tor provided me first warning of corrupted ISP name servers
Sven Anderson
sven at anderson.de
Sun Aug 24 20:52:51 UTC 2008
On 24.08.2008 at 20:26, Drake Wilson wrote:
> Quoth Sven Anderson <sven at anderson.de>, on 2008-08-24 19:08:57 +0200:
>> Are these tests done by the tor software? I think these tests are not
>> valid, since services like OpenDNS.com reply to _every_ name with an
>> address:
>
> DNS semantics say that when a name does not exist, you receive an
> NXDOMAIN response. Returning an arbitrary A record instead breaks the
> semantics of the Internet. You may consider this valid for your own
> network, and that is okay, but inflicting changes to Internet
> semantics on Tor exit traffic is a classic bad exit scenario.
This is true for authoritative DNS servers. OpenDNS is not part of it,
but a pure resolving service, so they can do what they want, and users
can choose to use it or not. But I see your point that there is a
conflict if a Tor exit node is using such a service. But Tor node
operators might be forced to use it, so I suggest looking at this with
less dogma and more reason, trading off the pros against the cons.
> Supposedly it is possible to submit a control request to OpenDNS to
> turn this behavior off for certain source addresses; I haven't
> confirmed this first-hand. If this is true, I imagine that Dan
> Kaminsky &c. would also tell people to issue this request if they
> started forwarding to OpenDNS for other unrelated people in a
> non-temporary fashion.
Kaminsky didn't mention it, at least not in his blog. He wrote for
example on July 27:
"Patch, and verify the patch is working (NATs continue to be a
headache). If it’s not working, forward to something that is.
OpenDNS has capacity to spare."
(http://www.doxpara.com/?p=1194)
You can switch off a lot of things, and I guess then they will also
not answer the non-existing domains. However, that only works for
static IP addresses (which is true for most Tor nodes I assume).
>> Can I switch off these tests in tor?
>
> Short answer: don't.
Well, if one is forced to use such a service, because his own DNS
servers are vulnerable to cache poisoning, he wouldn't be able to run
a Tor node then.
Cheers,
Sven
--
http://sven.anderson.de
tel: +49-551-9969285
mobile: +49-179-4939223

"Believe those who are seeking the truth.
Doubt those who find it."
(André Gide)
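Added example, not code from this thread or from Tor: a standard-library Python check for the resolver behaviour under discussion. It asks a resolver about a random label that cannot exist and classifies the reply as an honest NXDOMAIN or as a rewritten answer (an A record for a nonexistent name); constructed replies let the classifier be exercised offline. The parent zone example.com, the sinkhole address 192.0.2.1 and all function names are my assumptions.

```python
import random, socket, struct
NXDOMAIN = 3  # RCODE an honest resolver returns for a name that does not exist

def encode_name(qname):
    return b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"

def build_query(qname, txid=0x1234):
    # A-record query with the RD (recursion desired) bit set
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(query, rcode, addresses):
    # Constructed resolver reply: echoes the question, sets RCODE, appends one A record per address
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a) for a in addresses)
    return header + query[12:] + rrs

def skip_name(msg, off):
    # Return the offset just past a name; a compression pointer (top two bits set) ends it
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_response(msg):
    # "nxdomain": honest; "hijacked": A records for a name that cannot exist; "other": SERVFAIL, empty, ...
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if (flags & 0xF) == NXDOMAIN:
        return "nxdomain"
    return "hijacked" if (flags & 0xF) == 0 and addrs else "other"

def probe_resolver(resolver_ip, timeout=3.0):
    # Live check (needs network): ask about a random label that cannot exist under example.com
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(24))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(label + ".example.com."), (resolver_ip, 53))
        return classify_response(s.recv(512))
```

An exit operator can run probe_resolver() against each resolver the node is configured to use; any result other than "nxdomain" means the resolver rewrites nonexistent names in the way discussed above.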