
[opennic-discuss] Alternate query methods


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: OpenNIC discussion <discuss AT lists.opennicproject.org>
  • Subject: [opennic-discuss] Alternate query methods
  • Date: Fri, 16 Dec 2011 23:41:00 -0700
  • List-archive: <http://lists.darkdna.net/pipermail/discuss>
  • List-id: <discuss.lists.opennicproject.org>

Due to some ISPs meddling with users' DNS queries, some people have tried alternate connection methods to obtain OpenNic DNS queries. From this was born the use of port 5353 (available on a few of the T2 servers), which so far has resolved the issue for those who need it. However this will not always be the case, as many locations are already using packet inspection to filter the information.

Taking this to the next step, I would like to suggest we start testing out dns-over-ssh. The server side would be set up to accept logins on port 5322 (dns/ssh) using a public RSA key, and accept the queries via that port. The client side would create an ssh tunnel with a fifo to pipe the DNS queries over SSH. This is fairly easy from linux using ssh and socat, however someone else would need to do the research on methods to do this in Windows. The nice thing about an SSH tunnel is that it eliminates the need for any other special software -- once the tunnel is in place, all DNS queries from all of your software will automatically be piped through the tunnel to the destination of your choice.

This could open up OpenNic to areas that have previously been blocked by company or country-wide firewalls - for instance allowing someone in China to set up a T2 server that could freely obtain the updated zones from other locations via the ssh tunnel. Servers could control access to their DNS by only accepting ssh connections from users who have the RSA key. Creating these tunnels allows us to build customized security measures on both the server and client side, designed around the specific needs of each case.

Anyway, I thought I would put the idea out there. Hopefully there is some interest in the concept.
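The client-side plumbing described above (an SSH tunnel plus something to pipe the resolver's UDP queries through it), as an added example that is not from this post or from the OpenNIC project: a small Python shim that sits between a local stub resolver and an already-established `ssh -L` forward, adding the length framing DNS needs on a TCP stream. It assumes the forward shown in the docstring (host name, key path and local port 5300 are placeholders) and that the server's authorized_keys entry for that key restricts the account to this forward (for example OpenSSH's `restrict,port-forwarding,permitopen="127.0.0.1:53"`).

```python
"""UDP-to-TCP shim letting a stub resolver use a DNS-over-SSH tunnel.
Assumed (not from the post): a forward such as
  ssh -N -p 5322 -i ~/.ssh/opennic_dns -L 5300:127.0.0.1:53 dns@t2.example
already makes 127.0.0.1:5300 a TCP path to the T2 resolver. SSH forwards are
TCP streams but resolvers send UDP datagrams, so each query is relayed with
the 2-byte length prefix DNS uses on TCP (RFC 1035 section 4.2.2)."""
import socket
import struct

def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length for TCP."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def unframe(buf: bytes):
    """Split one framed message off buf: (message, rest), or (None, buf) if incomplete."""
    if len(buf) < 2:
        return None, buf
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]

def read_framed(sock: socket.socket) -> bytes:
    """Read exactly one length-prefixed message from a connected TCP socket."""
    buf = b""
    while True:
        msg, buf = unframe(buf)
        if msg is not None:
            return msg
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("tunnel closed mid-message")
        buf += chunk

def relay_query(query: bytes, tcp_addr=("127.0.0.1", 5300), timeout=5.0) -> bytes:
    """Send one DNS query over the forwarded TCP port and return the reply."""
    with socket.create_connection(tcp_addr, timeout=timeout) as s:
        s.sendall(frame(query))
        return read_framed(s)

def serve(udp_addr=("127.0.0.1", 5355), tcp_addr=("127.0.0.1", 5300)):
    """Accept UDP queries from a local resolver and relay each over the tunnel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.bind(udp_addr)  # e.g. dnsmasq: server=127.0.0.1#5355
        while True:
            query, client = u.recvfrom(4096)
            try:
                u.sendto(relay_query(query, tcp_addr), client)
            except (OSError, ConnectionError) as exc:
                print(f"relay failed for {client}: {exc}")  # resolver will retry
```

Each query opens its own TCP connection through the forward, which keeps the shim simple at the cost of one extra round trip per lookup; a single persistent connection would be a natural next step.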

Archive powered by MHonArc 2.6.19.