client
>> operations.  And, AFAIK, the only
>> >relay operations affected are exit services, so unless
>> you're running tor as
>> >an exit relay, the stuff you did in 3) should
>> effectively change nothing.
>Yes indeed I'm running tor as both relay and client.

>When I set my client to not resolve DNS queries using the tor network I get the warning messages.
>(Which of course are as expected)

     I think you may be confusing various operations that occur in differing
situations.  Your *tor* client will always attempt to resolve destination names
to addresses via a tor exit reached via a tor circuit.  (Other client software
will, I presume, do whatever it is built and/or configured to do.)  When
attempting to resolve a host+domainname given on the Address line of a torrc
file, a tor *relay* will use the resolver library, which will in turn use the
methods specified in the resolv.conf file named in the ServerDNSResolvConfFile
line in torrc.  A tor *exit* relay will also use this latter method to resolve
host+domainnames and reverse lookups.
>> >
>> >>   My scenario-goal does _still_not_ work because
>> the DNS queries are still seemingly resolved by the tor-exit
>> point.
>> >>
>> >     Correct.
>> >
>> >>So uhmm....Anyone have any ideas how I can
>> accomplish my scenario-goal?
>> >>
>> >     You haven't mentioned your reason(s) for
>> wanting to do such a thing.
>> >I surmise that you do not intend to use tor for
>> anonymity but rather for some
>> >other end, such as tunneling through a firewall.  tor,
>> however, is designed
>> >with the aim of preserving anonymity, so it issues
>> those messages to let the
>> >user/operator know that some application *may* be
>> breaking anonymity.  If
>> >your aim is different from that of tor, you may just
>> have to put up with the
>> >messages.  Given that the messages are logged to a
>> file, if anywhere, is that
>> >a problem?  You don't *have* to look at them, after
>> all.
>My reason(s) for this scenario is so that:
>1) I am able to use custom DNS-Servers for both my client and others that use my exit point, without the warning messages.

     What precisely do you mean by "custom DNS-Servers"?

>2) My, the operator's, custom DNS-Servers can speed up _and_ aid in anonymity by blocking/re-directing certain domain names to other IPs.
>Which will, in the case of OpenDNS, return a small HTML page with a message telling it's blocked.

     If you do this, while simultaneously disabling the detection of name
service hijacking, your exit relay is subject to being given a "BadExit"
flag by the directory authorities.  OTOH, if you leave the hijacking detection
enabled, then tor will automatically update its descriptor at the authorities
to show that it has stopped offering exit service.
>Preventing access to specific domains will, IMHO, improve anonymity for both the relay operator and the client using it as an exit point.

     Preventing access to destinations is only appropriately done via proper
specification of your restrictions in ExitPolicy lines in torrc.

>I came up with this scenario because I wanted to speed up the user experience _and_ kill the web's tracking behaviors as much as I can.

     Faking the address resolutions is simply a characteristic of a bad exit
relay.  Faking the address resolution does not alter the tracking abilities
of web sites in the slightest.
>So I admit I understand that for my scenario to work without the warning messages tor needs an extra config option to allow IP-only requests from custom listed IPs in its torrc file.
>(e.g. localhost/ for the local client)

     We definitely do *not* need the sort of corruption of service that you
wish to employ.  Please disabuse yourself of such notions.
>I understand that one can use Privoxy for even more advanced filtering, but a simple DNS-based filtering system is more than enough for most of the web-tracking systems IMHO.

     I can't make sense out of that at all.

>Besides, this approach will even enable tor to utilize bind+rbl :)
>It's just IMHO the next step towards _more_ anonymity...

>Oh and about the message and me not needing to look at them:
>They are logged to stdout and presented in the log-window of vidalia.
>The rest of the messages are still important enough to be seen by the operator.

     They are legitimate warnings in most cases and especially so in what you
appear to be doing.  For an application that uses predetermined IP addresses,
the messages are indeed superfluous, but they are, after all, just
warning messages, not errors.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
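The two relay configurations discussed in this exchange, side by side, as an added torrc example that is not from either poster. The first fragment is the setup described in 3) above, which disables the hijacking check and points the exit's resolver at a filtering service; the second is the approach Scott recommends, leaving ServerDNSDetectHijacking at its default of 1 and expressing destination restrictions as ExitPolicy lines. ExitPolicy matches on IP address and port, not on names, so name-based blocking has no equivalent there; the addresses and the resolv.conf path below are assumed values chosen for the example (the 192.0.2.0/24 and 198.51.100.0/24 ranges are reserved for documentation).

```text
## Fragment A: the configuration from the thread (commented out).
## A resolver that answers nonexistent names with a "blocked" page instead of
## NXDOMAIN is exactly what the hijacking check exists to catch; switching the
## check off hides it from the operator, not from the directory authorities.
# ServerDNSResolvConfFile C:\Program Files\Tor\resolv.conf
# ServerDNSDetectHijacking 0

## Fragment B: restrict destinations with the exit policy instead.
## Keep the default hijacking detection; with it on, a relay whose resolver is
## found to hijack failing lookups stops advertising exit service on its own.
ServerDNSDetectHijacking 1

## Exit policy lines are evaluated top to bottom; first match wins.
## Reject specific destinations by address/netmask and port, then accept the rest.
ExitPolicy reject 192.0.2.0/24:*
ExitPolicy reject 198.51.100.7/32:*
ExitPolicy reject *:25
ExitPolicy accept *:*
```

Fragment B changes what the relay advertises in its descriptor, so clients and directory authorities can see the restriction rather than discovering it through wrong answers, which is the difference between a restricted exit and a "bad" one.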
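To make concrete what "detection of name service hijacking" means in Scott's reply, here is an added Python illustration of the principle (not tor's own code, which lives in the tor source): look up names that cannot exist and treat a positive answer as evidence that the resolver is rewriting NXDOMAIN responses. The resolver interface, the probe count, the `example.com` parent zone and the two fake resolvers are constructed for this example so it runs offline.

```python
import random
import string
from typing import Callable, Optional

# Assumed resolver interface (hypothetical, for this example): takes a hostname
# and returns an IPv4 address string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def random_nonexistent_name(rng: random.Random, parent: str = "example.com") -> str:
    """Build a label that no zone operator would have registered under `parent`."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(rng.choice(alphabet) for _ in range(20))
    return f"{label}.{parent}"


def detect_hijacking(resolve: Resolver, probes: int = 3, seed: int = 0) -> bool:
    """Return True if the resolver answers names that should produce NXDOMAIN.

    A deterministic seed keeps the probe names reproducible for the test below;
    a real check would use fresh random labels on every run.
    """
    rng = random.Random(seed)
    for _ in range(probes):
        name = random_nonexistent_name(rng)
        if resolve(name) is not None:
            # An honest resolver has no answer for a name that does not exist.
            return True
    return False


def exit_service_allowed(resolve: Resolver) -> bool:
    """Mirror the behaviour described in the thread: with detection enabled, a
    relay whose resolver is found to hijack failing lookups stops offering exit
    service rather than handing wrong answers to clients."""
    return not detect_hijacking(resolve)


# Constructed sample zone and two fake resolvers (no network access).
HONEST_ZONE = {"www.example.com": "192.0.2.10"}


def honest_resolver(name: str) -> Optional[str]:
    """Answers only names that exist; everything else is NXDOMAIN (None)."""
    return HONEST_ZONE.get(name)


def hijacking_resolver(name: str) -> Optional[str]:
    """Behaves like a filtering service that swaps NXDOMAIN for a landing page."""
    return HONEST_ZONE.get(name, "192.0.2.99")


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("hijacking", hijacking_resolver)):
        print(f"{label}: hijacking={detect_hijacking(resolver)} "
              f"exit_allowed={exit_service_allowed(resolver)}")
```

The check is deliberately cheap: a handful of lookups for random labels is enough to distinguish a resolver that returns honest negative answers from one that returns a "blocked" page for everything, which is why disabling it in torrc gains the operator nothing the authorities cannot observe from outside.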