[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Exit node blocking site?
On 2/19/06, Roger Dingledine <arma@xxxxxxx> wrote:
> On Sun, Feb 19, 2006 at 04:28:33PM -0500, Michael Holstein wrote:
> > I actually block access to groups.google.com and groups.l.google.com by
> > putting them as 127.0.0.2 in /etc/hosts -- but I noticed that TOR is
> > smart enough to notice that the address will resolve to an IP prohibited
> > by the exitpolicy, and not even try.
>
> Right now you're degrading service for other Tor users that try to go to
> groups.google.com, because you trick them into thinking that it resolves
> to something else. Also (and you'll perhaps be more motivated by this), if
> the user resolves the address into an IP first, you're not blocking that.
>
> The better answer is to change your exit policy to reflect the addresses
> and ports that aren't reachable from your server. Then clients will
> learn it from your descriptor and not even try to exit from you.
This can be done by essentially listing the IP addresses for
groups.google.com in the torrc exit policy section, right? Would
using dig on groups.google.com be sufficient to block the IP addresses
associated with that domain name? I guess what I'm wondering is this:
is there a way to learn all the IP addresses associated with a domain
name using a tool like dig? Or is it sufficiently more complicated
than that?
--
Joseph Lorenzo Hall
<http://josephhall.org/>