[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: transparent forced dns-'proxy' on Exit-Node - is it ok?

To: or-talk@xxxxxxxxxxxxx, or-talk@xxxxxxxxxxxxx
Subject: Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
From: "Gisela Herfel" <herfel@xxxxxxx>
Date: Tue, 09 Jan 2007 21:43:06 +0100
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Tue, 09 Jan 2007 15:43:25 -0500
In-reply-to: <bb1289090701091050m59fa8405o2e7f09f435fc966b@mail.gmail.com>
References: <20070109120547.110960@gmx.net> <bb1289090701091050m59fa8405o2e7f09f435fc966b@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

> "Alexander Janssen" wrote:
> Hi,
> 
> On 1/9/07, herfel [...] wrote:
> > [... redirecting DNS-traffic to TOR via iptables ...]
> 
> have a look at trans-proxy-tor and dns-proxy-tor, both available from
> http://p56soo2ibjkx23xo.onion/ . I haven't looked into it yet, your
> mileage may vary.

Where did you get that quote from? I don't think I wrote that, I certainly didn't mean that. Sorry for the confusion if my question was unclear.

This is about a Tor-Server that's currently running with reject */*. I could accept port 53 (dns), but only if it was ok to force-redirect everything to my own dns-server. (Or simplified: I do not want people to send arbritrary tcp-traffic out of my port 53; but I would be ok with answering regular old DNS-queries.) For the large majority of users that wouldn't be a problem. However certain people might be annoyed or [theoretically] harmed if they are doing very specific things (see my original post), when they think they are talking to a specific DNS server but actually are not. Or in case they want to use port 53 for something else.

So I am interested if there is a certain "ethical" policy to follow when running a tor-node that says "never touch traffic, even if it's with good intent" or "never say you accept exit-traffic on a port, unless you are willing to pass through all traffic on that port without modification". And if there is no such policy/ethical-code, I'd be interested in hearing opinions whether such behaviour would be considered good or bad.

> Drop us a line if it's working, I was thinking about using that for my
> public hotspot. It's next to impossible to run an open Wifi-network in
> Germany without beeing frightened to get sued because of
> copyright-violations or something...

I haven't tried that specific script, but I am using a similar setup with openvpn elsewhere. It's certainly doable and not terribly complex.

> "Ringo Kamens" wrote:
> I don't know the technicals of DNS but it sounds like a great idea to
> me. One of the major problems tor faces (IMHO) is DNS resolution which
> isn't perfect.

I don't which specific kinds of problems you refer to, but technically there are no hurdles to what I want to do. If in fact there is bottleneck in exit-nodes that handle dns-resolution, then my approach may be interesting to other middleman nodes that have local dns-servers, or dns-caches and help increase that number. But like I said, I have no idea if that is actually a real problem. (And the above question remains whether it would be considered ok).

Regards

Herfel
-- 
Der GMX SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! 
Ideal für Modem und ISDN: http://www.gmx.net/de/go/smartsurfer

Follow-Ups:
- Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
  - From: Alexander Janssen

References:
- transparent forced dns-'proxy' on Exit-Node - is it ok?
  - From: herfel
- Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
  - From: Alexander Janssen

Prev by Author: Re: Question for Job and others / was: Re: Tor and Thunderbird: Outgoing Email Unsafe?
Next by Author: Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
Previous by thread: Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
Next by thread: Re: transparent forced dns-'proxy' on Exit-Node - is it ok?
Index(es):
- Author
- Thread