
Re: transparent forced dns-'proxy' on Exit-Node - is it ok?

> "Alexander Janssen" wrote:
> Hi,
> On 1/9/07, herfel [...] wrote:
> > [... redirecting DNS-traffic to TOR via iptables ...]
> have a look at trans-proxy-tor and dns-proxy-tor, both available from
> http://p56soo2ibjkx23xo.onion/ . I haven't looked into it yet, your
> mileage may vary.

Where did you get that quote from? I don't think I wrote that, and I certainly didn't mean that. Sorry for the confusion if my question was unclear.

This is about a Tor-Server that's currently running with reject */*. I could accept port 53 (dns), but only if it was ok to force-redirect everything to my own dns-server. (Or simplified: I do not want people to send arbitrary tcp-traffic out of my port 53; but I would be ok with answering regular old DNS-queries.) For the large majority of users that wouldn't be a problem. However, certain people might be annoyed or [theoretically] harmed if they are doing very specific things (see my original post), when they think they are talking to a specific DNS server but actually are not. Or in case they want to use port 53 for something else.

So I am interested if there is a certain "ethical" policy to follow when running a tor-node that says "never touch traffic, even if it's with good intent" or "never say you accept exit-traffic on a port, unless you are willing to pass through all traffic on that port without modification". And if there is no such policy/ethical-code, I'd be interested in hearing opinions whether such behaviour would be considered good or bad.

> Drop us a line if it's working, I was thinking about using that for my
> public hotspot. It's next to impossible to run an open Wifi-network in
> Germany without being frightened to get sued because of
> copyright-violations or something...

I haven't tried that specific script, but I am using a similar setup with openvpn elsewhere. It's certainly doable and not terribly complex.

> "Ringo Kamens" wrote:
> I don't know the technicals of DNS but it sounds like a great idea to
> me. One of the major problems tor faces (IMHO) is DNS resolution which
> isn't perfect.

I don't know which specific kinds of problems you refer to, but technically there are no hurdles to what I want to do. If in fact there is a bottleneck in exit-nodes that handle dns-resolution, then my approach may be interesting to other middleman nodes that have local dns-servers or dns-caches, and help increase that number. But like I said, I have no idea if that is actually a real problem. (And the above question remains whether it would be considered ok).
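What the setup described in the post looks like in practice, as an added example that is not part of the original message or of any Tor tooling: a small POSIX shell script that emits (and, with APPLY=1 as root, installs) the iptables NAT rules forcing the Tor daemon's outgoing port-53 connections to a resolver of the operator's choosing, together with the matching torrc exit-policy lines. The Tor system user (debian-tor), the resolver address 127.0.0.1:53 and the variable names are assumptions; change them to match the host. Matching on the owning uid is the part worth noting: it rewrites only packets the Tor process itself generates, so the local resolver's own upstream queries (also to port 53) are left alone and do not loop back into it, and an administrator's manual lookups still go where they were sent. It also makes the trade-off the post asks about concrete: with both udp and tcp 53 rewritten, anything a client tunnels over TCP port 53 that is not DNS will silently land on the local resolver instead.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables NAT rules that
# force every port-53 connection made by the Tor daemon on this exit node to
# the operator's own resolver, plus the companion torrc exit policy.
# Assumptions (hypothetical, adjust to the host): Tor runs as user TOR_USER,
# the local resolver listens on RESOLVER_IP:RESOLVER_PORT.
TOR_USER="${TOR_USER:-debian-tor}"
RESOLVER_IP="${RESOLVER_IP:-127.0.0.1}"
RESOLVER_PORT="${RESOLVER_PORT:-53}"

# One iptables command per line. The rules live in the nat OUTPUT chain because
# exit traffic is generated locally by the tor process; the owner match limits
# the rewrite to that process so the resolver's upstream queries and any
# manual `dig` from the admin are not caught (and cannot loop back).
dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A OUTPUT -p %s --dport 53 -m owner --uid-owner %s -j DNAT --to-destination %s:%s\n' \
            "$proto" "$TOR_USER" "$RESOLVER_IP" "$RESOLVER_PORT"
    done
}

# Exit policy that opens port 53 only and keeps everything else rejected.
torrc_exit_policy() {
    printf 'ExitPolicy accept *:53\nExitPolicy reject *:*\n'
}

# Dry run by default (print the rules for review); APPLY=1 as root installs them.
if [ "${APPLY:-0}" = "1" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "APPLY=1 needs root" >&2; exit 1; }
    dns_redirect_rules | sh -e
else
    dns_redirect_rules
    torrc_exit_policy
fi
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh dns-redirect.sh` as root on the exit node; the torrc lines go into the Tor configuration by hand. Note that UDP 53 alone would already serve ordinary DNS clients; the tcp rule is only needed if the operator also wants to answer TCP DNS (large responses, zone transfers), and it is the rule that hijacks non-DNS use of the port.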

