On Sun, 18 Apr 2010 09:54:31 -0500 Bill Weiss <houdini+...@clanspum.net>
wrote:
>Scott Bennett(benn...@cs.niu.edu)@Sun, Apr 18, 2010 at 03:18:47AM -0500:
>> On Sat, 17 Apr 2010 21:54:16 -0400 Andrew Lewman <and...@torproject.org>
>> wrote:
>> >I may be misunderstanding the "using opendns with a misconfigured
>> >account" statement.
>> >
>> Probably not. The OpenDNS servers, AFAIK, require a free account
>> be established before they will answer queries about domains other than
>> OpenDNS's own domain(s). That can be accomplished via their web site,
>> which also allows the account holder to select various options, one of
>> which determines whether the account holder wishes to have queries about
>> certain domains be hijacked by OpenDNS in accordance with some list
>> OpenDNS maintains. OpenDNS defaults to the censorship option, so an
>> account holder has to make the effort of turning the censorship off.
>> (Apparently, A RR queries for the ghcc.msfc.nasa.gov. domain are hijacked
>> in that way.) The account holder can turn off all hijacking, supposedly,
>> to get the same response they would get from a fully honest name server.
>> tor exit operators are obligated to use name servers that give true
>> answers, so an exit that is querying an OpenDNS name server and that has
>> the hijacking "feature"--again, a Micro$lop usage of the word--enabled
>> is therefore a BadExit.
>
>I'm not weighing in on the BadExit issue, just the technical details.
>Anyone can use the OpenDNS resolvers without having an account with them.
>You just don't get to toggle any of the options without doing so. I think

Oh. Okay. Thanks for the correction.

>that, without an account, you get everything under "OpenDNS Basic" on
>their website[1] ("Web content filtering", "Proxy/anonymizer blocking",
>"Phishing protection" and "Botnet protection" being the ones we probably
>care about here).

Looks about right.

>
>Scott: if the current owner doesn't have an account set up, _you_ could go
>to the OpenDNS page (via Tor so it comes from that IP) and fix their
>settings :)
>
>[1] http://www.opendns.com/start/

Tsk, tsk. Although I suspect that that would not actually violate
the criminal statute about unauthorized access, it would nevertheless be
quite unethical. Consider the possibility that, laying tor out of view
for a moment, there are other uses being made of that computer and/or
network for which such blocking might be desired by the owner, e.g.,
content blocking for a household full of children with several computers
available to them on their home network. Granted, an exit should *not*
be run in such an environment, but it is not anyone's business to muck
with the configuration of someone else's computer or network.

>
>> Even though I no longer run an exit, I had been truly fed up with
>> Comcast's hijacking name servers for a long time, so when Google started
>> offering free and open access to honest, though logging, name servers
>> at 8.8.4.4 and 8.8.8.8, I switched to them immediately. I'm not too
>> worried about the logging, because very few name server queries leave
>> my machine anyway, mainly thanks to tor. And if I were running an exit,
>> it still wouldn't bother me much because nearly all queries leaving my
>> machine would have nothing to do with anything I was doing at the time.
>> I've procrastinated so far about setting up a small name server here,
>> basically for caching, and I've gotten away with it, I suspect, largely
>> because I discovered nscd(8) on my system and configured it for use.
>> nscd can be configured to cache results in caches for hosts, passwd,
>> group, services, protocols, and RPCs. Additional, system-particular
>> caches can also be defined if one has the need to do so.
>
>Assuming your ISP doesn't damage your queries for you or redirect outgoing
>port 53 activity to their servers, setting up Bind as a local resolver is
>super easy. I'd be glad to help you out with a config if you'd like.
>

Thanks, but I used to run the primary for the local university long
ago, as well as a few unofficial secondaries around the campus. I've just
been lazy about setting one up because I haven't really needed one. And,
as I wrote before, nscd has been a blessing, not only for A RR queries,
but for several other data sets as well. I appreciate the offer, though.
FWIW, most of the situations in which my current setup fails involve
being disconnected from the ISP due to some outage or modem screwup, so
having a name server running wouldn't really help anyway.

I just checked again, and as of 8:49 a.m. CDT, there was still no
BadExit flag assigned to PrivacyNow. :-(

Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu                                    *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
* -- Gov. John Hancock, New York Journal, 28 January 1790            *
**********************************************************************
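
The thread above turns on whether the resolver behind an exit returns true answers. As an added example (not part of the original message), here is one way an operator could compare A-record answers from the resolver in use against a trusted reference; the function name, the probe name and all addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (documentation-range addresses, not real answers).
# Each dict maps a name to its set of A records; an empty set means NXDOMAIN.
REFERENCE = {
    "ghcc.msfc.nasa.gov": {"192.0.2.10"},
    "www.example.org": {"192.0.2.20"},
    "cdn.example.net": {"198.51.100.5"},
    "no-such-host-7f3a.example": set(),   # probe name that must not exist
}
FILTERING = {
    "ghcc.msfc.nasa.gov": {"203.0.113.80"},         # sent to a block page
    "www.example.org": {"192.0.2.20"},
    "cdn.example.net": {"198.51.100.6"},            # ordinary CDN variance
    "no-such-host-7f3a.example": {"203.0.113.80"},  # NXDOMAIN rewritten
}

def find_rewritten_answers(reference, candidate):
    """Return {name: reason} for answers that look rewritten by the resolver."""
    findings = {}
    # Signal 1: an address is returned for a name the reference says is absent.
    for name, ref_ips in reference.items():
        if not ref_ips and candidate.get(name):
            findings[name] = "answer for a name that does not exist"
    # Signal 2: several names gain the same address that the reference never
    # gave for them. One differing name alone may just be CDN rotation.
    mismatched = defaultdict(set)
    for name, ips in candidate.items():
        for ip in ips - reference.get(name, set()):
            mismatched[ip].add(name)
    for ip, names in mismatched.items():
        if len(names) >= 2:
            for name in sorted(names):
                findings.setdefault(name, f"shares unexpected address {ip}")
    return findings

if __name__ == "__main__":
    results = find_rewritten_answers(REFERENCE, FILTERING)
    for name, reason in sorted(results.items()):
        print(f"{name}: {reason}")
```

In practice the two dictionaries would be filled from live queries to each resolver, with a freshly generated random label as the nonexistent probe name.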