RE: dns interceptors

2010-02-18 Thread Justin Krejci
queries over the socks proxy. -Original Message- From: Patrick W. Gilmore [mailto:patr...@ianai.net] Sent: Sunday, February 14, 2010 11:42 AM To: North American Network Operators Group Subject: Re: dns interceptors On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-15 Thread Tony Finch
I like Ben Goldacre's take on stupid email disclaimers: READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap,

Re: dns interceptors

2010-02-15 Thread Valdis . Kletnieks
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said: Yes -- and as a reward for your expertise, you get to explain the problem with a transparent DNS proxy to the judge. For bonus points, explain it to a jury The transparent DNS proxies aren't the problem. It's the translucent ones

Re: dns interceptors

2010-02-14 Thread Jason Frisvold
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate. You can always run your own local resolver... Or

Re: dns interceptors

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss

Re: dns interceptors

2010-02-14 Thread Jason Frisvold
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote: How does that help? It still sends port 53 requests to the authorities, which will be intercepted. Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers? Well, in either case, another

Re: dns interceptors

2010-02-14 Thread Larry Sheldon
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote: On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the

Re: dns interceptors

2010-02-14 Thread Patrick W. Gilmore
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote: On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote: How does that help? It still sends port 53 requests to the authorities, which will be intercepted. Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the

Re: dns interceptors

2010-02-14 Thread charles
I run openvpn on my linux box to do exactly that. Already running apache/bind/postfix/xmpp with legacy IM bridges so adding openvpn was a logical next step. #protip run it on port 443. :) makes it much easier to get around firewalls. Even with deep packet inspection, SSL traffic is expected

Re: dns interceptors

2010-02-14 Thread Bill Weiss
Larry Sheldon(larryshel...@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600: On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote: On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote: On Feb 13, 2010, at 4:58 PM, Randy Bush wrote: i am often on funky networks in funky places. e.g. the wireless in

Re: dns interceptors

2010-02-14 Thread John Levine
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers? Both, probably. Hotel networks often intercept all port 53 traffic not out of malice, but so that they won't get support calls from people whose PCs have poorly configured DNS often pointing

Re: dns interceptors

2010-02-14 Thread Randy Bush
I run openvpn on my linux box to do exactly that. i am in the midst of setting up some openvpn servers now, westin, ashburn, tokyo, but westin first. having problems sorting in what --outform it wants the bleeping certs. randy

Re: dns interceptors

2010-02-14 Thread charles
vital for folks to have a deep familiarity with openvpn and best practices etc. --Original Message-- From: Randy Bush To: Charles Wyble Cc: nanog@nanog.org Subject: Re: dns interceptors Sent: Feb 14, 2010 7:10 PM I run openvpn on my linux box to do exactly that. i am in the midst

Re: dns interceptors

2010-02-14 Thread Randy Bush
end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server server ca.crt server.crt server.key client ca.crt client.crt client.key and i presume i have to dump all client.crt files

Re: dns interceptors

2010-02-14 Thread Larry Brower
Randy Bush wrote: end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server server ca.crt server.crt server.key client ca.crt client.crt client.key and i presume i have to dump

Re: dns interceptors

2010-02-14 Thread charles
Yes. Easy rsa is the way to go. They are normal certs. Check the scripts if you want to roll your own openssl wrapper scripts. --Original Message-- From: Larry Brower To: nanog@nanog.org Subject: Re: dns interceptors Sent: Feb 14, 2010 7:44 PM Randy Bush wrote: end user to network

Re: dns interceptors

2010-02-14 Thread Scott Howard
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush ra...@psg.com wrote: end user to network having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server Use the easy-rsa stuff and it will do all the hard work for you.

Re: dns interceptors

2010-02-14 Thread Randy Bush
having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server Use the easy-rsa stuff and it will do all the hard work for you. http://openvpn.net/index.php/open-source/documentation/howto.html we have a pki we know

Re: dns interceptors

2010-02-14 Thread Randy Bush
having probs with certs, i.e. what --outform it wants. They are just normal certs just normal certs can be text, pem, der, ... randy

Re: dns interceptors

2010-02-14 Thread Larry Brower
Randy Bush wrote: just normal certs can be text, pem, der, ... randy Randy, pem format.

Re: dns interceptors

2010-02-14 Thread Stefan Bethke
On 15.02.2010 at 04:29, Randy Bush wrote: and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca? Any cert signed by that CA. Use --client-config-dir to limit which CNs are acceptable,

Re: dns interceptors

2010-02-13 Thread Oliver Gorwits
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/02/2010 22:35, Jim Richardson wrote: what are other roaming folk doing about this? ssh tunnels to IP address Just to add that openssh and putty both provide a SOCKS proxy which some might find more straightforward to use for multiple

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Valdis . Kletnieks
On Sat, 13 Feb 2010 12:02:48 +0800, Wilkinson, Alex said: IMPORTANT: This email remains the property of the Australian Defence Organisation Have fun trying to enforce that after posting to a public mailing list in North America, with recipients all over the world. Care to cite any relevant

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Barry Shein
On February 13, 2010 at 12:12 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) wrote: On Sat, 13 Feb 2010 12:02:48 +0800, Wilkinson, Alex said: IMPORTANT: This email remains the property of the Australian Defence Organisation Have fun trying to enforce that after posting to a

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Robert Bonomi
[ getting afield from 'operational' issues, off-list responses recommended ] From: Barry Shein b...@world.std.com Date: Sat, 13 Feb 2010 13:43:17 -0500 Subject: Re: dns interceptors [SEC=UNCLASSIFIED] On February 13, 2010 at 12:12 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) wrote

Re: dns interceptors

2010-02-13 Thread Randy Bush
ssh tunnels to IP address i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate. smb whacked me that i should use non-tcp tunnels. randy

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Randy Bush
IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. you have sent a message to me

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Jay Hennigan
IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. NOTICE: This communication may

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-13 Thread Valdis . Kletnieks
On Sat, 13 Feb 2010 17:53:19 EST, Dean Anderson said: (One of these days, somebody will find a way to correct things for the benefit of those googling and reading the thread in the list archives in the future, without feeding the trolls) Robert Bonomi appears to have no valid premise of first

Re: dns interceptors

2010-02-12 Thread Jared Mauch
On Feb 12, 2010, at 5:15 PM, Randy Bush wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this. what are other roaming folk doing

Re: dns interceptors

2010-02-12 Thread Jim Richardson
On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush ra...@psg.com wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this. what are other roaming

Re: dns interceptors

2010-02-12 Thread Steve Bertrand
Jared Mauch wrote: On Feb 12, 2010, at 5:15 PM, Randy Bush wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this. what are other

Re: dns interceptors

2010-02-12 Thread Steve Bertrand
Jim Richardson wrote: On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush ra...@psg.com wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.

Re: dns interceptors

2010-02-12 Thread Bill Thompson
On Fri, 12 Feb 2010 17:32:33 -0500 Jared Mauch ja...@puck.nether.net wrote: On Feb 12, 2010, at 5:15 PM, Randy Bush wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-12 Thread Wilkinson, Alex
On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this. What's a dns

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-12 Thread John Levine
What's a dns trapper? A transparent proxy that intercepts DNS requests and provides edited results intended to improve your customer experience, typically defined as returning A records for web servers full of advertisements when you were expecting something else. The unfortunate fact is that if

Re: dns interceptors [SEC=UNCLASSIFIED]

2010-02-12 Thread Brandon Galbraith
Transparent dns rewriter inline on the network On 2/12/10, Wilkinson, Alex alex.wilkin...@dsto.defence.gov.au wrote: On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote: i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns