Sent from my iPhone 5
On 01.08.2012 at 10:30, "Nicolas Braud-Santoni"
<nico...@braud-santoni.eu> wrote:
> 2012/8/1 Roger Dingledine <a...@mit.edu>:
>> On Tue, Jul 31, 2012 at 11:21:01AM +0100, mick wrote:
>>> Question for tor developers. How hard would it be to change the logic
>>> (and syntax) of exit policy in tor to allow domain based formulations
>>> like:
>>>
>>> reject *.gmail.com
>>> reject *aol.com
>>
>> Very hard.
>>
>> https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#ExitpoliciesshouldbeabletoblockwebsitesnotjustIPaddresses
>
> Hi,
>
> While I see how allowing wildcards and domains in policies would be
> more than challenging, wouldn't it be possible to :
> - resolve domain-names at Tor startup, and get all associated A and AAAA
> records
> - Repeat when record's TTL is reached.
>
This won't work for shared hosts. You would block all websites on that server,
not only the domains you wanted. You can only do that by intercepting HTTP,
like a proxy.
> Of course, it wouldn't work for sites that don't advertise all their IPs.
>
> It would also require the Exit node's operator to run some DNS
> resolver (or trust an external one), but locally running unbound (for
> example) is quite simple.
> Moreover, the risk evoked in the FAQ is already present: if I poison
> an exit node's DNS resolver, wouldn't I be able to replace the nytimes.com
> A record with some bogon, like 0.0.0.0?
>
> Nicolas
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
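The exchange above describes a scheme (resolve the names in a domain-based exit policy to A/AAAA records, re-resolve when the TTL expires, then block the resulting addresses) and the objection to it (on a shared host, blocking the IP blocks every site on that server). The following is an added example, not code from the thread or from Tor: it compiles `reject <pattern>` rules into IP rules against a constructed, in-memory DNS table, caches answers per TTL, and reports which unrelated names would be blocked as collateral damage. Because a wildcard such as `*aol.com` cannot be enumerated through DNS, the compiler has to be given an explicit list of candidate names to resolve; that list, the addresses, and the TTLs are all constructed for the example.

```python
"""Compile domain-based exit-policy rules into IP rules (added example)."""
import fnmatch
import ipaddress

# Constructed DNS data: name -> list of (record type, address, TTL seconds).
# www.aol.com and blog.example.org deliberately share one address (shared host).
FAKE_DNS = {
    "mail.gmail.com": [("A", "192.0.2.10", 300), ("AAAA", "2001:db8::10", 300)],
    "www.aol.com": [("A", "192.0.2.20", 60)],
    "blog.example.org": [("A", "192.0.2.20", 60)],
    "www.example.net": [("A", "192.0.2.30", 3600)],
}


def parse_rule(line):
    """Parse 'reject *.gmail.com' / 'accept *' into (action, lower-cased pattern)."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action}")
    return (action, pattern.lower())


class CachingResolver:
    """Answers from the constructed table; re-resolves only when the TTL has expired."""

    def __init__(self, table):
        self.table = table
        self.cache = {}     # name -> (expires_at, [ip_address objects])
        self.lookups = 0    # counts real (non-cached) lookups for inspection

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[0]:
            return hit[1]
        self.lookups += 1
        records = self.table.get(name, [])
        addrs = [ipaddress.ip_address(addr) for _, addr, _ in records]
        ttl = min((ttl for _, _, ttl in records), default=0)
        self.cache[name] = (now + ttl, addrs)
        return addrs


def compile_policy(rules, candidate_names, resolver, now):
    """Return (ip_rules, collateral).

    ip_rules maps an address to "reject" when any name resolving to it is
    rejected by the first matching rule.  collateral maps a rejected address to
    the names that also resolve to it but match no reject rule: the sites that
    would be blocked purely because they share the host.
    """
    name_action = {}
    for name in candidate_names:
        for action, pattern in rules:
            if fnmatch.fnmatchcase(name.lower(), pattern):
                name_action[name] = action
                break
        else:
            name_action[name] = "accept"   # default when no rule matches

    ip_rules, ip_names = {}, {}
    for name, action in name_action.items():
        for addr in resolver.resolve(name, now):
            ip_names.setdefault(addr, set()).add(name)
            if action == "reject":
                ip_rules[addr] = "reject"

    collateral = {}
    for addr in ip_rules:
        innocent = {n for n in ip_names[addr] if name_action[n] == "accept"}
        if innocent:
            collateral[addr] = innocent
    return ip_rules, collateral


def exit_decision(ip_rules, dst):
    """What the compiled, IP-only policy does with a destination address."""
    return ip_rules.get(ipaddress.ip_address(dst), "accept")


if __name__ == "__main__":
    rules = [parse_rule(l) for l in ("reject *.gmail.com", "reject *aol.com")]
    resolver = CachingResolver(FAKE_DNS)
    ip_rules, collateral = compile_policy(rules, list(FAKE_DNS), resolver, now=0)
    for addr, names in collateral.items():
        print(f"blocking {addr} also blocks unrelated names: {sorted(names)}")
    print("192.0.2.30 ->", exit_decision(ip_rules, "192.0.2.30"))
```

Running it shows the objection in concrete form: the two reject rules turn into three rejected addresses, and the report flags that `192.0.2.20` also carries `blog.example.org`, which no rule names. The TTL cache also makes the second point of the thread visible: whatever the resolver returns is trusted until expiry, so a poisoned answer would be compiled straight into the policy for that long.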