
Re: TOR on Academic networks (problem)



On Wed, 17 May 2006, Michael Holstein wrote:

> >You are hurting the Tor network more than you realize.  You are lying to
> >clients and clients cache that answer.  Don't do this.
> 
> I've tested this before, and since the /etc/hosts entry refers to an 
> address which is blocked by *all* TOR servers default exit policy, it 
> just says "requested exit node will deny your request".
> 
> Do they still cache the DNS answer?

The reject cell includes the resolved IP address.  This answer is
cached.

> Would it be better to block them by allowing a (legitimate) DNS lookup, 
> and then null-routing the IP space involved?

No.

> Doing *nothing* is NOT an option here.

Add them to your exit policy.  If that turns out to be too long (more
than just a couple of lines), make your exit policy rejects broader,
even if that means rejecting *:80.

-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
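As an added illustration of the advice above (this is example code written for this page, not Peter's or the Tor project's), here is a small Python evaluator for torrc `ExitPolicy` lines. It applies the rule Tor uses, first match wins, to a "narrow" policy that rejects only the blocked hosts and to the broader `reject *:80` fallback. The addresses are constructed from the RFC 5737 documentation ranges, and the evaluator assumes each policy ends with a catch-all rule so that every destination is decided.

```python
"""Evaluate Tor exit policies: rules are checked in order and the first one
matching the destination address:port decides.  Added example, not Tor's own
code; the policy text below is constructed for illustration."""
import ipaddress
from typing import List, Tuple

# One parsed rule: (accept?, destination network, lowest port, highest port).
Rule = Tuple[bool, ipaddress.IPv4Network, int, int]

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line: str) -> Rule:
    """Parse 'ExitPolicy accept|reject ADDR[/MASK]:PORT[-PORT]' (torrc syntax).
    '*' stands for any address or any port."""
    tokens = line.split()
    if tokens and tokens[0] == "ExitPolicy":
        tokens = tokens[1:]
    if len(tokens) != 2 or tokens[0] not in ("accept", "reject"):
        raise ValueError(f"malformed exit policy line: {line!r}")
    verb, target = tokens
    addr, sep, port = target.rpartition(":")
    if not sep:
        raise ValueError(f"missing :PORT in {target!r}")
    net = ANY_NET if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {target!r}")
    return (verb == "accept", net, lo, hi)


def parse_policy(lines: List[str]) -> List[Rule]:
    """Parse a torrc fragment, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in lines
            if l.strip() and not l.lstrip().startswith("#")]


def exit_decision(policy: List[Rule], dest_ip: str, dest_port: int) -> str:
    """Return 'accept' or 'reject' for dest_ip:dest_port; first match wins.
    The constructed policies here end with a catch-all, so an unmatched
    destination is treated as a configuration error (assumption of this
    example, not Tor behaviour)."""
    ip = ipaddress.ip_address(dest_ip)
    for accept, net, lo, hi in policy:
        if ip in net and lo <= dest_port <= hi:
            return "accept" if accept else "reject"
    raise ValueError("policy has no catch-all rule")


# Constructed torrc fragment: reject the handful of hosts the institution
# blocks (RFC 5737 documentation addresses stand in for real ones), allow
# ordinary web ports to everything else, then reject the rest.
NARROW_POLICY = parse_policy("""
ExitPolicy reject 192.0.2.0/24:*
ExitPolicy reject 198.51.100.7:80
ExitPolicy reject 198.51.100.7:443
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
""".splitlines())

# The fallback suggested when the reject list grows too long: one broad line
# covering all of port 80 instead of enumerating hosts.
BROAD_POLICY = parse_policy("""
ExitPolicy reject *:80
ExitPolicy accept *:443
ExitPolicy reject *:*
""".splitlines())


if __name__ == "__main__":
    for label, policy in (("narrow", NARROW_POLICY), ("broad", BROAD_POLICY)):
        for ip, port in (("192.0.2.5", 80), ("198.51.100.7", 443),
                         ("203.0.113.1", 80), ("203.0.113.1", 443)):
            print(f"{label:6} {ip}:{port:<5} -> {exit_decision(policy, ip, port)}")
```

Because a relay's exit policy is published in its descriptor, clients pick a different exit for destinations it rejects instead of receiving a spoofed address that they would cache; that is the difference between this approach and the /etc/hosts trick discussed above.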