[dnssec-deployment] test.mx. online signing

Dan Mahoney, System Admin danm at prime.gushi.org
Tue May 8 01:16:43 EDT 2007


On Mon, 7 May 2007, Paul Vixie wrote:

>>> in a hotel, you've gotta vpn your dns traffic back to a server you trust.
>>
>> That would be the dnssec-enabled caching recursive nameserver running
>> on 127.0.0.1?
>
> won't help.  udp/53 is trapped by the hotel and sent to NAT purgatory.
> doesn't matter whether you're using EDNS or not, TSIG or not, DNSSEC or
> not, large packets, small packets, IPv4, IPv6.  they want to be able to
> send you a fake response indicating that the A RR of wherever you were
> going is actually some RFC 1918 proxy that they control.  often, if you
> don't ask an A RR question, they don't even send you an answer.

Very often, until you go to that fake redirect page and agree to some
billing policy or whatnot, you're effectively totally blocked from all
traffic, and I've even seen cases that say "if you're not making DNS
queries, you must magically be not-really-online, so expire the cookie
that's letting you be online".

Personally, considering my philosophy of "just ssh somewhere and work from 
there" I've found it rather counterproductive to have to open a browser 
every two hours because the proxy server thinks I must be dead.

-Dan

> if you want DNS to work, you have to protect your hotel-originated udp/53
> traffic by putting it into a secure tunnel of some kind.  generally hotels
> do not interfere with TCP/443 (SSL HTTP) since they fear reprisals from
> the fortune 1000 who generate nontrivial revenue that way, and whose
> employees use it while travelling in order to reach corporate MS/Exchange
> servers.  SSL isn't something hotels can intercept unless they send their
> own certificate using somebody else's domain names, which i've seen done
> outside the US but not anywhere that FTC holds sway.  so when i'm travelling
> i'm prepared with various unixy tools that open ip tunnels inside TCP/443
> with normal SSL covering.  my dns traffic is never seen.  ymmv.
>
> #############################################################
> This message is sent to you because you are subscribed to
>  the mailing list <dnssec-deployment at shinkuro.com>.
> To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> A public archive is available here: <http://mail.shinkuro.com:8100/Lists/dnssec-deployment/>
> and older material is at
> <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
>

--

"There is no right and wrong, there is only fun and boring."

-Fisher Stevens, "Hackers"

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
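As an added example (not part of this thread or of anyone's posted code), a detector for the hijack Paul describes: parse a DNS response off the wire and flag a public name whose A record has been rewritten into RFC 1918 or other non-public space. The two responses below are constructed sample bytes for www.example.com, not real captures; in practice you would feed it the bytes the hotel resolver returns for a name whose real address you already know.

```python
"""Detect a captive-portal DNS hijack: a public name answered with a non-public address."""
import ipaddress
import struct

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (RFC 1035 labels or pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def a_records(msg: bytes) -> list[str]:
    """IPv4 addresses in the answer section of a DNS response (wire format)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                 # skip question section
        off = _skip_name(msg, off) + 4  # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def looks_hijacked(msg: bytes) -> bool:
    """True if any answer points the name into RFC 1918, loopback, link-local or CGNAT space."""
    return any(not ipaddress.ip_address(a).is_global for a in a_records(msg))

# Constructed sample responses (not real captures) for the question www.example.com A IN.
_HDR = bytes.fromhex("1234 8180 0001 0001 0000 0000")          # id, QR|RD|RA, 1 Q, 1 answer
_Q = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"   # QNAME, QTYPE=A, QCLASS=IN
_ANS = b"\xc0\x0c" + b"\x00\x01\x00\x01" + b"\x00\x00\x00\x3c" + b"\x00\x04"  # ptr, A, IN, TTL 60, len 4
HOTEL_RESPONSE = _HDR + _Q + _ANS + bytes([10, 0, 0, 1])         # the portal's RFC 1918 proxy
HONEST_RESPONSE = _HDR + _Q + _ANS + bytes([93, 184, 216, 34])   # a public address

if __name__ == "__main__":
    for label, resp in (("hotel", HOTEL_RESPONSE), ("honest", HONEST_RESPONSE)):
        print(label, a_records(resp), "hijacked" if looks_hijacked(resp) else "ok")
```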