
Re: BadExit flag still needed for PrivacyNow...

Scott Bennett (bennett@xxxxxxxxxx) @ Sun, Apr 18, 2010 at 03:18:47AM -0500:
>      On Sat, 17 Apr 2010 21:54:16 -0400 Andrew Lewman <andrew@xxxxxxxxxxxxxx>
> wrote:
> >I may be misunderstanding the "using opendns with a misconfigured
> >account" statement.
> >
>      Probably not.  The OpenDNS servers, AFAIK, require a free account 
> be established before they will answer queries about domains other than
> OpenDNS's own domain(s).  That can be accomplished via their web site,
> which also allows the account holder to select various options, one of
> which determines whether the account holder wishes to have queries about
> certain domains be hijacked by OpenDNS in accordance with some list
> OpenDNS maintains.  OpenDNS defaults to the censorship option, so an
> account holder has to make the effort of turning the censorship off.
> (Apparently, A RR queries for the ghcc.msfc.nasa.gov. domain are hijacked
> in that way.)  The account holder can turn off all hijacking, supposedly,
> to get the same response they would get from a fully honest name server.
> tor exit operators are obligated to use name servers that give true
> answers, so an exit that is querying an OpenDNS name server and that has
> the hijacking "feature"--again, a Micro$lop usage of the word--enabled
> is therefore a BadExit.

I'm not weighing in on the BadExit issue, just the technical details.
Anyone can use the OpenDNS resolvers without having an account with them.
You just don't get to toggle any of the options without doing so.  I think
that, without an account, you get everything under "OpenDNS Basic" on
their website[1] ("Web content filtering", "Proxy/anonymizer blocking",
"Phishing protection" and "Botnet protection" being the ones we probably
care about here).

Scott: if the current owner doesn't have an account set up, _you_ could go
to the OpenDNS page (via Tor so it comes from that IP) and fix their
settings :)

[1] http://www.opendns.com/start/

>      Even though I no longer run an exit, I had been truly fed up with
> Comcast's hijacking name servers for a long time, so when Google started
> offering free and open access to honest, though logging, name servers
> at and, I switched to them immediately.  I'm not too
> worried about the logging, because very few name server queries leave
> my machine anyway, mainly thanks to tor.  And if I were running an exit,
> it still wouldn't bother me much because nearly all queries leaving my
> machine would have nothing to do with anything I was doing at the time.
>      I've procrastinated so far about setting up a small name server here,
> basically for caching, and I've gotten away with it, I suspect, largely
> because I discovered nscd(8) on my system and configured it for use.
> nscd can be configured to cache results in caches for hosts, passwd,
> group, services, protocols, and RPCs.  Additional, system-particular
> caches can also be defined if one has the need to do so.

Assuming your ISP doesn't damage your queries for you or redirect outgoing
port 53 activity to their servers, setting up Bind as a local resolver is
super easy.  I'd be glad to help you out with a config if you'd like.

Bill Weiss
The exit code is useful when you want to know if your child grew up and
had a good life or it got run over by a truck or something.
    -- Thu Nguyen, Operating Systems
        Rutgers University, New Brunswick, New Jersey
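The thread's point is that an exit operator must use a resolver that gives honest answers, and the simplest way to check that is to probe a name that cannot exist and see whether NXDOMAIN comes back or an A record is substituted. Below is an added example (not code from the thread or from any of its participants): a minimal DNS wire-format parser plus a check for that substitution, run over constructed response messages; PROBE_NAME, build_response and the 192.0.2.1 address are all assumptions made for the example.

```python
import struct

# Probe name chosen so that no honest resolver can answer it (constructed; .invalid is reserved).
PROBE_NAME = "does-not-exist-example.invalid"

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [(rtype, rdata), ...]) for the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, msg[off:off + rdlen]))
        off += rdlen
    return rcode, answers

def resolver_hijacks_nxdomain(msg):
    """True when a name that cannot exist was answered with an A record instead of NXDOMAIN."""
    rcode, answers = parse_response(msg)
    if rcode == 3:                              # NXDOMAIN: the honest answer
        return False
    return any(rtype == 1 for rtype, _ in answers)

def build_response(rcode, a_records):
    """Constructed sample response to a query for PROBE_NAME (offline test data only)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    question = _encode_name(PROBE_NAME) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = b""
    for ip in a_records:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + body

HONEST = build_response(3, [])                  # RCODE 3, empty answer section
HIJACKED = build_response(0, ["192.0.2.1"])     # RCODE 0 with a substituted A record (TEST-NET address)
```

Against a real resolver the same check applies to the bytes returned for a UDP query on port 53; a resolver that returns an address for PROBE_NAME is rewriting answers and is not one an exit should use.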
