Re: Re: Tips for Windows Update Over Tor
One can also use "Microsoft Baseline Security Analyzer" to check for needed updates and download them locally to be installed later offline... It's a utility that can be downloaded from the M$ site itself.

----- Original Message -----
From: Alexandru Cezar
To: or-talk@freehaven.net
Sent: Tuesday, August 18, 2009 2:35:27 AM
Subject: Re: Re: Tips for Windows Update Over Tor

> All depends on if _all_ the various MS updates and mechanisms are properly
> signed/checked by the MS update mechanism. Otherwise, it's one massive
> MITM hole. I've no idea on that.

Yes, they are.

Also, the way to go would probably be a third-party utility that downloads all required updates to install them later, offline. One that I can think of is c't Offline Update: http://www.heise-security.co.uk/articles/80682

Alexandru
Re: 3 questions about how to setup TOR proxy chain
I think you are mistaking Tor for a VPN. If you want to control where exactly your connections go you should try other software. The whole idea of TOR is that it (the program) chooses by itself, with its algorithm, which nodes to use. If you were able to select intermediate nodes it would become a totally different product. I don't think that's a feature that would be wishful; anyway, that's IMHO, maybe others have other ideas about this...

----- Original Message -----
From: M
To: or-talk@freehaven.net
Sent: Friday, August 14, 2009 8:49:44 PM
Subject: 3 questions about how to setup TOR proxy chain

Hi,

Could someone please answer these 3 questions (or point me to a place where I can find the answers):

1. I understand TOR uses 3 hops in its proxy chain. Is it possible to make it use fewer hops (i.ex: 1 or 2) or more hops (4, 5, ...) and how can I do this?

2. Is it possible to define the nodes to use, so that TOR will only use these nodes in the chain and no other (i.ex: select 50 nodes, and TOR will randomly choose 3 nodes out of these 50 and not use the 1500 other nodes)?

3. To add on point 2 above, is it possible to "statically" select 3 nodes (i.ex 2 middle nodes + 1 exit) and only use these 3? (I know about the anonymity problems this may create, I'd only like to know if it is possible and how to do it.)

PS: I have already searched, and could only find some answers on how to select the exit node (.exit), but not on how to configure the proxy chain.

Thanks a lot.
Re: Version checking (was Re: 25 tbreg relays in directory)
--- On Wed, 4/29/09, Dominik Schaefer wrote:

> From: Dominik Schaefer
> Subject: Re: Version checking (was Re: 25 tbreg relays in directory)
> To: or-talk@freehaven.net
> Date: Wednesday, April 29, 2009, 7:18 AM
>
> On 29.04.09 12:33, Tripple Moon wrote:
> > > > Also what would be gained from a CRC based on the *binary*?
> > > > Wouldn't that change according to the system that compiled it?
> > > Yes it *will* change depending on the compiled (source-)version and architecture and compiler used.
> > > But those variables are far less in quantity than the possible individual modified versions
>
> It will not only change with architecture, exact versions of compiler and OS,
> and source code revision (think of all the people using the svn/git repo), but
> also with compiler options controlling optimization/code generation, ABI,
> statically vs. dynamically linked libs and probably a bunch of other. As you
> combine all these you create a huge amount of possible permutations.
>
> But it is anyway useless, because any client can upload any data it wants to
> and claim it is its own binary.
>
> BTW: Do you know, that there are independent implementations of Tor based on
> the official design documents? And that this is actually encouraged by the
> authors of Tor?
>
> BTW2: Your approach of locking out other implementations contradicts any idea
> of open source and inter-operability.

Yes, I agree that those other factors, which were not mentioned yet, are of course also elements to take into account for differences. And like I previously already admitted, this is a difficult topic to make foolproof (much like making any software foolproof, in fact).
But... I disagree with your argument that my approach would contradict the idea of Open Source, as that has nothing to do with a program's operational logic but more with the public availability of the source code. Same with interoperability, which is also based on operational logic embedded in software...

About those independent implementations: Of course it's a great way to improve any software that is Open Source to allow independent modifications to the source code. But if those changes remain unknown to the development team of the original software project, then *that's* where problems arise... Not only from a security P.O.V. but perhaps also concerning licensing violations...
IMHO, all, and I mean *all*, modifications of the original code and/or design should be committed to the development tree; that's how things get improved and fixed etc. by the community that maintains the development of the project.
We all know how M$ started, right, old guys around? ^^ (Yes, Billy G., there are still people walking around the planet who won't forget how you started that buggy OS.)

A---NNN---YYY--wayyy, I think we all agree that there is a growing need to "somehow" keep the Tor network operating at maximum compatibility and stability. If the Tor application won't get means to authenticate its own internals, then I'm afraid (IMHO) we will be looking at a future with *many* independent Tor networks that are not connected to each other's cloud because of differences...
Re: Version checking (was Re: 25 tbreg relays in directory)
--- On Wed, 4/29/09, Scott Bennett wrote:

[cut]

> > All of the above can be waifed void, when those versions are announced on the mailing list.
>
> "Waifed"? What language are you borrowing that from? And what does
> it mean? "Waif" in English is a noun having a meaning that bears no
> obvious connection to this discussion.
> Hmm... on the off-chance that you intended to type "waived", I think I
> can see an intended meaning, although the use of the word is still
> incorrect in this context.

Yes, apologies for my non-perfect English, I'm not a native English speaking person :)
What I meant was that those arguments can be eliminated. (Better now? :D)
Re: Version checking (was Re: 25 tbreg relays in directory)
--- On Tue, 4/28/09, Ted Smith wrote:

> From: Ted Smith
> Subject: Re: Version checking (was Re: 25 tbreg relays in directory)
> To: or-talk@freehaven.net
> Date: Tuesday, April 28, 2009, 10:51 PM
>
> On Tue, 2009-04-28 at 03:01 -0700, Tripple Moon wrote:
> > --- On Tue, 4/28/09, Scott Bennett wrote:
> >
> > > From: Scott Bennett
> > > Subject: Re: 25 tbreg relays in directory
> > > To: or-talk@freehaven.net
> > > Date: Tuesday, April 28, 2009, 12:57 AM
> >
> > [cut for clarity]
> >
> > > That brings up something that has bothered me for a long time. When
> > > tor discovers that its version doesn't match any in either client-versions
> > > or server-versions, it currently writes complaints about it to the log(s),
> > > but seems to do nothing further about it. I'd like to see either of the
> > > following.
> > >
> > > a) Addition of three lines to the consensus documents to prevent use of
> > > unsafe versions of tor
> >
> > [etc...cut for clarity]
> >
> > I also agree that there should be version checking, I didn't even know it
> > wasn't done so already... :( I would furthermore suggest to build a version
> > fingerprint that uses some remotely calculated CRC value of the client. My
> > reason for that is to prevent the Tor network from being polluted by specially
> > "tweaked/altered" versions, which might endanger the security of the whole
> > network. (Let your imagination do a free run on possibilities in such cases.)
> > By "remotely calculated CRC-value of the client" I mean that the destination
> > does the CRC calculation of the connecting client. Yes, this means the client
> > needs to send all of its binary self to the destination. After this CRC-value
> > has been calculated _once_ by a destination, that destination should announce
> > the presence of the client to the whole network if it's a valid client (no
> > matter in what mode it runs).
> > These CRC-values could be centrally maintained by the Tor development center
> > and made accessible publicly or by a hidden service.
> >
> > IMHO, this kind of "login procedure to enter the Tor network" will make it
> > more secure and manageable.
> > Again, I have _no_ idea at present how the Tor program handles things at
> > present, so if it's already done like that or even better just disregard what
> > I wrote :D
>
> So you propose sending the whole of the Tor binary over the network,
> having the authority do a CRC on it, and using that to check for
> validity? Just making sure I have the right impression.

Well yes, kind of... But instead of the binary on file, the binary in memory... And the check could just as well be done by another already accepted node. Just like the trust rings work for SSL certificates, when a trusted certificate issues a trust for another
Re: Version checking (was Re: 25 tbreg relays in directory)
--- On Tue, 4/28/09, Jim McClanahan wrote:

> From: Jim McClanahan
> Subject: Re: Version checking (was Re: 25 tbreg relays in directory)
> To: or-talk@freehaven.net
> Date: Tuesday, April 28, 2009, 12:01 PM
>
> > By "remotely calculated CRC-value of the client" I mean that the
> > destination does the CRC calculation of the connecting client.
> > Yes this means the client needs to send all of its binary self to
> > the destination.
>
> That would be a pretty big upload for a dial-up user!

Yes, that's true, I admit that's a valid con argument.

> I am also wondering what kind of danger you think a *client* can have
> for the Tor network.

Well, AFAIK (from reading the global discourse), there seem to be some nodes primarily set up to monitor and/or (try to) disrupt the data flow of the Tor network by using altered clients with "enhanced/added" routines... Don't ask me to provide links, because I don't keep bookmarks of random info I read while searching for other info... (It could also be my personal distrustful mind playing tricks on me.)

> And if somebody wanted to circumvent, I would think the client could be
> modified so that when it claimed to be uploading itself, it was actually
> uploading a copy of an unmodified binary. Am I missing something?

Well yeah, that's up to the implementation of this behavior, and I wholeheartedly would suggest to _not_ allow any uploads of external files. By external files I mean using file-open routines; it should only upload the current running instance of the Tor application. And of course, like you already mentioned, they could create a modified version which indeed does what you say. So this is a hard egg to crack for me personally atm :)

> Also what would be gained from a CRC based on the *binary*? Wouldn't
> that change according to the system that compiled it?

Yes, it *will* change depending on the compiled (source-)version and architecture and compiler used.
But those variables are far less in quantity than the possible individual modified versions.
Re: Version checking (was Re: 25 tbreg relays in directory)
First off, please only reply to the mailing-list address, otherwise people like me are getting your messages double, just like you will get now...

--- On Tue, 4/28/09, Scott Bennett wrote:

[cut for clarity]

> Laying aside for the moment the matter of how the rest of the tor nodes
> should determine the trustworthiness/credibility of the tor instance making
> the announcement or even why the tor network, either as a "whole" or as
> individual nodes, should care about the integrity of a client (!), how do you
> propose to calculate a verification digest--a CRC would not likely be
> considered adequately reliable--based upon the executable binary of software
> that
> a) comes in many successive versions,
>
> b) can be compiled for many hardware architectures, not all of which
> are necessarily known to the developers,
>
> c) can be compiled for many operating systems, not all of which are
> necessarily known to the developers, and
>
> d) can be compiled by untold numbers of versions of many compilers,
> not all of which are necessarily known to the developers?

All of the above can be waifed void, when those versions are announced on the mailing list.

> > IMHO, this kind of "login procedure to enter the tor-network" will make
> > it more secure and manageable.
>
> More secure and manageable for whom?? Big Brother? Obviously not for
> the supposedly anonymous tor user...jeesh.

Of course not, silly:
- More secure for the "anonymous tor user", because he will be forced to upgrade his client to stay connected to the Tor network; if (s)he doesn't upgrade his/her insecure client, (s)he will be denied access to the network by other Tors.
- More manageable for the Tor development team, because they will know exactly which versions are being used by current users of the Tor program.

> > Again, I have _no_ idea at present how the tor program handles things at
> > present, so if it's already done like that or even better just disregard
> > what I wrote :D
>
> It doesn't, and it shouldn't.
Version checking (was Re: 25 tbreg relays in directory)
--- On Tue, 4/28/09, Scott Bennett wrote:

> From: Scott Bennett
> Subject: Re: 25 tbreg relays in directory
> To: or-talk@freehaven.net
> Date: Tuesday, April 28, 2009, 12:57 AM

[cut for clarity]

> That brings up something that has bothered me for a long time. When
> tor discovers that its version doesn't match any in either client-versions
> or server-versions, it currently writes complaints about it to the log(s),
> but seems to do nothing further about it. I'd like to see either of the
> following.
>
> a) Addition of three lines to the consensus documents to prevent use
> of unsafe versions of tor

[etc...cut for clarity]

I also agree that there should be version checking, I didn't even know it wasn't done so already... :(
I would furthermore suggest to build a version fingerprint that uses some remotely calculated CRC value of the client. My reason for that is to prevent the Tor network from being polluted by specially "tweaked/altered" versions, which might endanger the security of the whole network. (Let your imagination do a free run on possibilities in such cases.)
By "remotely calculated CRC-value of the client" I mean that the destination does the CRC calculation of the connecting client. Yes, this means the client needs to send all of its binary self to the destination. After this CRC-value has been calculated _once_ by a destination, that destination should announce the presence of the client to the whole network if it's a valid client (no matter in what mode it runs).
These CRC-values could be centrally maintained by the Tor development center and made accessible publicly or by a hidden service.

IMHO, this kind of "login procedure to enter the Tor network" will make it more secure and manageable.
Again, I have _no_ idea at present how the Tor program handles things at present, so if it's already done like that or even better just disregard what I wrote :D
Re: exit counts by port number over 61 days
--- On Fri, 4/17/09, Juliusz Chroboczek wrote:

> From: Juliusz Chroboczek
> Subject: Re: exit counts by port number over 61 days
> To: or-talk@freehaven.net
> Date: Friday, April 17, 2009, 6:14 PM
>
> > A better [idea] would be, again IMHO, open a list of ports used by
> > "normal-use of the tor-network", and block the rest. [...]
> > Web (80,443), Pop3 (*), NNTP (*), DNS (53), Torrent (default 6881), FTP
> > (20/21).
>
> Moon,
>
> Please don't give this kind of advice. Somebody might think you know what
> you're speaking about.

The beauty of the internet is that everyone can write their own opinions (see my IMHO) and let the rest decide if the writer (you included) knows what (s)he is writing about...

> Your list includes Bittorrent, which is a highly optimised protocol for
> sending massive amounts of data.
> Running BT over the tor network is considered as an abuse of the network.

AFAIK, it's up to the operator of relays and exit points to decide what they label as abuse or not, and as a result choose to reject data on that port.

> Your list doesn't include for example 22 (ssh), which is absolutely
> essential for many of us.

Well, see... from my point of view SSH is abuse of the Tor network, namely aiding in hacking other systems. (See my other posts for my logic.) To use SSH you need an account that under normal circumstances is known on the other side, thus eliminating the need to anonymize your connection. So yeah, I will advise all that read this to reject that port wholeheartedly...
IMHO, the intentions of the Tor network are to provide anonymity for data connections where the other side does not _need_ to know who the originator is. If I'm wrong there, I'm sure it will be told so by many instead of one...
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
--- On Thu, 4/16/09, Andrew Lewman wrote:

> From: Andrew Lewman
> Subject: Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
> To: or-talk@freehaven.net
> Date: Thursday, April 16, 2009, 8:35 PM
>
> On Thu, 16 Apr 2009 14:42:56 -0700 (PDT)
> Tripple Moon wrote:
> > By "personally chosen domains" I mean, to be exact, domains that
> > serve advertising. IMHO, having access to adverts is not part of the
> > info a user actually is searching for in its normal browsing work.
> > (exceptions are far less as the majority of regular-usage) IMHO by
> > blocking these domains the tor-network will speedup considerably
> > because there won't be need to transfer "that garbage" :)
>
> For the same reason I don't use a 3rd party blacklist for spam
> filtering, I don't want my traffic filtered by a tor exit node. If you
> do, great, but don't force it on everyone else.

[cut for clarity]

I felt warm while agreeing with you there :D That's why I have set up Privoxy now. But I still have a problem with DNS (still on-topic :P). My relay needs a publicly accessible "non-polluted" DNS server, so it won't get flagged as bad-exit. Hmmm, would it help to reject port 53 as exit in this case?

> I use a firefox extension called Request Policy to not grab
> different domains than the one I'm requesting, many of which
> happen to be click-tracking and advertising networks.
> For now, coupled with torbutton, this is all I need.

Hmm, I never used that extension, thx for mentioning it, I will surely look it up soon.
Re: exit counts by port number over 61 days
--- On Thu, 4/16/09, Scott Bennett wrote:

> > There are plenty of other ports to do this on, though -
> > many of them far more common than 1080 (and SOCKS) nowadays.
>
> Right. I think I'll hold off a bit longer to see what other comments
> people may make here before I close that port.
> BTW, I am still very interested in reading any comments people may have
> regarding patterns or anything else they notice in the exit counts that
> I posted here.
> I looked for the most obvious stuff, but there may be other weirder stuff
> going on involving port numbers that had fewer, yet still significant
> numbers of, exits.

My guess is that this wide range of used ports is caused by port scanners. The reason, IMHO, that they have seemingly different (read: random) usage counts is because the Tor network chooses exit points on its own, and thus some probes, from the same origin, are being directed at other exit points rather than all to yours. These port probes/scans don't all have to be necessarily ill-minded, because some users might as well have done probes to their own machines to check for security.

You might get better decision-making arguments for yourself if you could correlate the port usage with client requests. That way you could see if they are indeed port-range probes. Normally you would log IP#'s, but with the Tor network as origin that kind of is out of the question. I'm not sure if you can somehow intercept the tor-client-ID, or whatever it's called that's unique, that originated the connection.

IMHO, it's rather a bad decision to allow _all_ ports to be used for exit. A better one would be, again IMHO, to open a list of ports used by "normal use of the Tor network", and block the rest. By "normal use of the Tor network" I mean: the software that people who use this network with non-ill intentions use. Or if you reverse the idea, you get: the software that people with ill intentions would most likely use (and block those ports).

For me personally the ports that all exit points should allow are (IMHO): Web (80,443), Pop3 (*), NNTP (*), DNS (53), Torrent (default 6881), FTP (20/21).
(*) These are gray-area IMHO because they are more likely used for "ill" than "non-ill" behavior with respect to the Tor network's intentions.

Example why I don't list other ports like telnet: If a user uses telnet to connect to some machine, his/her identity is normally known on that machine, otherwise that user would not have a telnet account, thus eliminating the need to connect using the Tor network.
When you apply that logic to any port you want to open/close, you will come to good reasons why to open or close it.

(Whoa, sometimes I have to restrain myself when thinking aloud in text.) Anyway, gl.
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
--- On Tue, 4/14/09, Curious Kid wrote:

> From: Curious Kid
> Subject: Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
> To: or-talk@freehaven.net
> Date: Tuesday, April 14, 2009, 2:48 AM
>
> ----- Original Message -----
> > From: Tripple Moon
> > To: or-Talk Mailinglist
> > Sent: Monday, April 13, 2009 3:47:50 PM
> > Subject: Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
> >
> > > Faking the address resolution does not alter the
> > > tracking abilities of web sites in the slightest.
> > Well there you are dead wrong, sorry to disagree here.
> > Websites that track by IP-access are blocked this way.
> > Of course, I know there are plenty of other ways to track visitors, but
> > IP-tracking is one that can be eliminated by _not_ accessing certain web
> > servers at all in the 1st place...
>
> Are you saying that a solution to prevent websites from tracking their
> visitors is to have a third party block to have a content-based filter in
> case some of the blocked websites also happen to have IP tracking enabled
> (or are under some form of surveillance)? Is this really what you mean?
> How does this solution help when the traffic is coming from a Tor exit
> node and is reasonably well anonymized?

The tracking site still tracks access when hit on; ok, in that case it will track the exit point, but I want to prevent them from tracking at all... Yes, I'm allergic to advertising companies that impose their needs on users without the user actually asking for it.

> > My intentions were not to corrupt the tor service but to clean up
> > corruption of DNS servers used at certain locations in the world by
> > authorities, and at the same time block some personally set up domains
> > for my own LAN-access.
> >
> > Try to look at the big picture of what I want to accomplish as a whole,
> > not just from tor's P.O.V.
> > I want to circumvent the polluted DNS-service of my ISP/country and at
> > the same time block personally chosen domains.
>
> What do you think national authorities would say about someone in their
> country openly providing access to Internet content that they have
> blocked? Why would someone want to block content that has not already
> been blocked by the authorities?

Perhaps because that someone has other opinions than the authorities in that country?

> Can you share with us in what way Turkish DNS servers are corrupted? If
> you think that would be off-topic here, feel free to email me directly,
> as I would be personally very interested in specific examples of Turkish
> content filtering.

You want examples... ok... try accessing YouTube/geocities/etc. from within Turkey. You get the idea, I hope. Some countries' authorities are just mentally in the stone age with respect to the internet and personal responsibility while accessing information of any kind. As an adult I can make certain choices for myself; I don't need nor want those choices made for me by 3rd parties.

> Does OpenDNS allow blocking on a per-domain basis? All I could get from
> their website was their list of content categories from which an operator
> could choose. May I ask, which domains and content categories were you
> interested in blocking? Also, why impose the same blocking that you would
> use for your own LAN-access upon any Tor user that happens upon your exit
> node? Would it not be better to have any blocking in your exit policy so
> that users interested in content that you have blocked may instead route
> around you rather than see your personal message to them?

Yes, you can set up personal domains to block in your blocklist, besides the ones that have been categorized. My blocklist is entirely composed of advertising servers not already categorized and blocked by the categories for adverts. I'm not interested in any kind of personal message delivered to the users, except the info of the blocking action.
IMHO, imposing blocking of data transfer of advertisers is just a matter of accelerating web access over the Tor network.
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
--- On Tue, 4/14/09, Sven Anderson wrote:

> From: Sven Anderson
> Subject: Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
> To: or-talk@freehaven.net
> Date: Tuesday, April 14, 2009, 9:36 AM
>
> On 13.04.2009 at 15:47, Tripple Moon wrote:
> > Try to look at the big picture of what I want to accomplish as a whole,
> > not just from tor's P.O.V.
> > I want to circumvent the polluted DNS-service of my ISP/country and at
> > the same time block personally chosen domains.
>
> You always have to make clear what you are exactly talking about. Are you
> talking about blocking parts of your personal access or also the access of
> all users that are exiting through your Tor-relay? The first is ok, the
> second not.
>
> Sven

By "personally chosen domains" I mean, to be exact, domains that serve advertising. IMHO, having access to adverts is not part of the info a user actually is searching for in their normal browsing work. (Exceptions are far fewer than the majority of regular usage.) IMHO, by blocking these domains the Tor network will speed up considerably because there won't be a need to transfer "that garbage" :)
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
--- On Mon, 4/13/09, Scott Bennett wrote:

[cut for clarity]

> > When I set my client to not resolve DNS queries using the tor network
> > I get the warning messages.
> > (Which of course are as expected)
>
> I think you may be confusing various operations that occur in differing
> situations. Your *tor* client will always attempt to [cut for clarity]

Yes, read carefully, I said client, not "tor-client", meaning e.g. a browser.

> > My reason(s) for this scenario is so that:
> > 1) I am able to use custom DNS-Servers for both my client and others
> > that use my exit point, without the warning messages.
>
> What precisely do you mean by "custom DNS-Servers"?

Like I explained in my other reply: "custom DNS-Servers" means "other DNS servers than the default ones of the ISP".

> > 2) My, the operator's, custom DNS-Servers can speed up _and_ aid in
> > anonymity by blocking/re-directing certain domain names to other IPs.
> > Which will, in the case of OpenDNS, return a small HTML with a message
> > telling it's blocked.

[cut for clarity]

> > Preventing the access to specific domains will, IMHO, improve anonymity
> > for both the relay operator and the client using it as exit point.
>
> Preventing access to destinations is only appropriately done via proper
> specification of your restrictions in ExitPolicy lines in torrc.

But this only applies to external Tor clients accessing the Tor relay through the Tor network, not the local clients connecting to the local Tor client.

> > I came up with this scenario because I wanted to speed up the user
> > experience _and_ kill the web's tracking behaviors as much as I can.
>
> Faking the address resolutions is simply a characteristic of a bad exit
> relay. Faking the address resolution does not alter the tracking
> abilities of web sites in the slightest.

Well, there you are dead wrong, sorry to disagree here. Websites that track by IP access are blocked this way.
Of course, I know there are plenty of other ways to track visitors, but IP tracking is one that can be eliminated by _not_ accessing certain web servers at all in the 1st place...

> > So I admit I understand that for my scenario to work without the warning
> > messages tor needs an extra config option to allow IP-only requests from
> > custom listed IPs in its torrc file.
> > (e.g. localhost/127.0.0.1 for the local client)
>
> We definitely do *not* need the sort of corruption of service that you
> wish to employ. Please disabuse yourself of such notions.

I agree, looking at the subject from your point of view. My intentions were not to corrupt the Tor service but to clean up corruption of DNS servers used at certain locations in the world by authorities, and at the same time block some personally set up domains for my own LAN access.

> > I understand that one can use Privoxy for even more advanced filtering,
> > but a simple DNS-based filtering system is more than enough for most of
> > the web-tracking systems IMHO.
>
> I can't make sense out of that at all.
>
> > Besides, this approach will even enable tor to utilize bind+rbl :)
> > It's just IMHO the next step towards _more_ anonymity...
>
> ??

Try to look at the big picture of what I want to accomplish as a whole, not just from Tor's P.O.V. I want to circumvent the polluted DNS service of my ISP/country and at the same time block personally chosen domains.

FYI:
Bind = The de facto DNS server software used on Unix since... well, let's say forever. :) (http://en.wikipedia.org/wiki/BIND)
RBL = Real-time Blackhole List (http://en.wikipedia.org/wiki/DNSBL#Terminology)
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
Note: Please reply to the mailing list _only_; every time you reply I get about 3 (three) emails with the same content because you include my email addy as recipient also... One email from the or-talk mailing list is enough to read your responses :)

--- On Mon, 4/13/09, Scott Bennett wrote:

> From: Scott Bennett
> Subject: Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
> To: or-talk@freehaven.net, "Tripple Moon"
> Date: Monday, April 13, 2009, 1:01 AM
>
> On Sun, 12 Apr 2009 09:05:07 -0700 (PDT) Tripple Moon wrote:
> > --- On Mon, 4/6/09, Scott Bennett wrote:
>
> [cut for clarity]
>
> > My reason(s) for this scenario is so that:
>
> I missed this in my latest response:
>
> > 1) I am able to use custom DNS-Servers for both my client and others
> > that use my exit point, without the warning messages.
>
> Those warning messages are caused by client-side code in tor in response
> to requests made to its SOCKS port; they are not issued as a result of
> your relay providing exit services.

Of course... did I argue otherwise?

> > 2) My, the operator's, custom DNS-Servers can speed up _and_ aid in
> > anonymity by blocking/re-directing certain domain names to other IPs.
> > Which will, in the case of OpenDNS, return a small HTML with a message
> > telling it's blocked.
>
> Providing such a page as a substitute for a response from the proper
> destination is in itself justification for immediate classification of
> your exit relay as a bad exit. *Any* alteration/substitution of data
> qualifies the culpable exit relay for a BadExit flag.

Of course I know Tor does this, which is in theory the proper way, but how does Tor classify the "proper destination"? By doing DNS lookups and comparing the answers, right? That's a real problem for Tor operators in countries where DNS queries are being intercepted by the authorities...
The only way for Tor operators in that kind of environment is to use "custom DNS servers" or, put differently, "other DNS servers than the default ones of the ISP". In my current case Turkey, which redirects DNS answers to block certain domains. So yes, what I want to do is about the same as they do, but under my own control of which ones get blocked.

The question that remains is: "How can I keep a Tor relay running without being flagged as bad, while still doing custom blocking on the Tor client side?"

Brainstorming on my own: I assume the only way is using a proxy _before_ the SOCKS connection to the Tor client, and setting up Tor to use "custom DNS servers" (term as explained above). But which DNS server IPs to use in "resolv.conf", because the nation's DNS servers are polluted...
Re: tor with OpenDNS as default DNS, using Firefox+FoxyProxy
--- On Mon, 4/6/09, Scott Bennett wrote:
> >>3) Same as (2) but this time I used the following config options in torrc:
> >> 'ServerDNSResolvConfFile C:\Program Files\Tor\resolv.conf' and 'ServerDNSDetectHijacking 0'
> >> With the OpenDNS servers, correctly, listed in the 'resolv.conf' file.
> >
> > You are running tor as a relay, as well as a client? Your 3) affects only relay operations, of course, not client operations. And, AFAIK, the only relay operations affected are exit services, so unless you're running tor as an exit relay, the stuff you did in 3) should effectively change nothing.

Yes indeed, I'm running tor as both relay and client. When I set my client to not resolve DNS queries using the tor network I get the warning messages. (Which of course are as expected.)

> >> My scenario-goal does _still_not_ work because the DNS queries are still seemingly resolved by the tor exit point.
> >>
> > Correct.
> >
> >>So uhmm... Anyone have any ideas how I can accomplish my scenario-goal?
> >>
> > You haven't mentioned your reason(s) for wanting to do such a thing. I surmise that you do not intend to use tor for anonymity but rather for some other end, such as tunneling through a firewall. tor, however, is designed with the aim of preserving anonymity, so it issues those messages to let the user/operator know that some application *may* be breaking anonymity. If your aim is different from that of tor, you may just have to put up with the messages. Given that the messages are logged to a file, if anywhere, is that a problem? You don't *have* to look at them, after all.

My reason(s) for this scenario is so that:
1) I am able to use custom DNS servers for both my client and others that use my exit point, without the warning messages.
2) My, the operator's, custom DNS servers can speed up _and_ aid in anonymity by blocking/re-directing certain domain names to other IPs. Which will, in the case of OpenDNS, return a small HTML with a message telling it's blocked.

Preventing the access to specific domains will, IMHO, improve anonymity for both the relay operator and the client using it as exit point. I came up with this scenario because I wanted to speed up the user experience _and_ kill the web's tracking behaviors as much as I can.

So I admit I understand that for my scenario to work without the warning messages tor needs an extra config option to allow IP-only requests from custom listed IPs in its torrc file. (fe. localhost/127.0.0.1 for the local client)

I understand that one can use Privoxy for even more advanced filtering, but a simple DNS-based filtering system is more than enough for most of the web-tracking systems IMHO. Besides, this approach will even enable tor to utilize bind+rbl :)
It's just IMHO the next step towards _more_ anonymity...

Oh, and about the messages and me not needing to look at them: They are logged to stdout and presented in the log window of vidalia. The rest of the messages are still important enough to be seen by the operator.
tor with OpenDNS as default DNS, using Firefox+FoxyProxy
Hi all,

This is my 1st posting to this list, but nevertheless I'll start straight away with a question/problem if you all don't mind :)

The scenario I want to accomplish is: Using the tor network while DNS queries are resolved using the DNS servers of OpenDNS, without tor complaining with warnings about the client supplying only IP addresses.

What I have done so far is:

1) I have set up my firefox to use FoxyProxy to contact tor on my local machine 127.0.0.1 on its default 9050 port as socks proxy. I have _disabled_ "Use socks proxy for DNS lookups". My scenario-goal works, but this gives the very annoying warning messages, which btw are of course totally to be expected in this case.

2) Same as (1) but this time I have _enabled_ "Use socks proxy for DNS lookups". My scenario-goal does _not_ work because the DNS queries are resolved by the tor exit point.

3) Same as (2) but this time I used the following config options in torrc:
'ServerDNSResolvConfFile C:\Program Files\Tor\resolv.conf' and 'ServerDNSDetectHijacking 0'
With the OpenDNS servers, correctly, listed in the 'resolv.conf' file.
My scenario-goal does _still_not_ work because the DNS queries are still seemingly resolved by the tor exit point.

So uhmm... Anyone have any ideas how I can accomplish my scenario-goal?
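The 'ServerDNSDetectHijacking' option switched off in step 3 is Tor's own check for nameservers that answer queries for names that do not exist: it resolves random nonexistent hostnames and, if the resolver returns an address anyway, concludes the resolver rewrites NXDOMAIN (the behaviour a block page or search page resolver exhibits). The script below is an added stand-alone version of that check for relay operators to run against the nameservers in their resolv.conf; it is not code from this thread or from Tor, and the `constructed_rewriting_resolver` with its documentation-range address is a constructed stand-in, not any real service.

```python
import random
import socket
import string
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]  # hostname -> IPv4 answers, [] on NXDOMAIN


def random_hostname(tld: str = "com", label_len: int = 20) -> str:
    """Build a long random label that nobody can plausibly have registered."""
    alphabet = string.ascii_lowercase + string.digits
    label = "".join(random.choice(alphabet) for _ in range(label_len))
    return f"{label}.{tld}"


def system_resolve(name: str) -> List[str]:
    """Ask the OS resolver (the nameservers in resolv.conf); [] means NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def detect_nxdomain_hijack(resolve: Resolver, probes: int = 3, tld: str = "com") -> Dict[str, object]:
    """Probe a resolver with names that must not exist. An honest resolver
    returns nothing for every probe; one that rewrites NXDOMAIN (to a search,
    block or ad page) answers anyway, usually with one small sink address set."""
    answers: Dict[str, List[str]] = {}
    for _ in range(probes):
        name = random_hostname(tld)
        answers[name] = resolve(name)
    hijacked = [name for name, ips in answers.items() if ips]
    sinks = sorted({ip for ips in answers.values() for ip in ips})
    return {"hijacked": bool(hijacked), "hijacked_probes": len(hijacked),
            "probes": probes, "sink_addresses": sinks}


def constructed_rewriting_resolver(name: str) -> List[str]:
    """Stand-in for a resolver that never says NXDOMAIN (constructed; the address
    is from the documentation range 198.51.100.0/24, not any real service)."""
    return ["198.51.100.10"]


if __name__ == "__main__":
    # Offline demo against the constructed resolver, then the live OS resolver.
    print("constructed rewriting resolver:", detect_nxdomain_hijack(constructed_rewriting_resolver))
    print("this machine's resolver:", detect_nxdomain_hijack(system_resolve))
```

A resolver that returns a block page only for specific listed domains is not caught by random probes; this check finds blanket NXDOMAIN rewriting, which is what trips Tor's detection.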