Another approach would be to change the source of the resolver (after all this is OSS, thus it is available in the source repo) to do this.
But I agree with Carlos that there will be many more DNS lookups than you probably expect.
And writing such code needs a thorough design first. What to do with entries that are already there? What when a different IP address is given than the one in an already existing entry, etc.? Most answers to these will be obvious, but it must all be coded.
I find it very hard to believe they can block tor.
If so, then their filtering system is <very> sophisticated and possibly very costly (very unlikely).
This is one of the things the NSA is very unhappy about… They can’t filter tor using common methods which work on other obfuscated protocols and methods.
More than likely they will block you from accessing the tor website to download the tor bundle, but if you can download and install from another source, once the tor bundle is on your machine they can’t block you… Well, very, very unlikely.
On 2014-07-10 17:09, Larry Finger wrote:
> On 07/10/2014 06:26 AM, hcvv wrote:
> No easy way, but one could write a program that monitored the network
> traffic using tcpdump, and matched every nameserver lookup with the
> response, and added every new one to the hosts file. That would
> certainly not be easy. In addition, if you did it badly, you would
> consume the entire computer every time you opened a new web site with a
> lot of ads.
I once used something to dump to a file or display what bind had in
memory… but I can’t find again how I did it.
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
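As an added illustration of the tcpdump-based idea in Larry's quoted text and the design questions hcvv raises in the first post (example code written for this page, not from any poster): it pairs each A? query with its answer by client socket and transaction id from constructed tcpdump-style lines, then merges the results into a hosts map under a "static until proven bad" policy, keeping the existing entry and reporting the disagreement when a later answer differs.

```python
import re

# Constructed sample in the format `tcpdump -n udp port 53` prints; not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.5.51234 > 192.168.1.1.53: 41001+ A? ftp.example.org. (33)
12:00:01.000200 IP 192.168.1.1.53 > 192.168.1.5.51234: 41001 1/0/0 A 203.0.113.10 (49)
12:00:02.000001 IP 192.168.1.5.51235 > 192.168.1.1.53: 41002+ A? mirror.example.net. (36)
12:00:02.000300 IP 192.168.1.1.53 > 192.168.1.5.51235: 41002 1/0/0 A 198.51.100.7 (52)
12:00:03.000001 IP 192.168.1.5.51236 > 192.168.1.1.53: 41003+ A? ftp.example.org. (33)
12:00:03.000400 IP 192.168.1.1.53 > 192.168.1.5.51236: 41003 1/0/0 A 203.0.113.99 (49)
12:00:04.000001 IP 192.168.1.5.51237 > 192.168.1.1.53: 41004+ A? nowhere.example. (33)
12:00:04.000500 IP 192.168.1.1.53 > 192.168.1.5.51237: 41004 NXDomain 0/1/0 (91)
"""

QUERY_RE = re.compile(r"IP (?P<src>\S+) > \S+: (?P<id>\d+)\+ A\? (?P<name>\S+?)\.? \(")
RESPONSE_RE = re.compile(r"IP \S+ > (?P<dst>\S+): (?P<id>\d+)[*-]* (?:NXDomain )?\d+/\d+/\d+(?P<rest>.*)")


def parse_capture(text):
    """Return [(name, [ipv4, ...]), ...] in capture order; NXDomain or an
    answer-less response yields an empty address list."""
    pending = {}   # (client ip.port, transaction id) -> queried name
    results = []
    for line in text.splitlines():
        q = QUERY_RE.search(line)
        if q:
            pending[(q.group("src"), q.group("id"))] = q.group("name")
            continue
        r = RESPONSE_RE.search(line)
        if r:
            name = pending.pop((r.group("dst"), r.group("id")), None)
            if name is None:
                continue  # answer to a query we never saw; ignore it
            results.append((name, re.findall(r"\bA (\d+\.\d+\.\d+\.\d+)", r.group("rest"))))
    return results


def merge_into_hosts(hosts, answers):
    """Static-until-proven-bad: a name already in `hosts` keeps its address;
    a differing later answer is recorded as a conflict for a human to judge."""
    conflicts = []
    for name, ips in answers:
        if not ips:
            continue  # nothing to cache for NXDomain / empty answers
        if name in hosts:
            if hosts[name] != ips[0]:
                conflicts.append((name, hosts[name], ips[0]))
        else:
            hosts[name] = ips[0]
    return hosts, conflicts


def render_hosts(hosts):
    """Format the map as /etc/hosts lines."""
    return "".join(f"{ip}\t{name}\n" for name, ip in sorted(hosts.items()))
```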
> More than likely they will block you from accessing the tor website to
> download the tor bundle, but if you can download and install from
> another source, once the tor bundle is on your machine they can’t block
> you… Well, very, very unlikely.
But tor needs to resolve some names to start, and they are blocking
DNS. Once tor is running, it should keep running.
Or does tor know what addresses to reach to start service without asking
DNS? It could be… :-?
I don’t know much about tor internals, but emule has first to download
some lists from known addresses, to get a list of “list servers”:
machines that simply store lists of files and where they were seen last,
and lists of peers connected to the network.
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
tor does not need local DNS.
I haven’t looked at how tor does this, but I suspect some default addresses are embedded in the bundle just to get started. Once it reaches a valid and responding node, it downloads a more current list of gateway nodes (which is always changing). Because the connection is encrypted, it wouldn’t be easy for someone to filter the content for those seed nodes.
It’s probably a variation on what you’d see if you ever saw how RH/CentOS/Fedora repositories are configured and accessed.
> Yes, they block tor, DNS, etc. If you’ve been taking note, then you
> would notice that I’ve been interested in the kernel for some time, but
> guess what, IRC is blocked too, yipe! (if you don’t want 900 messages
> per week in your email box then you use IRC to kernel.org to talk to
> people.) I’m not quite sure why they block what they block, it seems
> almost haphazard (but the blocking of ports is definitely preplanned.)
> I guessed that if I set up a DNS server on my machine then I’d be at a
> much greater risk for getting incorrect routing info because I visit
> more than one access point. I’d also have to deal with their and others’
> DNS servers not having the entry at all.
I suspect that they get a list of the computers running tor (on top of the fact that they block most of the ports so only a few tor nodes would get through in the best case scenario.) Either that or the nodes don’t like my computer. They also block the tor website.
I seriously doubt that IP addresses of servers change frequently though, so that’s why I thought that using a static-until-proven-bad cache in /etc/hosts was a good idea.
On 2014-07-16 16:16, tsu2 wrote:
> robin_listas;2653841 Wrote:
>> Have a look at this mail thread.
>> Apparently, his ISP, sprint, blocks and/or intercepts all dns queries to
>> other dns servers, so that you are forced to use the ISP own dns servers
>> only. And they modify the results adding ads.
>> So he needs to get DNS data without his ISP meddling. Basically the
>> same problem as yours, but in his case, more insane.
A solution has been proposed in there, to get DNS data via another
port and daemon, a tunnel to opendns, I think. If that solution works in
Linux, it would mean not taxing the TOR network.
> No big deal for tor.
> DNS queries are not made over the normal encrypted port, they are made
> over an encrypted connection that looks from the outside like any other
> My previous post had a finger fehler, hope people understand what I
> really meant… tor DNS queries are <not> made over an UNENCRYPTED port
> like regular DNS.
> Should not matter exactly which port, but is most likely over 443 (the
> standard ssl port). I haven’t checked the details, I’ve only observed
> what happens.
But you see, the OP has a problem, that his library actively blocks many
ports. The only port a restrictive site leaves almost always alone is #80.
> Typically, if you wanted a complete suite of apps that avoid blocking
> and grant improved anonymity, you might want to consider running tails
> on a USB stick or LiveCD
Thanks, I’ll try having a look at that, to learn what it is about. When
I get back home, that is.
Yes, robin, I did look it up, but I have, as I said, trouble connecting to the tor network, and I don’t really think that using tor is the greatest idea anyway. I mean, the PUBLIC libraries should not be blocking. I find no state laws saying that they are allowed to do so, or not. Therefore using tor is treating the symptom, not the cause. If I really wanted to stop the blocking I’d be talking to the Electronic Frontier Foundation ( eff.org ) and suing, not using tor and keeping my mouth shut. I don’t have time or money for a lawsuit right now, so I access the blocked content through friends’ wifi points once in a while. I continue to voice my desire for an open web, but I’m afraid nothing is going to be done by just one lonesome soul out there. Normal people, when they see a blocked or error message, think of how nice it is that the computer did not crash and they can continue browsing, or they just think how nice it is that the libraries have a policy to “protect” them; I’m witness to this. I’ve not tried tor in a while and I know that many nodes have been added in the recent “tor challenge”, but ultimately, if people don’t fight for their freedoms then they will not have any, as can be witnessed by the current situation. If I need help with tor I’ll ask. All I wanted was to maintain a cache of servers, normally ftp, which I believe, but can’t prove, are not blocked, but rather just have their DNS info missing from the DNS servers. Your sympathy is cheering but misplaced; this is the USA, the “Home of the FREE and the brave”. I should not even have to think of tor until I move to another controlling country. If anything should be being done, tor is not it; rather the perpetrators of these ridiculous and unconstitutional blocks should be thrown in jail. Are those in charge of the blocking really capable of determining what is right to view and wrong? Are they GOD?
Are they even closely intelligent enough to grasp all the sciences so that they can determine what is true/right and what is false/wrong? Education brings about all the arts (the painter can’t paint if you prevent her from learning,) ergo why do they block so many of the computer science websites? Are they trying to create an easily controlled people by preventing education except where and what they desire it? People and politicians complain about the churches preventing and controlling reason; I say, “Look who is talking!” True, some things are no-brainers, but they block a lot more than child abuse websites. They may block other things, I have not fully tested all the sites that exist out there, but my original post was about DNS errors, not blocking, so let us let the topic rest. I’m subscribed to the tor mailing list, so I can post there.