transparent forced dns-'proxy' on Exit-Node - is it ok?
Gisela Herfel
herfel at gmx.net
Tue Jan 9 20:43:06 UTC 2007
> "Alexander Janssen" wrote:
> Hi,
>
> On 1/9/07, herfel [...] wrote:
> > [... redirecting DNS-traffic to TOR via iptables ...]
>
> have a look at trans-proxy-tor and dns-proxy-tor, both available from
> http://p56soo2ibjkx23xo.onion/ . I haven't looked into it yet, your
> mileage may vary.
Where did you get that quote from? I don't think I wrote that, I certainly didn't mean that. Sorry for the confusion if my question was unclear.
This is about a Tor-Server that's currently running with reject */*. I could accept port 53 (dns), but only if it was ok to force-redirect everything to my own dns-server. (Or simplified: I do not want people to send arbitrary tcp-traffic out of my port 53; but I would be ok with answering regular old DNS-queries.) For the large majority of users that wouldn't be a problem. However, certain people might be annoyed or [theoretically] harmed if they are doing very specific things (see my original post), when they think they are talking to a specific DNS server but actually are not. Or in case they want to use port 53 for something else.
So I am interested if there is a certain "ethical" policy to follow when running a tor-node that says "never touch traffic, even if it's with good intent" or "never say you accept exit-traffic on a port, unless you are willing to pass through all traffic on that port without modification". And if there is no such policy/ethical-code, I'd be interested in hearing opinions whether such behaviour would be considered good or bad.
> Drop us a line if it's working, I was thinking about using that for my
> public hotspot. It's next to impossible to run an open Wifi-network in
> Germany without being frightened to get sued because of
> copyright-violations or something...
I haven't tried that specific script, but I am using a similar setup with openvpn elsewhere. It's certainly doable and not terribly complex.
> "Ringo Kamens" wrote:
> I don't know the technicals of DNS but it sounds like a great idea to
> me. One of the major problems tor faces (IMHO) is DNS resolution which
> isn't perfect.
I don't know which specific kinds of problems you refer to, but technically there are no hurdles to what I want to do. If in fact there is a bottleneck in exit-nodes that handle dns-resolution, then my approach may be interesting to other middleman nodes that have local dns-servers, or dns-caches and help increase that number. But like I said, I have no idea if that is actually a real problem. (And the above question remains whether it would be considered ok).
Regards
Herfel
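The distinction the post draws between "regular old DNS-queries" and "arbitrary tcp-traffic out of my port 53" can be made concrete at the wire level. Tor only carries TCP streams, so whatever a client exits on port 53 is a TCP stream, and DNS over TCP frames each message with a 2-byte length prefix followed by the 12-byte DNS header. The following is an added example, not code from the original post or from the Tor project: it builds a constructed DNS-over-TCP query and checks whether the start of a stream is structurally a DNS query, which is the kind of sanity filter a local resolver effectively applies when everything on port 53 is redirected to it. The sample payloads (an HTTP request, a TLS record, an SSH banner) are constructed here for illustration.

```python
import struct

# Added example (not from the original post): a wire-level check for what a
# "regular old DNS query" on TCP port 53 looks like. DNS over TCP prefixes
# each message with a 2-byte big-endian length (RFC 1035, section 4.2.2).


def build_dns_tcp_query(name, txid=0x1234, qtype=1):
    """Construct a minimal DNS query (class IN) with the TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    message = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(message)) + message


def looks_like_dns_query(stream):
    """True if the start of a TCP stream frames a well-formed DNS query."""
    if len(stream) < 14:                          # 2-byte length + 12-byte header
        return False
    (length,) = struct.unpack("!H", stream[:2])
    if length < 12 or length > len(stream) - 2:   # frame must fit what we have
        return False
    msg = stream[2:2 + length]
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:                            # QR=1 is a response, not a query
        return False
    if ((flags >> 11) & 0xF) not in (0, 1, 2):    # OPCODE: QUERY, IQUERY, STATUS
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0 or arcount > 1:
        return False                              # at most one OPT record (EDNS)
    pos = 12
    while True:                                   # walk the QNAME labels
        if pos >= len(msg):
            return False
        label_len = msg[pos]
        pos += 1
        if label_len == 0:
            break
        if label_len > 63 or pos + label_len > len(msg):
            return False
        pos += label_len
    if pos + 4 > len(msg):                        # QTYPE and QCLASS must follow
        return False
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qtype != 0 and qclass in (1, 3, 4, 255)  # IN, CH, HS, ANY


def classify_samples():
    """Run the check over constructed samples of what might show up on port 53."""
    query = build_dns_tcp_query("example.com")
    # Same message with QR=1 and RA=1 set: a response, which a client does not send.
    response = query[:4] + b"\x81\x80" + query[6:]
    samples = {
        "dns_query": query,
        "dns_response": response,
        "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",        # constructed
        "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 20,  # constructed
        "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",                                # constructed
    }
    return {label: looks_like_dns_query(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:13s} dns_query={verdict}")
```

A structural check like this only inspects the first frame and is a heuristic: anything that deliberately mimics DNS framing passes it. Redirecting the stream to a real resolver is what actually enforces "DNS only", since the resolver answers well-formed queries and drops everything else.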