Re: tor provided me first warning of corrupted ISP name servers
Quoth Sven Anderson <sven@xxxxxxxxxxx>, on 2008-08-24 19:08:57 +0200:
> Are these tests done by the tor software? I think these tests are not
> valid, since services like OpenDNS.com reply to _every_ name with an
> address:
DNS semantics say that when a name does not exist, you receive an
NXDOMAIN response. Returning an arbitrary A record instead breaks the
semantics of the Internet. You may consider this valid for your own
network, and that is okay, but inflicting changes to Internet
semantics on Tor exit traffic is a classic bad exit scenario.
Supposedly it is possible to submit a control request to OpenDNS to
turn this behavior off for certain source addresses; I haven't
confirmed this first-hand. If this is true, I imagine that Dan
Kaminsky &c. would also tell people to issue this request if they
started forwarding to OpenDNS for other unrelated people in a
non-temporary fashion.
> Can I switch off these tests in tor?
Short answer: don't.
---> Drake Wilson
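An added illustration of the distinction Drake draws above (NXDOMAIN versus a synthesized A record for a name that does not exist). This is example code written for this page; it is not Drake's, not Sven's, and not Tor's own exit-test code, and it makes no claim about how Tor actually probes. It builds a DNS A query for a random name under a probe zone (`example.com` is an assumed choice here), parses the reply at the wire-format level, and classifies the resolver as honest (RCODE 3, NXDOMAIN) or as one that hands back an address for a name that cannot exist. Two replies are constructed inline so the example runs offline; `live_check` does the same over UDP against a real resolver if you choose to run it.

```python
import os
import socket
import struct

# Wire-format constants from RFC 1035 section 4.1.
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def random_nonexistent_name(zone="example.com"):
    """A name nobody should have registered: 16 random hex chars under `zone`.
    The probe zone is an assumption of this example; the thread names none."""
    return os.urandom(8).hex() + "." + zone


def build_query(name, txid):
    """Standard recursive (RD=1) A query for `name`: one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(msg, off):
    """Offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (txid, rcode, [IPv4 strings from A records in the answer section])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return txid, rcode, addrs


def classify(expected_txid, response):
    """Judge a resolver's reply to a query for a name that does not exist."""
    txid, rcode, addrs = parse_response(response)
    if txid != expected_txid:
        return "txid-mismatch"           # not an answer to our question; ignore it
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"                # the answer DNS semantics call for
    if rcode == RCODE_NOERROR and addrs:
        return "synthesized-a-record"    # an address for a name that cannot exist
    return "other"


def live_check(resolver_ip, zone="example.com", timeout=3.0):
    """Send one probe over UDP/53 to `resolver_ip` and classify the reply. Network use; not run by the offline example."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(random_nonexistent_name(zone), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    return classify(txid, data)


# --- Constructed sample traffic so the example runs offline ------------------
def make_response(query, rcode, addrs):
    """Reply to `query`: QR/RD/RA set, given RCODE, one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + socket.inet_aton(a)
        for a in addrs)
    return header + query[12:] + answers


PROBE_TXID = 0x1234
PROBE_NAME = "7f3a9c2e5b1d4e80.example.com"  # constructed for this example, never looked up
PROBE_QUERY = build_query(PROBE_NAME, PROBE_TXID)
HONEST_REPLY = make_response(PROBE_QUERY, RCODE_NXDOMAIN, [])            # what a correct resolver says
HIJACKED_REPLY = make_response(PROBE_QUERY, RCODE_NOERROR, ["192.0.2.1"])  # RFC 5737 documentation address

if __name__ == "__main__":
    print(classify(PROBE_TXID, HONEST_REPLY))    # nxdomain
    print(classify(PROBE_TXID, HIJACKED_REPLY))  # synthesized-a-record
```

A single probe is enough to show the behaviour, but an exit that forwards to such a resolver would fail this for every nonexistent name, which is exactly why the reply above says not to switch the tests off: the test is reporting a resolver that changes answers, not a bug in the test. Note that `classify` deliberately ignores replies whose transaction ID does not match, so an unrelated or spoofed datagram is not mistaken for either verdict.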