BadExit flag still needed for PrivacyNow...
Scott Bennett
bennett at cs.niu.edu
Sun Apr 18 15:24:56 UTC 2010
On Sun, 18 Apr 2010 09:54:31 -0500 Bill Weiss <houdini+tor at clanspum.net>
wrote:
>Scott Bennett(bennett at cs.niu.edu)@Sun, Apr 18, 2010 at 03:18:47AM -0500:
>> On Sat, 17 Apr 2010 21:54:16 -0400 Andrew Lewman <andrew at torproject.org>
>> wrote:
>> >I may be misunderstanding the "using opendns with a misconfigured
>> >account" statement.
>> >
>> Probably not. The OpenDNS servers, AFAIK, require a free account
>> be established before they will answer queries about domains other than
>> OpenDNS's own domain(s). That can be accomplished via their web site,
>> which also allows the account holder to select various options, one of
>> which determines whether the account holder wishes to have queries about
>> certain domains be hijacked by OpenDNS in accordance with some list
>> OpenDNS maintains. OpenDNS defaults to the censorship option, so an
>> account holder has to make the effort of turning the censorship off.
>> (Apparently, A RR queries for the ghcc.msfc.nasa.gov. domain are hijacked
>> in that way.) The account holder can turn off all hijacking, supposedly,
>> to get the same response they would get from a fully honest name server.
>> tor exit operators are obligated to use name servers that give true
>> answers, so an exit that is querying an OpenDNS name server and that has
>> the hijacking "feature"--again, a Micro$lop usage of the word--enabled
>> is therefore a BadExit.
>
>I'm not weighing in on the BadExit issue, just the technical details.
>Anyone can use the OpenDNS resolvers without having an account with them.
>You just don't get to toggle any of the options without doing so. I think
Oh. Okay. Thanks for the correction.
>that, without an account, you get everything under "OpenDNS Basic" on
>their website[1] ("Web content filtering", "Proxy/anonymizer blocking",
>"Phishing protection" and "Botnet protection" being the ones we probably
>care about here).
Looks about right.
>
>Scott: if the current owner doesn't have an account set up, _you_ could go
>to the OpenDNS page (via Tor so it comes from that IP) and fix their
>settings :)
>
>[1] http://www.opendns.com/start/
Tsk, tsk. Although I suspect that that would not actually violate the
criminal statute about unauthorized access, it would nevertheless be quite
unethical. Consider the possibility that, laying tor out of view for a
moment, there are other uses being made of that computer and/or network for
which such blocking might be desired by the owner, e.g., content blocking
for a household full of children with several computers available to them
on their home network. Granted, an exit should *not* be run in such an
environment, but it is not anyone's business to muck with the configuration
of someone else's computer or network.
>
>> Even though I no longer run an exit, I had been truly fed up with
>> Comcast's hijacking name servers for a long time, so when Google started
>> offering free and open access to honest, though logging, name servers
>> at 8.8.4.4 and 8.8.8.8, I switched to them immediately. I'm not too
>> worried about the logging, because very few name server queries leave
>> my machine anyway, mainly thanks to tor. And if I were running an exit,
>> it still wouldn't bother me much because nearly all queries leaving my
>> machine would have nothing to do with anything I was doing at the time.
>> I've procrastinated so far about setting up a small name server here,
>> basically for caching, and I've gotten away with it, I suspect, largely
>> because I discovered nscd(8) on my system and configured it for use.
>> nscd can be configured to cache results in caches for hosts, passwd,
>> group, services, protocols, and RPCs. Additional, system-particular
>> caches can also be defined if one has the need to do so.
>
>Assuming your ISP doesn't damage your queries for you or redirect outgoing
>port 53 activity to their servers, setting up Bind as a local resolver is
>super easy. I'd be glad to help you out with a config if you'd like.
>
Thanks, but I used to run the primary for the local university long
ago, as well as a few unofficial secondaries around the campus. I've just
been lazy about setting one up because I haven't really needed one. And,
as I wrote before, nscd has been a blessing, not only for A RR queries,
but for several other data sets as well. I appreciate the offer, though.
FWIW, most of the situations in which my current setup fails involve being
disconnected from the ISP due to some outage or modem screwup, so having
a name server running wouldn't really help anyway.
I just checked again, and as of 8:49 a.m. CDT, there was still no
BadExit flag assigned to PrivacyNow. :-(
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
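The thread's requirement that an exit's resolver give true answers is something an operator can verify against their own resolver before anyone else has to. The following is an added example, not code from this thread, from Tor or from OpenDNS: it builds a raw A query with the standard library, parses the reply, and classifies the tested resolver's answer against a trusted reference (flagging NXDOMAIN rewriting, blocked names, and answer sets with no overlap). The resolver addresses, domain names and classification labels are assumptions for illustration.

```python
import socket
import struct
def build_a_query(qname, txid=0x1234):
    # Standard query: recursion desired, one question, QTYPE=A, QCLASS=IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a possibly compressed name; a 2-byte pointer ends the name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_response(msg):
    # Returns (rcode, sorted A-record addresses) from a raw DNS reply
    flags, qd, an = struct.unpack(">HHH", msg[2:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name, then QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, sorted(addrs)

def classify(reference, candidate):
    # Compare a trusted resolver's (rcode, addrs) with the tested resolver's
    ref_rc, ref_a = reference
    cand_rc, cand_a = candidate
    if ref_rc == 3:  # name does not exist upstream
        return "nxdomain-rewritten" if cand_a else "consistent"
    if ref_rc == 0 and cand_rc != 0:
        return "suspect-block"
    if ref_a and cand_a and not set(ref_a) & set(cand_a):
        return "suspect-hijack"  # no overlap; CDN geo-answers do this too, so confirm by hand
    return "consistent"

def query_a(resolver_ip, qname, timeout=3.0):
    # Live UDP lookup against one resolver (needs network access)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(qname), (resolver_ip, 53))
        return parse_a_response(s.recv(4096))
```

Run `classify(query_a(trusted_ip, name), query_a(tested_ip, name))` for a handful of names plus one deliberately nonexistent one; a "nxdomain-rewritten" or "suspect-hijack" result is a reason to change the exit's resolver rather than to keep running with it.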