[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Domain name based policies (was: Call for discussion: turning funding into more exit relays)

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] Domain name based policies (was: Call for discussion: turning funding into more exit relays)
From: Administrator <afink@xxxxxxxxxxxx>
Date: Wed, 1 Aug 2012 10:36:01 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 01 Aug 2012 04:35:16 -0400
In-reply-to: <CA+qp_4oZH4WhxDf+e6tJUKk-ZLB4nEy9qzhnXiXGOeZqvZNr=w@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <CA+qp_4oZH4WhxDf+e6tJUKk-ZLB4nEy9qzhnXiXGOeZqvZNr=w@xxxxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx



Sent from my iPhone 5

Am 01.08.2012 um 10:30 schrieb "Nicolas Braud-Santoni" <nicolas@xxxxxxxxxxxxxxxx>:

> 2012/8/1 Roger Dingledine <arma@xxxxxxx>:
>> On Tue, Jul 31, 2012 at 11:21:01AM +0100, mick wrote:
>>> Question for tor developers. How hard would it be to change the logic
>>> (and syntax) of exit policy in tor to allow domain based formulations
>>> like:
>>> 
>>> reject *.gmail.com
>>> reject *aol.com
>> 
>> Very hard.
>> 
>> https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#ExitpoliciesshouldbeabletoblockwebsitesnotjustIPaddresses
> 
> Hi,
> 
> While I see how allowing wildcards and domains in policies would be
> more than challenging, wouldn't it be possible to :
> - resolve domain-names at Tor startup, and get all associated A and AAAA records
> - Repeat when record's TTL is reached.
> 

this wont work for shared hosts. You would block all websites on that server not only the domains you wanted. You can only do that with intercepting http like a proxy.

> Of course, it wouldn't work for sites that don't advertise all their IPs.
> 
> It would also require the Exit node's operator to run some DNS
> resolver (or trust an external one), but locally running unbound (for
> example) is quite simple.
> Moreover, the risk evoked in the FAQ is already present : if I poison
> an exit node's DNS resolver, wouldn't I be able to replace nytimes.com
> A record with some bogon, like 0.0.0.0 ?
> 
> Nicolas
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Domain name based policies (was: Call for discussion: turning funding into more exit relays)
  - From: Nicolas Braud-Santoni

Prev by Author: Re: [tor-relays] How to protect yourself from network scanning
Next by Author: Re: [tor-relays] "Relay info kit" for Tor exits
Previous by thread: [tor-relays] Domain name based policies (was: Call for discussion: turning funding into more exit relays)
Next by thread: Re: [tor-relays] task-6329 / tor relays stats patch
Index(es):
- Author
- Thread