Domain name based policies (was: Call for discussion: turning funding into more exit relays)

2012/8/1 Roger Dingledine <arma@mit.edu>:
Hi,

While I see how allowing wildcards and domains in policies would be more than challenging, wouldn't it be possible to:
- resolve domain names at Tor startup, and get all associated A and AAAA records
- repeat when the record's TTL is reached

Of course, it wouldn't work for sites that don't advertise all their IPs. It would also require the exit node's operator to run some DNS resolver (or trust an external one), but locally running unbound (for example) is quite simple.

Moreover, the risk evoked in the FAQ is already present: if I poison an exit node's DNS resolver, wouldn't I be able to replace nytimes.com's A record with some bogon, like 0.0.0.0?

Nicolas

Sent from my iPhone 5

On 01.08.2012 at 10:30, "Nicolas Braud-Santoni" <nicolas@braud-santoni.eu> wrote:
This won't work for shared hosts. You would block all websites on that server, not only the domains you wanted. You can only do that by intercepting HTTP, like a proxy.