
Re: [opennic-discuss] SSH tunneled DNS access & SSH/SSL muxing


  • From: "Alex M (Coyo)" <coyo AT darkdna.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] SSH tunneled DNS access & SSH/SSL muxing
  • Date: Wed, 17 Apr 2013 16:06:12 -0500

Where art thou, DNSCurve, DNSCrypt, DNSSEC and DANE?

On 04/17/2013 02:53 PM, Guillaume Parent wrote:
We could start signing our updates, or integrating an ipsec infrastructure in the project. It's a lot of additional complexity to manage though.


On Wed, Apr 17, 2013 at 8:50 AM, Maximi89 <maximi89 AT gmail.com> wrote:
What about the DNS servers of OpenNIC? Do they transmit the data over SSH between them? Because what will happen tomorrow when they decide to block the data between all DNS servers, or spy on what they transmit?

Don't they do that already? Anyone not using encryption everywhere is stupid. Stupid.

Stupid.



2012/11/12 Peter Green <peter AT greenpete.free>

Indeed, and I hope I haven't distracted you or anyone else from your
point :-/

A censorship free D.N.S. system is indeed a worthy objective!

Have I mentioned CJDNS, yet?

DNSSEC+DANE is an absolute mandatory must, but
I'd go a step further and implement DNSCurve, and
CJDNS between nameservers (it's an overlay network, very very fast!).

A DNSCurve accelerator is here: http://curvedns.on2it.net/about

DNSCrypt may be a good idea as well. It is here: http://dnscrypt.org/

Feel Enjoy! :D



On 12/11/12 18:07, Panesar, Amrit wrote:
> Haha, indeed and so far human nature has yet to surprise me,
> people are assholes.

Surprise, surprise!

> TQP clearly doesn't care whether our data goes
> out, on to the internet, 'naked' or not. It seems that they just
> want to make a quick buck - and even in 6 years, I don't believe
> they will be able to sue every single person that has come in
> contact with their technology and further emphasizes my idea that
> software patents should be abolished :P

ALL patents should be abolished, and copyrights, too.
Trademarks and any such ilk I'd prefer abolish as well, but I'm willing to settle
for the abolition of patents and copyrights, and the disbanding of the patent office entirely.

I want to see all of them without jobs.

>
> However, we shouldn't let that deter us from considering the
> possibility of a censorship-free DNS system

I've been telling everyone that SSL/TLS sucks donkeyballs,
but not one ever listens to me, do they?

Welp. This is why I'm currently working on a new cryptosystem based
on NaCl, MsgPack and ZeroMQ.

It also uses a lot of interesting projects, but I'm keeping the implementation details
close to my chest before I publish and demonstrate my proof-of-concept,
and then laugh in everyone's face at freenode and elsewhere, especially those
who ridiculed me and treated me with scorn and condescension.

They called me mad, but I'll show them. I'll show them all! *dramatic lightning pose*

> On 12/11/12 17:55, Panesar, Amrit wrote:
>> I have come across a theory for universal, direct DNS
>> especially for those behind company or country bound
>> firewalls.
>>
>> I have recently come across SSHTTP
>> (https://github.com/stealth/sshttp). This program multiplexes
>> HTTP SSL with SSH because of banners, (there is a more
>> in-depth explanation on the project page).

That's really clever!

>> What we are to do is mux a
>> clean SSL site with SSH; thus, when the firewall goes to
>> probe the site, it returns a valid site and we will also be
>> able to SSH. With the help of your favorite ssh client, we
>> can tunnel your DNS packets over SSH on port 443 and be able
>> to evade all firewalls that stand in the way thus giving
>> everyone access to OpenNIC.

O: *is speechless*

>> We can even take it a step
>> further and add a SSH client-helper to a web browser (like
>> chromium/canary) to further integrate the experience.

I nerdgasmed so hard just now. Dx

...

So, wait. Any SSH-compatible client can access an SSH server masquerading as a typical HTTPS service? O:

Wouldn't that include SCP and SSHFS?

I wonder if there's a way to automagically open incoming ports on a remote SSH server that could be included TRIVIALLY as a standard proxy option in any foss application?

(think XChat, Pidgin, Firefox/Thunderbird or Ekiga)

That would be COOL, and should be something trivial to implement.

Heck, I could do it in python fairly easily.
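The two mechanisms discussed in this thread, the SSH/HTTPS muxing on port 443 that sshttp does and the DNS query that then rides an SSH port-forward, as an added worked example. This is illustrative code written for this archive page, not sshttp's, OpenNIC's or any poster's code: the backend addresses and ports, the `ssh -L` port number, the "silent client is SSH" fallback and all sample bytes are hypothetical or constructed for the demo. It shows (1) how a client's first bytes distinguish an SSH identification string from a TLS ClientHello or a plain HTTP request, (2) a peek-then-forward proxy that replays the peeked bytes to the chosen backend, and (3) the 2-byte length framing that DNS needs when it is carried over the TCP-only SSH tunnel.

```python
"""Added example for this thread (not sshttp's or OpenNIC's code): peek-and-forward
demux of SSH and TLS on one port, plus DNS-over-TCP framing for the tunnelled query.
Backends, ports and sample bytes are hypothetical / constructed for the demo."""
import asyncio
import socket
import struct

# ---- 1. Classify a client by its opening bytes --------------------------------
# An SSH client sends its identification string "SSH-2.0-..." (RFC 4253) first; a
# TLS client sends a ClientHello whose record header begins 0x16 0x03 (handshake,
# major version 3); a plain HTTP client starts with a method token.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify_first_bytes(data: bytes) -> str:
    """Return 'ssh', 'tls', 'http', 'unknown', or 'need_more' (fewer than 4 bytes seen)."""
    if len(data) < 4:
        return "need_more"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "http"
    return "unknown"

# ---- 2. Peek, pick a backend, replay the peeked bytes, then pump both ways -----
BACKENDS = {"ssh": ("127.0.0.1", 22), "tls": ("127.0.0.1", 8443)}  # hypothetical

async def _pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()

async def handle_client(reader, writer, peek_timeout: float = 2.0) -> None:
    try:
        first = await asyncio.wait_for(reader.read(16), peek_timeout)
    except asyncio.TimeoutError:
        first = b""  # client has said nothing yet
    kind = classify_first_bytes(first)
    # Demo assumption: a silent client is an SSH client waiting for the server's
    # banner, so it goes to sshd; everything that is not SSH goes to the TLS backend.
    target = BACKENDS["ssh"] if kind in ("ssh", "need_more") else BACKENDS["tls"]
    try:
        up_r, up_w = await asyncio.open_connection(*target)
    except OSError:
        writer.close()
        return
    up_w.write(first)  # the backend must see the bytes consumed while peeking
    await up_w.drain()
    await asyncio.gather(_pump(reader, up_w), _pump(up_r, writer))

async def run_mux(host: str = "0.0.0.0", port: int = 443) -> None:
    server = await asyncio.start_server(handle_client, host, port)
    async with server:
        await server.serve_forever()

# ---- 3. DNS over the tunnel: `ssh -L` carries TCP only, so frame the query for
# DNS-over-TCP (RFC 1035 4.2.2): a 2-byte big-endian length precedes the message.
def build_tcp_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Length-prefixed DNS query for `name` (qtype 1 = A, 28 = AAAA), RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_response(blob: bytes) -> dict:
    """Parse the header of a length-prefixed DNS response (ID, QR, RCODE, ANCOUNT)."""
    (length,) = struct.unpack("!H", blob[:2])
    msg = blob[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated DNS-over-TCP message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "answers": an}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the tunnel mid-message")
        buf += chunk
    return buf

def query_via_tunnel(name: str, local_port: int = 5353) -> dict:
    """One A query through e.g. `ssh -p 443 -L 5353:127.0.0.1:53 user@host` (hypothetical)."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(build_tcp_query(name))
        prefix = _recv_exact(s, 2)
        body = _recv_exact(s, struct.unpack("!H", prefix)[0])
    return parse_tcp_response(prefix + body)
```

Two caveats a practitioner would want next to this. First, the mux hides SSH from port-based blocking and from active probes (a prober that speaks TLS gets the real site), but the client's "SSH-2.0-..." identification string still crosses the wire in clear, so inspection of the client's first packet identifies the connection as SSH just as it would on port 22; only something like the NaCl-based transport or DNSCurve/DNSCrypt mentioned earlier in the thread changes that. Second, `ssh -L` forwards TCP only, while a stub resolver normally sends UDP, so either the stub must be told to use TCP or a small local UDP-to-TCP forwarder has to sit in front of the tunnelled port; the length framing above is exactly what that forwarder must add and strip.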


