[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: tor provided me first warning of corrupted ISP name servers
On Sun, 24 Aug 2008 19:08:57 +0200 Sven Anderson <sven@xxxxxxxxxxx>
wrote:
>Am 24.08.2008 um 17:47 schrieb Scott Bennett:
>
>> Yesterday my tor server logged a message advising me of name =20
>> server
>> problem at the Comcast name servers whose addresses are given via =20
>> DHCP to
>> my computer upon connection to the Comcast network:
>>
>> Aug 23 17:11:32.227 [notice] Your DNS provider gave an answer for =20
>> "y75smsh5mk7ggb.test", which is not supposed to exist. Apparently =20
>> they are hijacking DNS failures. Trying to correct for this. We've =20=
>
>> noticed 1 possibly bad addresses so far.
>
>Are these tests done by the tor software? I think this tests are not =20
Yes, those messages were issued by tor. AFAIK, tor uses libresolv
for such queries. The routines in libresolv look for nameserver statements
in resolv.conf to contact, which in this case bear the addresses of the two
corrupted Comcast name servers.
>valid, since services like OpenDNS.com reply _every_ name with an =20
>address:
>
Well, that's what the two Comcast name servers in question appear
to be doing.
[sample query output deleted --SJB]
>
>This is due to the fact, that they want to redirect typos to the =20
>correct addresses. If you want, they even do stuff like ad blocking, =20
A really weak excuse for corrupting a host+domainname, IMO.
>phishing protection and similar. That would also explain redirects of =20=
>
>known addresses like google.com.
>
>I guess OpenDNS.com has become quite popular, since Dan Kaminsky =20
>himself proposed to use it, if you have no chance to fix your DNS =20
>against the recently published security hole. So if your provider =20
Oh? What is this new hole? I haven't heard much lately about named(8)
or resolver routines in terms of current problems with them.
>forwards to OpenDNS for security/financial reasons, you will see such =20=
>
>behaviour.
>
>You can check if your DNS is safe on DK's blog (in the sidebar): =
>http://www.doxpara.com/
>
>Can I switch off these tests in tor?
>
Why would you do that? Do you want your server to get labelled as
a BadExit?
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************