[dns-privacy] A depraved test

2015-01-12 Thread Warren Kumari
Hi there all.

I've created a quick and dirty test to try and get a better handle on
what middleboxes will do with non-DNS traffic on port 53.[0]

This is simply a webserver that listens on TCP port 80 and TCP port
53. It also includes the IP address it thinks you came from (just in
case some extra bizarre middlebox forwards all port 53 to some other
address than it NATs you to...)

Anyway, I turned it up, and pointed Chrome at
http://dpraved.snozzages.com:80/ and everything worked...
I then browsed to http://dpraved.snozzages.com:53/ and got a failure.
I figured this was a useful result - it looked like the middlebox /
NAT I was behind blocked non-DNS on TCP53... and then I looked at the
error message. Chrome was claiming:
The webpage at http://dpraved.snozzages.com:53/ might be temporarily
down or it may have moved permanently to a new web address.
Error code: ERR_UNSAFE_PORT

Odd. So I tried it in Safari, and got:
Not allowed to use restricted network port (WebKitErrorDomain:103)

Apparently browsers prevent you from browsing to some subset of ports
for some security reason (which I haven't bothered looking into). You
can override this behavior by passing some flags to the browser on the
CLI, or just use lynx, curl or wget...

Anyway, if you would like to test and see if your CPE / NAT /
middlebox futzes with non-DNS traffic on port 53, run something like:

curl http://dpraved.snozzages.com:53

Please report back the results if you do test. I think having some
data on how well things like TLS will traverse CPE on port 53 will be
useful / interesting...

W

[0]: I decided to attend an IEEE meeting to see what they are like. I
ended up playing with dprive testing and learning 'docker'. Make of
that what you will :-)
Actually, so far it has been really interesting, and they too have cookies...

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy


Re: [dns-privacy] A depraved test

2015-01-12 Thread Paul Hoffman
On Jan 12, 2015, at 7:31 PM, Warren Kumari war...@kumari.net wrote:
> Please report back the results if you do test. I think having some
> data on how well things like TLS will traverse CPE on port 53 will be
> useful / interesting...

If that's what you want, then you need to run TLS on that port, not HTTP. You 
apparently aren't doing that, so people getting negative results will think 
that they are being blocked when in fact you set the test up incorrectly.

It is great that people want to do tests. Can we maybe agree to the test 
methodology before people start saying this shows that doesn't work?

--Paul Hoffman
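A probe that tests what Paul asks for (a TLS handshake on the port, rather than an HTTP GET), added here as an example and not code from either poster. The names tls_probe, fake_http_on_port and closed_loopback_port are assumptions, and the fake listener is constructed to stand in for an HTTP-only server like the one described, to show why such a server cannot answer the "does TLS traverse port 53" question.

```python
import socket
import ssl
import sys
import threading

def tls_probe(host, port, timeout=5.0):
    """TCP-connect to host:port, then attempt a TLS handshake.

    Returns a coarse verdict so that "the path blocks TCP on this port"
    can be told apart from "something answered, but not with TLS"
    (an HTTP server, or a middlebox that only speaks DNS on port 53).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only ask whether a handshake completes,
    ctx.verify_mode = ssl.CERT_NONE  # not whether the certificate is trusted
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"             # RST to our SYN: nothing listening, or an active block
    except socket.timeout:
        return "timeout"             # SYN silently dropped somewhere on the path
    except OSError:
        return "connect-error"       # e.g. name resolution or routing failure
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok " + (tls.version() or "")
        except ssl.SSLError:
            return "tls-fail"        # connected, but the peer did not speak TLS
        except OSError:
            return "reset-during-handshake"

def fake_http_on_port():
    """Constructed stand-in for an HTTP-only listener: answers every
    connection with a plain HTTP response. Returns (port, stop_callable)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # listening socket closed: shut down
            with conn:
                conn.recv(4096)      # swallow the TLS ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close

def closed_loopback_port():
    """Pick a loopback port with nothing listening (for the 'refused' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    # usage: python probe.py dpraved.snozzages.com 53
    print(tls_probe(sys.argv[1], int(sys.argv[2])))
```

Run it against the real hostname on port 53 only after a TLS listener is actually bound there; against an HTTP listener the verdict is "tls-fail" regardless of what the CPE does.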