
Re: tor provided me first warning of corrupted ISP name servers



On 24.08.2008 at 20:26, Drake Wilson wrote:

> Quoth Sven Anderson <sven@xxxxxxxxxxx>, on 2008-08-24 19:08:57 +0200:
>> Are these tests done by the tor software? I think these tests are not
>> valid, since services like OpenDNS.com reply to _every_ name with an
>> address:
>
> DNS semantics say that when a name does not exist, you receive an
> NXDOMAIN response.  Returning an arbitrary A record instead breaks the
> semantics of the Internet.  You may consider this valid for your own
> network, and that is okay, but inflicting changes to Internet
> semantics on Tor exit traffic is a classic bad exit scenario.

This is true for authoritative DNS servers. OpenDNS is not part of that, but a pure resolving service, so they can do what they want, and users can choose to use it or not. But I see your point that there is a conflict if a Tor exit node is using such a service. Still, Tor node operators might be forced to use it, so I suggest looking at this with less dogma and more reason, trading off the pros against the cons.

> Supposedly it is possible to submit a control request to OpenDNS to
> turn this behavior off for certain source addresses; I haven't
> confirmed this first-hand.  If this is true, I imagine that Dan
> Kaminsky &c. would also tell people to issue this request if they
> started forwarding to OpenDNS for other unrelated people in a
> non-temporary fashion.

Kaminsky didn't mention it, at least not in his blog. He wrote, for example, on July 27: "Patch, and verify the patch is working (NATs continue to be a headache). If it's not working, forward to something that is. OpenDNS has capacity to spare."
(http://www.doxpara.com/?p=1194)
You can switch off a lot of things, and I guess then they will also not answer for non-existing domains. However, that only works for static IP addresses (which is true for most Tor nodes, I assume).

>> Can I switch off these tests in tor?
>
> Short answer: don't.

Well, if one is forced to use such a service because his own DNS servers are vulnerable to the cache poisoning, he wouldn't be able to run a Tor node then.


Cheers,

Sven

--
http://sven.anderson.de    "Believe those who are seeking the truth.
tel:    +49-551-9969285     Doubt those who find it."
mobile: +49-179-4939223                                 (André Gide)
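To make the NXDOMAIN point from the thread concrete, here is an added example (not code from this thread, from Tor, or from OpenDNS) that classifies a resolver's answer to a deliberately nonexistent name: a correct resolver returns NXDOMAIN, while a rewriting resolver returns NOERROR with synthesised A records, which is what an exit-resolver check has to flag. The DNS messages are constructed inline rather than captured, and the name used is a made-up placeholder.

```python
import struct

def encode_name(name):
    """Wire-encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def build_response(qname, rcode, a_addrs=()):
    """Constructed sample response (not real traffic): header, one question, A answers."""
    flags = 0x8180 | rcode               # QR=1, RD=1, RA=1, RCODE in the low nibble
    msg = struct.pack("!6H", 0x1234, flags, 1, len(a_addrs), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    for addr in a_addrs:
        rdata = bytes(int(o) for o in addr.split("."))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name ptr -> offset 12
    return msg

def a_records_for_nonexistent(msg):
    """Classify the answer to a name that should not exist.
    Returns ("NXDOMAIN", []) for an honest resolver, or ("NOERROR", [addrs])
    when the resolver synthesised A records instead."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    name = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}.get(rcode, "RCODE%d" % rcode)
    return name, addrs

def resolver_rewrites_nxdomain(msg):
    """True when a query for a nonexistent name came back with A records."""
    rcode, addrs = a_records_for_nonexistent(msg)
    return rcode == "NOERROR" and bool(addrs)

if __name__ == "__main__":
    honest = build_response("nonexistent-3f9a.example", 3)            # placeholder name
    rewritten = build_response("nonexistent-3f9a.example", 0, ["192.0.2.10"])
    print(a_records_for_nonexistent(honest), a_records_for_nonexistent(rewritten))
```

Against a live resolver the same classifier would be fed the raw UDP reply to a query for a random, unregistered label under a real zone; a NOERROR answer with addresses for such a name is the behaviour the thread is arguing about.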