Discuss mailing list

[Jeff Taylor <shdwdrgn AT sourpuss.net>]

I can see 443 being more widely available, but there's also a higher 
chance of it conflicting with services that the T2 servers admins may 
already be running.  Its a toss-up, for sure.  Perhaps we should just go 
through and test various methods, see what works, then give the server 
operators the option of running any or all methods.  From there, clients 
can choose which server they connect with based on what method they need 
to use to connect.


On 12/17/2011 01:18 AM, Zach Gibbens wrote:
> Been trying to apply a different concept to opennic, been studying
> DNSCrypt http://www.opendns.com/technology/dnscrypt/
> and working out how to apply it to opennic, one issue with ssh is port
> 22 is commonly blocked/filtered/meddled with (in comparison to port
> 443) I've found 5 hotspots that outright blocked port 22, and my
> college was nearly the same way.
>
> I've got my server set to listen to both, and every time 443 is fine
> (and it seems most dpi setups mistake ssh for ssl streams anyhow)
> but this takes it a step further, by making it simply a ssl tunnel to
> a dns server (I'm personally not worried about authentication at this
> moment, as client setup&  dnssec should account for most of those
> concerns at the present)
>
> On Sat, Dec 17, 2011 at 1:41 AM, Jeff Taylor<shdwdrgn AT sourpuss.net>  wrote:
> > Due to some ISPs meddling with user's DNS queries, some people have tried
> > alternate connection methods to obtain OpenNic DNS queries.  From this was
> > born the use of port 5353 (available on a few of the T2 servers), which so
> > far has resolved the issue for those who need it.  However this will not
> > always be the case, as many locations are already using packet inspection to
> > filter the information.
> >
> > Taking this to the next step, I would like to suggest we start testing out
> > dns-over-ssh.  The server side would be set up to accept logins on port 5322
> > (dns/ssh) using a public RSA key, and accept the queries via that port.  The
> > client side would create an ssh tunnel with a fifo to pipe the DNS queries
> > over SSH.  This is fairly easy from linux using ssh and socat, however
> > someone else would need to do the research on methods to do this in Windows.
> >   The nice thing about an SSH tunnel is that it eliminates the need for any
> > other special software -- once the tunnel is in place, all DNS queries from
> > all of your software will automatically be piped through the tunnel to the
> > destination of your choice.
> >
> > This could open up OpenNic to areas that have previously been blocked by
> > company or country-wide firewalls - for instance allowing someone in China
> > to set up a T2 server that could freely obtain the updated zones from other
> > locations via the ssh tunnel.  Servers could control access to their DNS by
> > only accepting ssh connections from users who have the RSA key.  Creating
> > these tunnels allows us to build customized security measures on both the
> > server and client side, designed around the specific needs of each case.
> >
> > Anyway, I thought I would put the idea out there.  Hopefully there is some
> > interest in the concept.
> > _______________________________________________
> > discuss mailing list
> > discuss AT lists.opennicproject.org
> > http://lists.darkdna.net/mailman/listinfo/discuss
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
> http://lists.darkdna.net/mailman/listinfo/discuss