firefox will send
its own DNS queries over the socks proxy.
-Original Message-
From: Patrick W. Gilmore [mailto:patr...@ianai.net]
Sent: Sunday, February 14, 2010 11:42 AM
To: North American Network Operators Group
Subject: Re: dns interceptors
On Feb 14, 2010, at 12:37 PM, Jason Fri
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said:
> Yes -- and as a reward for your expertise, you get to explain the
> problem with a transparent DNS proxy to the judge. For bonus points,
> explain it to a jury
The transparent DNS proxies aren't the problem. It's the translucent ones
I like Ben Goldacre's take on stupid email disclaimers:
"READ CAREFULLY. By reading this email, you agree, on behalf of your
employer, to release me from all obligations and waivers arising from any
and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap,
clickwrap, browsewrap, c
On 15.02.2010 at 04:29, Randy Bush wrote:
> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names? or does it just wantonly trust
> anyone under that ca?
Any cert signed by that CA. Use --client-config-dir to limit which CNs are
acceptable,
Randy,
pem format.
>> having probs with certs, i.e. what --outform it wants.
> They are just normal certs
just normal certs can be text, pem, der, ...
randy
>> having probs with certs, i.e. what --outform it wants. not finding in
>> docs. tried raw, but now guessing pem. same for client and server
> Use the easy-rsa stuff and it will do all the hard work for you.
> http://openvpn.net/index.php/open-source/documentation/howto.html
we have a pki we k
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush wrote:
> end user to network
>
> having probs with certs, i.e. what --outform it wants. not finding in
> docs. tried raw, but now guessing pem. same for client and server
Use the easy-rsa stuff and it will do all the hard work for you.
http://openvp
Yes. Easy rsa is the way to go.
They are normal certs. Check the scripts if you want to roll your own openssl
wrapper scripts.
--Original Message--
From: Larry Brower
To: nanog@nanog.org
Subject: Re: dns interceptors
Sent: Feb 14, 2010 7:44 PM
Randy Bush wrote:
> end user to netw
end user to network

having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server

server
  ca.crt
  server.crt
  server.key

client
  ca.crt
  client.crt
  client.key

and i presume i have to dump all client.crt files in
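The question above (which --outform, and whether every client.crt has to be copied to the server), together with the replies elsewhere in this thread that any cert signed by the CA is accepted, that --client-config-dir limits which CNs get in, and that the certs are plain PEM you can make with your own openssl wrapper, worked through as an added example. This is not code from any post in the thread or from easy-rsa; the CNs "vpn-server" and "randy-laptop", the 10.8.0.0/24 tunnel subnet and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. A minimal OpenVPN PKI
# with plain openssl (what easy-rsa wraps), and a server config that accepts
# any certificate signed by ca.crt but only for CNs listed in the ccd directory.
# Assumed by this example: CNs "vpn-server" and "randy-laptop", tunnel subnet
# 10.8.0.0/24, and a scratch directory passed as the first argument.
set -u

# csr DIR NAME CN: new RSA key and request. Everything here is PEM, which is
# openssl's default -outform and what OpenVPN's --ca/--cert/--key read.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
}

# sign DIR NAME: issue NAME.crt from NAME.csr with the CA, extensions from NAME.ext
sign() {
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -outform PEM -out "$1/$2.crt"
}

make_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA: self-signed, CA:TRUE. ca.key stays off the VPN server; only ca.crt goes there.
    csr "$dir" ca "My VPN CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -outform PEM -out "$dir/ca.crt"
    # server: EKU serverAuth, so clients can insist on it with --remote-cert-tls server
    csr "$dir" server vpn-server
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    printf 'extendedKeyUsage=serverAuth\n' >> "$dir/server.ext"
    sign "$dir" server
    # client: EKU clientAuth, which server.conf below demands with remote-cert-tls client
    csr "$dir" client randy-laptop
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > "$dir/client.ext"
    printf 'extendedKeyUsage=clientAuth\n' >> "$dir/client.ext"
    sign "$dir" client
}

# write_server_conf DIR PORT PROTO. No client.crt is ever copied to the server:
# the CA signature is the credential. ccd-exclusive then refuses any CN that has
# no file under ccd/, which is how --client-config-dir limits acceptable CNs.
# udp avoids TCP-over-TCP on lossy links; "443 tcp" is the hide-in-HTTPS option.
write_server_conf() {
    dir=$1; port=$2; proto=$3
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
port $port
proto $proto
dev tun
topology subnet
ca ca.crt
cert server.crt
key server.key
# generate once with: openssl dhparam -out dh.pem 2048 (slow, so not done here)
dh dh.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
ccd-exclusive
remote-cert-tls client
EOF
}

# allow_cn DIR CN: the per-client file may be empty; its existence is the allow-list entry.
allow_cn() {
    mkdir -p "$1/ccd"
    : > "$1/ccd/$2"
}

# verify_chain DIR: the check OpenVPN does at the TLS handshake, by hand
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt"
}

if [ "${1:-}" = run ]; then
    make_pki "$2"
    write_server_conf "$2" 1194 udp
    allow_cn "$2" randy-laptop
    verify_chain "$2"
fi
```

Run as `sh pki.sh run ./pki`. What ends up where matches the layout in the question: the server gets ca.crt, server.crt, server.key (and dh.pem), the client gets ca.crt, client.crt, client.key, and the server never sees client.crt. Revoke a laptop by deleting its ccd file (immediate, because of ccd-exclusive) and, properly, by putting it on a CRL handed to --crl-verify.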
l it's vital for folks to have a deep familiarity with
openvpn and best practices etc.
--Original Message--
From: Randy Bush
To: Charles Wyble
Cc: nanog@nanog.org
Subject: Re: dns interceptors
Sent: Feb 14, 2010 7:10 PM
> I run openvpn on my linux box to do exactly that.
i am in the midst of setting up some openvpn servers now, westin,
ashburn, tokyo, but westin first. having problems sorting in what
--outform it wants the bleeping certs.
randy
On Feb 14, 2010, at 6:54 PM, Mark Andrews wrote:
>
> In message , Sean Donelan writes:
>> On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
>>> i am often on funky networks in funky places. e.g. the wireless in
>>> changi really sucked friday night. if i ssh tunneled,
In message , Sean Donelan writes:
> On Sun, 14 Feb 2010, Randy Bush wrote:
> >> ssh tunnels to IP address
> > i am often on funky networks in funky places. e.g. the wireless in
> > changi really sucked friday night. if i ssh tunneled, it would multiply
> > the suckiness as tcp would have puked
>Hrm.. Maybe I misunderstood. Are the packets being intercepted, or
>is the problem the local resolvers?
Both, probably. Hotel networks often intercept all port 53 traffic not
out of malice, but so that they won't get support calls from people whose
PCs have poorly configured DNS often pointing
Larry Sheldon(larryshel...@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600:
> On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
> > On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
> >> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
> >>> i am often on funky networks in funky places. e.g. the wir
I run openvpn on my linux box to do exactly that. Already running
apache/bind/postfix/xmpp with legacy IM bridges so adding openvpn was a logical
next step.
#protip run it on port 443. :) makes it much easier to get around firewalls.
Even with deep packet inspection, SSL traffic is expected o
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote:
> On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
>> How does that help? It still sends port 53 requests to the authorities,
>> which will be intercepted.
>
> Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
> On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
>> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
>>> i am often on funky networks in funky places. e.g. the wireless in
>>> changi really sucked friday night. if i ssh tunneled, it would multip
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
> How does that help? It still sends port 53 requests to the authorities,
> which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the
problem the local resolvers?
Well, in either case, another
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
> On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
>> i am often on funky networks in funky places. e.g. the wireless in
>> changi really sucked friday night. if i ssh tunneled, it would multiply
>> the suckiness as tcp would have puked at the los
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
> i am often on funky networks in funky places. e.g. the wireless in
> changi really sucked friday night. if i ssh tunneled, it would multiply
> the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... O
On Sat, 13 Feb 2010 17:53:19 EST, Dean Anderson said:
(One of these days, somebody will find a way to correct things for the benefit
of those googling and reading the thread in the list archives in the future,
without feeding the trolls)
> Robert Bonomi appears to have no valid premise of first s
IMPORTANT: This email remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
CRIMES ACT 1914. If you have received this email in error, you are
requested to contact the sender and delete the email.
NOTICE: This communication may co
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the
> CRIMES ACT 1914. If you have received this email in error, you are
> requested to contact the sender and delete the email.
you have sent a message to me
> ssh tunnels to IP address
i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the suckiness as tcp would have puked at the loss rate.
smb whacked me that i should use non-tcp tunnels.
randy
[ getting afield from 'operational' issues, off-list responses recommended ]
> From: Barry Shein
> Date: Sat, 13 Feb 2010 13:43:17 -0500
> Subject: Re: dns interceptors [SEC=UNCLASSIFIED]
>
> On February 13, 2010 at 12:12 valdis.kletni...@vt.edu
> (valdis.kletni..
On February 13, 2010 at 12:12 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu)
wrote:
> On Sat, 13 Feb 2010 12:02:48 +0800, "Wilkinson, Alex" said:
>
> > IMPORTANT: This email remains the property of the Australian Defence
> > Organisation
>
> Have fun trying to enforce that after post
On Sat, 13 Feb 2010 12:02:48 +0800, "Wilkinson, Alex" said:
> IMPORTANT: This email remains the property of the Australian Defence
> Organisation
Have fun trying to enforce that after posting to a public mailing list
in North America, with recipients all over the world. Care to cite any
relevan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/02/2010 22:35, Jim Richardson wrote:
>> what are other roaming folk doing about this?
> ssh tunnels to IP address
Just to add that openssh and putty both provide a SOCKS proxy which
some might find more straightforward to use for multiple protoc
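The SOCKS route mentioned here, and the remark at the top of the page that Firefox sends its own DNS queries over the SOCKS proxy, as an added example that is not code from any post in the thread. The caveat a practitioner wants: Firefox only does that once network.proxy.socks_remote_dns is set; with the default (false) the browser still resolves names on the local LAN and the trapper still sees every lookup. The host vpn.example.net, port 1080, the profile path and the interface name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from any post in this thread: a SOCKS5 tunnel with OpenSSH's
# -D and the Firefox preference that pushes name resolution through it.
# Assumed here: ssh reachable at vpn.example.net, local listener on 127.0.0.1:1080.
set -u

# start_socks USER@HOST [PORT]: local SOCKS5 listener. -N runs no remote command.
# This rides on TCP, so the TCP-over-TCP penalty on lossy links applies to it too.
start_socks() {
    port=${2:-1080}
    ssh -N -D "127.0.0.1:$port" "$1"
}

# write_firefox_prefs PROFILE_DIR [PORT]: user.js is read at every start and
# overrides prefs.js. socks_remote_dns=true is the line that matters: without it
# Firefox resolves names itself, on the hostile network, before using the proxy.
write_firefox_prefs() {
    profile=$1; port=${2:-1080}
    mkdir -p "$profile"
    cat > "$profile/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $port);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# curl_via_socks URL [PORT]: --socks5-hostname (not --socks5) hands the hostname
# to the proxy, so the lookup happens at the far end of the tunnel.
curl_via_socks() {
    port=${2:-1080}
    curl -sS --socks5-hostname "127.0.0.1:$port" "$1"
}

# watch_dns_leaks IFACE: while browsing through the proxy this should stay silent;
# any packet shown is a lookup that escaped to the local network.
watch_dns_leaks() {
    tcpdump -ni "$1" udp port 53
}

if [ "${1:-}" = run ]; then
    write_firefox_prefs "$2" 1080
    start_socks "${3:-user@vpn.example.net}" 1080
fi
```

Run as `sh socks.sh run ~/.mozilla/firefox/xxxx.default user@vpn.example.net`, start Firefox, and keep `watch_dns_leaks` running on the wireless interface in another terminal; PuTTY's "Dynamic" port forward gives the same listener on Windows, and the Firefox side is identical.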
Transparent dns rewriter inline on the network
On 2/12/10, Wilkinson, Alex wrote:
>
> On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote:
>
> >i just lost ten minutes debugging what i thought was a server problem
> >which turned out to be a dns trapper on the wireless in the c
>What's a "dns trapper" ?
A "transparent" proxy that intercepts DNS requests and provides edited
results intended to improve your customer experience, typically
defined as returning A records for web servers full of advertisements
when you were expecting something else.
The unfortunate fact is tha
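Telling the two behaviours apart, the interception of all port 53 traffic described higher up the page and the rewriting just defined, as an added example that is not code from any post in the thread. It sends one query to 192.0.2.1 (RFC 5737 TEST-NET-1, never routed, so any reply can only have been forged by something in the path) and one for a name under .invalid (RFC 2606, can never resolve, so any answer is rewriting); both address choices, the dig flags and the sample outputs are mine. Comparing a public resolver against the local one proves nothing on such a network, since both get intercepted; the unroutable address is what makes the first probe conclusive.

```shell
#!/bin/sh
# Added example, not from any post in this thread: two dig probes that tell a
# DNS "trapper" apart from a merely bad resolver, plus a parser for dig's output
# so the verdict can be scripted. Assumed: dig is installed; 192.0.2.1 and
# .invalid are the reserved values chosen for the probes.
set -u

# classify DIGOUT: reads the stdout of "dig +noall +comments +answer" and prints
#   NORESPONSE       no header at all (timed out: nothing answered for that IP)
#   NXDOMAIN         honest negative answer
#   ANSWERED:<n>     NOERROR with <n> answer records
#   OTHER:<status>   SERVFAIL, REFUSED, ...
classify() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$status" ] || { echo NORESPONSE; return 0; }
    # answer records are the lines that are not ';' comments
    n=$(printf '%s\n' "$1" | grep -v '^;' | grep -c '[^[:space:]]' || true)
    case $status in
        NOERROR)  echo "ANSWERED:$n" ;;
        NXDOMAIN) echo NXDOMAIN ;;
        *)        echo "OTHER:$status" ;;
    esac
}

# probe SERVER NAME: one query, short timeout; dig's timeout text also lands on stdout
probe() {
    dig +noall +comments +answer +time=2 +tries=1 "@$1" "$2" A 2>&1 || true
}

# verdict UNROUTABLE_RESULT INVALID_RESULT: combine the two classifications
verdict() {
    case $1 in
        NORESPONSE) echo "port 53 not intercepted (unroutable resolver stayed silent)" ;;
        *)          echo "port 53 INTERCEPTED: $1 came back from an unroutable address" ;;
    esac
    case $2 in
        NXDOMAIN)   echo "no NXDOMAIN rewriting" ;;
        ANSWERED:*) echo "NXDOMAIN REWRITING: a .invalid name got an answer ($2)" ;;
        *)          echo "inconclusive for rewriting: $2" ;;
    esac
}

# check_network [RESOLVER]: defaults to the resolver the hotel handed out via DHCP
check_network() {
    resolver=${1:-$(awk '/^nameserver/{print $2; exit}' /etc/resolv.conf)}
    a=$(classify "$(probe 192.0.2.1 example.com)")
    b=$(classify "$(probe "$resolver" no-such-host.invalid)")
    verdict "$a" "$b"
}

# Constructed sample outputs (not captured from a real network) for offline checks
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_FORGED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
no-such-host.invalid.   60   IN   A   192.0.2.10'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

if [ "${1:-}" = run ]; then check_network "${2:-}"; fi
```

Run as `sh trapper.sh run` on the suspect wireless. A clean network prints "not intercepted" and "no NXDOMAIN rewriting"; the lounge network in the thread would print INTERCEPTED for the first probe and, if it also sells advertising, REWRITING for the second. The same classify function works on any dig output, so it can be pointed at a DNS-over-TLS or VPN-side resolver afterwards to confirm the fix.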
On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote:
>i just lost ten minutes debugging what i thought was a server problem
>which turned out to be a dns trapper on the wireless in the changi sats
>lounge. this is not the first time i have been caught by this.
What's a "d
On Fri, 12 Feb 2010 17:32:33 -0500
Jared Mauch wrote:
>
> On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
>
> > i just lost ten minutes debugging what i thought was a server
> > problem which turned out to be a dns trapper on the wireless in the
> > changi sats lounge. this is not the first tim
Jim Richardson wrote:
> On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush wrote:
>> i just lost ten minutes debugging what i thought was a server problem
>> which turned out to be a dns trapper on the wireless in the changi sats
>> lounge. this is not the first time i have been caught by this.
>>
>> wh
Jared Mauch wrote:
> On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
>
>> i just lost ten minutes debugging what i thought was a server problem
>> which turned out to be a dns trapper on the wireless in the changi sats
>> lounge. this is not the first time i have been caught by this.
>>
>> what ar
On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush wrote:
> i just lost ten minutes debugging what i thought was a server problem
> which turned out to be a dns trapper on the wireless in the changi sats
> lounge. this is not the first time i have been caught by this.
>
> what are other roaming folk doi
On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
> i just lost ten minutes debugging what i thought was a server problem
> which turned out to be a dns trapper on the wireless in the changi sats
> lounge. this is not the first time i have been caught by this.
>
> what are other roaming folk doing