On Dec 7, 2009, at 10:18 PM, Lou Katz wrote: > On Mon, Dec 07, 2009 at 09:48:25PM -0500, Steven Bellovin wrote: >> >> On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote: >> >>> >>> On Dec 7, 2009, at 5:29 PM, John Levine wrote: >>> >>>>> Will be interesting to see if ISPs respond to a large scale thing like >>>>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 >>>>> (albeit for other reasons). Therein lies the problem with some of the >>>>> "net neturality" arguments .. there's a big difference between "doing it >>>>> because it causes a problem for others", and "doing it because it robs >>>>> me of revenue opportunities". >>>> >>>> I do hear of ISPs blocking requests to random offsite DNS servers. >>>> For most consumer PCs, that's more likely to be a zombie doing DNS >>>> hijacking than anything legitimate. If they happen also to block >>>> 8.8.8.8 that's just an incidental side benefit. >>> >>> I've found more and more hotel/edge networks blocking/capturing this >>> traffic. >>> >>> The biggest problem is they tend to break things horribly and fail things >>> like the >>> oarc entropy test. >>> >>> They will often also return REFUSED (randomly) to valid well formed DNS >>> queries. >>> >>> While I support the capturing of malware compromised machines until they are >>> repaired, I do think more intelligence needs to be applied when directing >>> these systems. >>> >>> Internet access in a hotel does not mean just UDP/53 to their selected >>> hosts plus TCP/80, >>> TCP/443. >> >> It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel >> http to a squid proxy, smtp, and as many IMAP/SSL connections as I really >> need...
Also handy to set up an SSH tunnel. That works for almost everything else. J