[ooni-dev] Understanding how client resolver is determined
Khairil Yusof
khairil.yusof at sinarproject.org
Wed Aug 3 11:05:16 UTC 2016
On Rab, 2016-08-03 at 12:34 +0200, Arturo Filastò wrote:
> Hi Khairil,
>
> The system resolver is determined by querying a public service run by
> akamai called whoami.akamai.net.
>
> You can see our implementation of such service to see how it works
> here:
> https://github.com/TheTorProject/ooni-backend/blob/master/oonib/testh
> elpers/dns_helpers.py#L26
>
> We don’t use our own servers for doing this as we are assuming that
> using a public service vs using
> something hosted on a ooni.* domain is more stealth.
>
> The basic idea behind how it works is that you do an A lookup for a
> special domain and the delegated
> authoritative name server will reflect back the IP address from where
> the query originated.
>
> The reason why you are seeing a different IP than that where you are
> directing your queries to is that
> quite often DNS resolvers are deployed in a way where the machine
> actually doing the queries and
> then caching them are different than those where you make queries to.
>
> As an example with the google DNS resolver you will see this:
>
> $ dig +short whoami.akamai.net @8.8.8.8
> 74.125.47.143
>
> However you can confirm that actually that IP is in the range
> allocated to google:
>
> $ whois 74.125.47.143 | grep ^Organization
> Organization: Google Inc. (GOGL)
>
> Hope this answers your question.
>
> ~ Arturo
Thanks Arturo, that's a very clear explanation and also the pointer to
the code.
<snip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: This is a digitally signed message part
URL: <http://lists.torproject.org/pipermail/ooni-dev/attachments/20160803/58af17d5/attachment.sig>
More information about the ooni-dev
mailing list