
Re: BadExit flag still needed for PrivacyNow...

     On Sun, 18 Apr 2010 09:54:31 -0500 Bill Weiss <houdini+tor@xxxxxxxxxxxx>
>Scott Bennett(bennett@xxxxxxxxxx)@Sun, Apr 18, 2010 at 03:18:47AM -0500:
>>      On Sat, 17 Apr 2010 21:54:16 -0400 Andrew Lewman <andrew@xxxxxxxxxxxxxx>
>> wrote:
>> >I may be misunderstanding the "using opendns with a misconfigured
>> >account" statement.
>> >
>>      Probably not.  The OpenDNS servers, AFAIK, require a free account 
>> be established before they will answer queries about domains other than
>> OpenDNS's own domain(s).  That can be accomplished via their web site,
>> which also allows the account holder to select various options, one of
>> which determines whether the account holder wishes to have queries about
>> certain domains be hijacked by OpenDNS in accordance with some list
>> OpenDNS maintains.  OpenDNS defaults to the censorship option, so an
>> account holder has to make the effort of turning the censorship off.
>> (Apparently, A RR queries for the ghcc.msfc.nasa.gov. domain are hijacked
>> in that way.)  The account holder can turn off all hijacking, supposedly,
>> to get the same response they would get from a fully honest name server.
>> tor exit operators are obligated to use name servers that give true
>> answers, so an exit that is querying an OpenDNS name server and that has
>> the hijacking "feature"--again, a Micro$lop usage of the word--enabled
>> is therefore a BadExit.
>I'm not weighing in on the BadExit issue, just the technical details.
>Anyone can use the OpenDNS resolvers without having an account with them.
>You just don't get to toggle any of the options without doing so.  I think

     Oh.  Okay.  Thanks for the correction.

>that, without an account, you get everything under "OpenDNS Basic" on
>their website[1] ("Web content filtering", "Proxy/anonymizer blocking",
>"Phishing protection" and "Botnet protection" being the ones we probably
>care about here).

     Looks about right.
>Scott: if the current owner doesn't have an account set up, _you_ could go
>to the OpenDNS page (via Tor so it comes from that IP) and fix their
>settings :)
>[1] http://www.opendns.com/start/

     Tsk, tsk.  Although I suspect that that would not actually violate the
criminal statute about unauthorized access, it would nevertheless be quite
unethical.  Consider the possibility that, laying tor out of view for a
moment, there are other uses being made of that computer and/or network for
which such blocking might be desired by the owner, e.g., content blocking
for a household full of children with several computers available to them
on their home network.  Granted, an exit should *not* be run in such an
environment, but it is not anyone's business to muck with the configuration
of someone else's computer or network.
>>      Even though I no longer run an exit, I had been truly fed up with
>> Comcast's hijacking name servers for a long time, so when Google started
>> offering free and open access to honest, though logging, name servers
>> at and, I switched to them immediately.  I'm not too
>> worried about the logging, because very few name server queries leave
>> my machine anyway, mainly thanks to tor.  And if I were running an exit,
>> it still wouldn't bother me much because nearly all queries leaving my
>> machine would have nothing to do with anything I was doing at the time.
>>      I've procrastinated so far about setting up a small name server here,
>> basically for caching, and I've gotten away with it, I suspect, largely
>> because I discovered nscd(8) on my system and configured it for use.
>> nscd can be configured to cache results in caches for hosts, passwd,
>> group, services, protocols, and RPCs.  Additional, system-particular
>> caches can also be defined if one has the need to do so.
>Assuming your ISP doesn't damage your queries for you or redirect outgoing
>port 53 activity to their servers, setting up Bind as a local resolver is
>super easy.  I'd be glad to help you out with a config if you'd like.
     Thanks, but I used to run the primary for the local university long
ago, as well as a few unofficial secondaries around the campus.  I've just
been lazy about setting one up because I haven't really needed one.  And,
as I wrote before, nscd has been a blessing, not only for A RR queries,
but for several other data sets as well.  I appreciate the offer, though.
FWIW, most of the situations in which my current setup fails involve being
disconnected from the ISP due to some outage or modem screwup, so having
a name server running wouldn't really help anyway.
     I just checked again, and as of 8:49 a.m. CDT, there was still no
BadExit flag assigned to PrivacyNow. :-(

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
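The thread above turns on whether a resolver answers "honestly": an exit whose name server returns an address for a name that does not exist, or substitutes a block page for a site on a filter list, is not giving Tor clients the answers the real DNS would. The following is an added example, not code from the or-talk thread or from the Tor project, of the check an exit operator (or someone deciding on a BadExit flag) could run: it builds a raw DNS A query, parses the reply, and compares the resolver under test against what a reference resolver returned. Every packet in the test is constructed offline with the block's own `build_response()` helper; `send_query()` is the only function that touches the network, and it is only called from the `__main__` block. The resolver addresses, names and IPs in the sample are assumptions chosen for illustration.

```python
"""DNS hijack/filter check (added example; not from the or-talk thread)."""
import os
import socket
import struct


def build_query(name, qid=None):
    """Build a wire-format A query for `name` with the RD bit set."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(pkt):
    """Return (id, rcode, question name, list of A addresses in the answer)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    rcode, off, qname, addrs = flags & 0x000F, 12, None, []
    for _ in range(qd):
        qname, off = _read_name(pkt, off)
        off += 4                            # skip QTYPE/QCLASS
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return qid, rcode, qname, addrs


def classify(query, response, reference_addrs):
    """Compare a resolver's reply with the reference answer for the same name.

    reference_addrs: A records an honest resolver returned, or [] for NXDOMAIN.
    Overlap (not equality) counts as honest, since CDN answers vary by vantage.
    """
    qid_sent = struct.unpack(">H", query[:2])[0]
    qid, rcode, _qname, addrs = parse_response(response)
    if qid != qid_sent:
        return "mismatched-id"
    ref, got = set(reference_addrs), set(addrs)
    if rcode == 3:                          # NXDOMAIN from resolver under test
        return "honest-nxdomain" if not ref else "blocked"
    if rcode != 0:
        return "error-rcode-%d" % rcode
    if not ref:                             # name should not exist, yet we got A records
        return "nxdomain-hijack" if got else "empty-answer"
    if got & ref:
        return "honest"
    return "redirected" if got else "empty-answer"


def build_response(query, rcode=0, addrs=()):
    """Construct a reply to `query` (used to build sample packets offline)."""
    qid = struct.unpack(">H", query[:2])[0]
    end = 12
    while query[end] != 0:                  # walk the question name
        end += 1 + query[end]
    question = query[12:end + 5]            # root byte + QTYPE + QCLASS
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + question + answers


def send_query(resolver_ip, name, timeout=3.0):
    """Send one UDP query to resolver_ip:53 and return (query, raw reply)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        r, _ = s.recvfrom(4096)
    return q, r


if __name__ == "__main__":
    # Assumed addresses: resolver under test and an honest reference resolver.
    under_test, reference = "192.0.2.53", "198.51.100.53"
    for name in ("www.example.com", "thisnamedoesnotexist-%d.example" % os.getpid()):
        _, ref_reply = send_query(reference, name)
        ref_addrs = parse_response(ref_reply)[3]
        q, r = send_query(under_test, name)
        print(name, classify(q, r, ref_addrs))
```

A probe list should include a name that cannot exist (to catch NXDOMAIN landing pages), a site that a filter category such as "Proxy/anonymizer blocking" is likely to cover, and a name you control so you know the true answer; the "blocked" and "redirected" verdicts are the ones that correspond to the filtering discussed above, while "nxdomain-hijack" is the typosquat-style substitution. A single "redirected" on a CDN-hosted name is not proof by itself, so confirm with names whose answers do not vary by vantage point.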