On Sun, 12 Mar 2017 03:18:59 -0400,
"Walter Dnes" <waltd...@waltdnes.org> wrote:

>   Starting a separate topic, rather than hijack the main thread...
> 
> On Fri, Mar 10, 2017 at 01:50:26PM -0600, Corbin Bird wrote
> > 
> > 6 # : ISP is starting to filter customers web access. The ISP is
> > deciding what sites customers are allowed to see. ( look up the
> > practice called "ransom" ).  
> 
>   Does this consist of grabbing outbound traffic to port 53?  If so, I
> wonder if the following is possible...
> 
> * Can a POTS dialup or a wifi connection co-exist with a broadband
>   connection?  It would make the network config and route config more
>   complex.

Complex? Not really. Just put static DNS IPs into your resolver config,
and add a static route for these destinations:

for tunnel devices like ppp:
# route add 8.8.4.4 dev ppp-interface

or 

for LAN router:
# route add 8.8.4.4 gw ip-of-your-dialup-router

And then do not let the dialup line set a default route.

> * If yes, can iptables be used to redirect only outbound-to-port-53
>   traffic to the dialup/wifi connection, with everything else going to
>   the broadband connection?

You could, but this becomes more complicated. I think this would have to
go into the pre-routing chain. But I don't recommend fiddling around
with that.

> * Another option, if you know the alternate DNS server address in
>   advance, set up routing of the /32 (for the alternate DNS server)
>   to ppp0 or wlan0 with higher priority than the default route.  This
>   doesn't require any iptables magic.

As stated above... And you don't need to set higher priority. The best
matching rules are always tried before routing rules with lower
matching destinations; that means /32 destination rules are matched
before /24 destination rules, and so forth. The default gateway is
matching IP destination 0/0. The priority is only considered when
multiple equally matching rules are found. Just remove the default
route via the ppp route to ensure nothing else will go over the slow
link.

> * Can the standard linux network stack handle this properly, and use
>   incoming DNS responses from the dialup/wifi connection for the IP
>   addresses of websites, etc. to be accessed via broadband?

I don't see problems here. DNS is one request, HTTP is another. As long
as your broadband DNS doesn't resolve to some proxy IPs all should be
fine.

>   DNS traffic is low volume, usually fitting into 1 packet.  So it
> would be feasible to divert DNS requests to a lower-speed connection.
> The broadband ISP would handle all the high-speed website, etc., traffic
> but it would not see any DNS traffic, and would not be able to
> intercept it.

Yes.


-- 
Regards,
Kai

Replies to list-only preferred.

