[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Exit node blocking site?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Exit node blocking site?
From: "Joseph Lorenzo Hall" <joehall@xxxxxxxxx>
Date: Sun, 19 Feb 2006 14:08:42 -0800
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Sun, 19 Feb 2006 17:08:47 -0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=eL7LpfHbHQRBKINFfulql9kI/KyxkayRcAc2s42TQVf0jB8sVQPJvmyDQzlKKS9HCaha4pYGc2WbNVHYnI4HzTEIHFp7tTlF3A9PVASJCdmekU5to73jkgpwDLWrnL7KIhMlL3HwHsKddDdiFAybLDuFhzK8+eTpnKAfTul3feQ=
In-reply-to: <20060219214441.GQ15157@localhost.localdomain>
References: <43F6B51C.404@hpeters.net> <43F6CDEA.5060501@hpeters.net> <004201c634bf$3506e500$0a0aa8c0@none> <43F8E301.8090609@csuohio.edu> <20060219214441.GQ15157@localhost.localdomain>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

On 2/19/06, Roger Dingledine <arma@xxxxxxx> wrote:
> On Sun, Feb 19, 2006 at 04:28:33PM -0500, Michael Holstein wrote:
> > I actually block access to groups.google.com and groups.l.google.com by
> > putting them as 127.0.0.2 in /etc/hosts -- but I noticed that TOR is
> > smart enough to notice that the address will resolve to an IP prohibited
> > by the exitpolicy, and not even try.
>
> Right now you're degrading service for other Tor users that try to go to
> groups.google.com, because you trick them into thinking that it resolves
> to something else. Also (and you'll perhaps be more motivated by this), if
> the user resolves the address into an IP first, you're not blocking that.
>
> The better answer is to change your exit policy to reflect the addresses
> and ports that aren't reachable from your server. Then clients will
> learn it from your descriptor and not even try to exit from you.

This can be done by essentially listing the IP addresses for
groups.google.com in the torrc exit policy section, right?  Would
using dig on groups.google.com be sufficient to block the IP addresses
associated with that domain name?  I guess what I'm wondering is this:
is there a way to learn all the IP addresses associated with a domain
name using a tool like dig? Or is it sufficiently more complicated
than that?

--
Joseph Lorenzo Hall
<http://josephhall.org/>

Follow-Ups:
- Re: Exit node blocking site?
  - From: glymr darkmoon

References:
- BandwidthRate does this actually work ?
  - From: Harley Peters
- Re: BandwidthRate does this actually work ?
  - From: Harley Peters
- Exit node blocking site?
  - From: M
- Re: Exit node blocking site?
  - From: Michael Holstein
- Re: Exit node blocking site?
  - From: Roger Dingledine

Prev by Author: Re: Running a Tor exit node on an academic network?
Next by Author: Re: 0.1.0.17 questions
Previous by thread: Re: Exit node blocking site?
Next by thread: Re: Exit node blocking site?
Index(es):
- Author
- Thread