i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this. what are other roaming folk doing about this? randy
On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.
what are other roaming folk doing about this?
randy
I typically VPN out of broken networks whenever possible. Operate a VPN/PPTP/IPSEC/squid-proxy/ssh on tcp/80/443 to work around the issues. - Jared
Jared Mauch wrote:
On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.
what are other roaming folk doing about this?
randy
I typically VPN out of broken networks whenever possible.
Operate a VPN/PPTP/IPSEC/squid-proxy/ssh on tcp/80/443 to work around the issues.
Yep... On Windows laptop, a wrapper .bat sets up Putty (SSH) to configure a tunnel to a remote server, and for FBSD, an sh script with the SSH command line within. Depending on the situation, the tunnel may handle all core protocols, even 587 when it has been hijacked/blocked. Steve
On Fri, 12 Feb 2010 17:32:33 -0500 Jared Mauch <jared@puck.nether.net> wrote:
On Feb 12, 2010, at 5:15 PM, Randy Bush wrote:
i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.
what are other roaming folk doing about this?
randy
I typically VPN out of broken networks whenever possible.
Operate a VPN/PPTP/IPSEC/squid-proxy/ssh on tcp/80/443 to work around the issues.
- Jared
Yep, this is what I do as well. It's a little disappointing that you have to tunnel into a trusted network in order to prevent shenanigans like that, but it seems to be the way things are. -- Bill Thompson BillT@Mahagonny.com
On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush <randy@psg.com> wrote:
i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.
what are other roaming folk doing about this?
randy
ssh tunnels to IP address -- http://neon-buddha.net
Jim Richardson wrote:
On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush <randy@psg.com> wrote:
i just lost ten minutes debugging what i thought was a server problem which turned out to be a dns trapper on the wireless in the changi sats lounge. this is not the first time i have been caught by this.
what are other roaming folk doing about this?
randy
ssh tunnels to IP address
I sent this directly to Randy, but perhaps there are others who are interested in doing this as well. For the archives (and my own documentation):

My DNS server doesn't listen on localhost (a prereq), so I'll use submit port instead:

# on the roaming laptop (hereinafter 'client')
# -f == run in background
# steve@host is the submit server
# -L means map this port "587:" to "remote-host:port"
# -N means do not execute remote command

client# ssh -f steve@208.70.104.210 -L 587:208.70.104.210:587 -N

...now I tell my local resolver (or in this case, my MUA) to use localhost instead of the normal remote host. Note that I generally use the standard ports on my localhost for this mapping. Doing so will not work for things like HTTP etc, as we are focused squarely on accessing resources located on our own equipment...

...SSH tunnelling even works over v6. The colon-separated address isn't handled well within the port-mapping portion of the command, so we'll use names instead:

pearl# dig aaaa smtp.ibctech.ca
smtp.ibctech.ca.        3598    IN      AAAA    2607:f118::b6
...

client# ssh -6 -f steve@smtp.ibctech.ca -L 587:smtp.ibctech.ca:587 -N

server# tcpdump -n -i lo0 port 587

client# telnet ::1 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 smtp.ibctech.ca ESMTP

server# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
19:01:20.529444 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: S 4152936854:4152936854(0) win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3135691171 0>
19:01:20.529497 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: S 3425118408:3425118408(0) ack 4152936855 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 322067125 3135691171>
19:01:20.529532 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 1 win 8211 <nop,nop,timestamp 3135691171 322067125>
19:01:20.535727 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: P 1:28(27) ack 1 win 8211 <nop,nop,timestamp 322067131 3135691171>
19:01:20.635335 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 28 win 8211 <nop,nop,timestamp 3135691277 322067131>

...I love easy workarounds. I got sick and tired of fscking around a long time ago with troubleshooting blocked/hijacked ports, so I thought I'd bypass the problem by hijacking and re-routing the ports myself. Port tunnelling like this is my default whenever I'm not at home. Even on Windows it's easy...all my apps are portable.

Steve
On 12/02/2010 22:35, Jim Richardson wrote:
what are other roaming folk doing about this? ssh tunnels to IP address
Just to add that openssh and putty both provide a SOCKS proxy which some might find more straightforward to use for multiple protocols.

$ ssh -D 1080 myserver.example.net

and then point your browser/MUA/etc at localhost:1080 (there's possibly a SOCKS option to tick, somewhere). Connections will then tunnel to and emerge from myserver.example.net.

HTH,

p.s. and for more proxy fun, try the FoxyProxy extension for Firefox if you have a few of these to juggle.

-- Oliver Gorwits, Network and Telecommunications Group, Oxford University Computing Services
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or is there a reason that's unacceptable?
smb whacked me that i should use non-tcp tunnels.
randy
-- Jason 'XenoPhage' Frisvold XenoPhage0@gmail.com http://blog.godshell.com
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or is there a reason that's unacceptable?
How does that help? It still sends port 53 requests to the authorities, which will be intercepted. -- TTFN, patrick
smb whacked me that i should use non-tcp tunnels.
randy
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
How does that help? It still sends port 53 requests to the authorities, which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers? Well, in either case, another option would be to use something like openvpn, cisco vpn, etc. with very limited routes. Set it up so only your dns traffic is sent over the tunnel. Then you can still use the local network, crappy as it may be, without having to deal with the added overhead of ssh and the like.
On Feb 14, 2010, at 12:53 PM, Jason Frisvold wrote:
On Feb 14, 2010, at 12:42 PM, Patrick W. Gilmore wrote:
How does that help? It still sends port 53 requests to the authorities, which will be intercepted.
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers?
While I admit I have not read every post in the thread, I note the subject line. :)
Well, in either case, another option would be to use something like openvpn, cisco vpn, etc. with very limited routes. Set it up so only your dns traffic is sent over the tunnel. Then you can still use the local network, crappy as it may be, without having to deal with the added overhead of ssh and the like.
ISTM Randy's comment about SSH tunnels would have the same effect. -- TTFN, patrick
Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers?
Both, probably. Hotel networks often intercept all port 53 traffic not out of malice, but so that they won't get support calls from people whose PCs have poorly configured DNS often pointing at caches that won't accept requests from random places. Of course, once they do that, it's hard to resist the pressure from the marketers to Enhance their User Experience. R's, John
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or is there a reason that's unacceptable?
How does that help? It still sends port 53 requests to the authorities, which will be intercepted.
I don't have access to a trustable network to tunnel to. (Or at least I don't know how to.) I wish some entrepreneur would start a subscription service to provide honest DNS (and maybe authenticated outbound email) that I could point to regardless of to where I may have wandered.

-- "Government big enough to supply everything you need is big enough to take everything you have." Remember: The Ark was built by amateurs, the Titanic by professionals. Requiescas in pace o email Ex turpi causa non oritur actio Eppure si rinfresca ICBM Targeting Information: http://tinyurl.com/4sqczs http://tinyurl.com/7tp8ml
Larry Sheldon(LarrySheldon@cox.net)@Sun, Feb 14, 2010 at 11:54:25AM -0600:
On 2/14/2010 11:42 AM, Patrick W. Gilmore wrote:
On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or is there a reason that's unacceptable?
How does that help? It still sends port 53 requests to the authorities, which will be intercepted.
I don't have access to a trustable network to tunnel to. (Or at least I don't know how to.)
http://www.cotse.net/ provides that kind of service at a pretty reasonable price. I have no financial interest in that service. I know the guy who runs it, and I've used the service before and been really happy with it. -- Bill Weiss
While not covering all apps you may want to use, it does work for at least Firefox when web browsing (works on non-windows too) when using an ssh socks proxy:

Go to the address about:config
filter for "dns"
toggle "network.proxy.socks_remote_dns" to "true"

and then firefox will send its own DNS queries over the socks proxy.

-----Original Message-----
From: Patrick W. Gilmore [mailto:patrick@ianai.net]
Sent: Sunday, February 14, 2010 11:42 AM
To: North American Network Operators Group
Subject: Re: dns interceptors

On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
You can always run your own local resolver... Or is there a reason that's unacceptable?
How does that help? It still sends port 53 requests to the authorities, which will be intercepted. -- TTFN, patrick
smb whacked me that i should use non-tcp tunnels.
randy
On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
smb whacked me that i should use non-tcp tunnels.
Their network, their rules; your network, your rules; my network, my rules. If you visit lots of funky places, it's probably time to learn about tunnelling protocols. If you don't like their network rules, tunnel to a different network with rules you prefer. Ports 80/443 seem to work as the universal tunnelling ports, along with SSH, VPN, PPTP, IPnIP/IPSEC, etc. Sometimes proxy-tunnel software which encapsulates packets inside HTTP works. AOL and SKYPE seem to successfully tunnel through a lot of stuff. Of course, if you are on a network which doesn't want to allow tunnels, e.g. an internal enterprise network, you may not want to do that. Per-application stuff works sometimes (DNSSEC/TSIG-forwarders, HTTPS, etc), but when allowed I immediately create a tunnel and don't spend time debugging local networks. Some people always use tunnels even when using networks such as the NANOG or IETF conference networks.
In message <alpine.GSO.2.00.1002141746410.9929@clifden.donelan.com>, Sean Donelan writes:
On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
smb whacked me that i should use non-tcp tunnels.
Their network, their rules; your network, your rules; my network, my rules.
There are also "truth in advertising" laws. If they advertise "Internet" access then you should get the "Internet" not a cut down / filtered version.

Mark
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Feb 14, 2010, at 6:54 PM, Mark Andrews wrote:
In message <alpine.GSO.2.00.1002141746410.9929@clifden.donelan.com>, Sean Donelan writes:
On Sun, 14 Feb 2010, Randy Bush wrote:
ssh tunnels to IP address
i am often on funky networks in funky places. e.g. the wireless in changi really sucked friday night. if i ssh tunneled, it would multiply the suckiness as tcp would have puked at the loss rate.
smb whacked me that i should use non-tcp tunnels.
Their network, their rules; your network, your rules; my network, my rules.
There are also "truth in advertising" laws. If they advertise "Internet" access then you should get the "Internet" not a cut down / filtered version.
Yes -- and as a reward for your expertise, you get to explain the problem with a transparent DNS proxy to the judge. For bonus points, explain it to a jury.... --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Sun, 14 Feb 2010 18:59:56 EST, Steven Bellovin said:
Yes -- and as a reward for your expertise, you get to explain the problem with a transparent DNS proxy to the judge. For bonus points, explain it to a jury....
The transparent DNS proxies aren't the problem. It's the translucent ones of undetermined opacity that just don't respond to cleaning with Windex that are the problem...
On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote:
>i just lost ten minutes debugging what i thought was a server problem
>which turned out to be a dns trapper on the wireless in the changi sats
>lounge. this is not the first time i have been caught by this.

What's a "dns trapper" ?

-Alex

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
What's a "dns trapper" ?
A "transparent" proxy that intercepts DNS requests and provides edited results intended to improve your customer experience, typically defined as returning A records for web servers full of advertisements when you were expecting something else. The unfortunate fact is that if you're using random networks, you'll get increasingly random results, and there's no substitute for a tunnel back to a known network. R's, John
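As an added example (not part of the thread, not anyone's posted code): a small Python probe that checks for the two behaviours John describes, answers being rewritten and port 53 being grabbed regardless of destination, by sending one query to the network's resolver and the same query to a host of your own that runs no DNS server. The address of that silent host and of the resolver are inputs you supply; the fake_reply helper builds constructed packets so the parsing logic can be exercised offline.

```python
"""Probe for a DNS interceptor ("dns trapper") by what it answers.
Probe 1: a name under the reserved .invalid TLD; an honest resolver says
NXDOMAIN, a rewriting proxy hands back an A record for its ad page.
Probe 2: the same query sent to a host of yours that runs no DNS server;
normally it times out, a proxy grabbing all port-53 traffic answers anyway.
"""
import socket
import struct

def build_query(name, txid=0x1234, qtype=1):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [IPv4 addresses found in the answer section])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rcls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def probe(server_ip, name, timeout=2.0):
    """Send one query over UDP; return raw reply bytes, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            return s.recvfrom(512)[0]
        except socket.timeout:
            return None

def analyze(nxdomain_reply, silent_host_reply):
    """Turn the two probe results into a list of findings (empty = clean)."""
    findings = []
    if nxdomain_reply is not None:
        rcode, addrs = parse_response(nxdomain_reply)
        if rcode == 0 and addrs:
            findings.append("rewriting: nonexistent name answered with " + ", ".join(addrs))
    if silent_host_reply is not None:
        findings.append("interception: a host running no DNS server answered on port 53")
    return findings

def fake_reply(name, rcode, addrs=()):
    """Constructed reply (not captured traffic) so the parser can be tested offline."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + build_query(name)[12:] + rrs
```

On a live network, call analyze(probe(RESOLVER, name), probe(SILENT_HOST, name)) with a fresh random label under .invalid as name; an empty list means neither sign of interception was seen.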
Transparent dns rewriter inline on the network

On 2/12/10, Wilkinson, Alex <alex.wilkinson@dsto.defence.gov.au> wrote:
On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote:
>i just lost ten minutes debugging what i thought was a server problem
>which turned out to be a dns trapper on the wireless in the changi sats
>lounge. this is not the first time i have been caught by this.
What's a "dns trapper" ?
-Alex
-- Brandon Galbraith Mobile: 630.400.6992 FNAL: 630.840.2141
On Sat, 13 Feb 2010 12:02:48 +0800, "Wilkinson, Alex" said:
IMPORTANT: This email remains the property of the Australian Defence Organisation
Have fun trying to enforce that after posting to a public mailing list in North America, with recipients all over the world. Care to cite any relevant legal basis for the claim that would hold outside Australia?
If you have received this email in error, you are requested to contact the sender and delete the email.
Consider yourself notified, as obviously you sent it to the NANOG list in error if you thought you were retaining ownership of the mail. Are you planning to reimburse us all for the costs of making sure that mail is *really* deleted so a forensics expert can't recover it, off every single mail server it hit along the way? I wonder if the Australian legal system has the concept of "overwarning"...
On February 13, 2010 at 12:12 Valdis.Kletnieks@vt.edu (Valdis.Kletnieks@vt.edu) wrote:
On Sat, 13 Feb 2010 12:02:48 +0800, "Wilkinson, Alex" said:
IMPORTANT: This email remains the property of the Australian Defence Organisation
Have fun trying to enforce that after posting to a public mailing list in North America, with recipients all over the world. Care to cite any relevant legal basis for the claim that would hold outside Australia?
I know I'm an idiot to respond to this BUT part of the implication of copyright ownership is: A) that the text is protected specifically BECAUSE it is or will be published. So why would publishing it work against that? Posting it to a public mailing list would seem to imply some agreement to free redistribution, archiving, etc. but that's only a small subset of rights under copyright which leads me to... B) One aim is that the text is not defaced. Imagine I took the quotation above from your note and inserted expletives, perhaps racist epithets, keeping the indication that it was your text I was quoting. Do you believe you would have a complaint? What if doing that got you fired or otherwise harmed you in a reasonably measurable way. Now, how could you follow up on a complaint without some notion that those original words were at some point owned by you? Etc. IANAL, but it doesn't strike me as half as preposterous as you say. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
I like Ben Goldacre's take on stupid email disclaimers: "READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. If you are anything other than a friend or an institutional professional colleague and you are writing to me about Bad Science stuff then it is reasonable to assume that I might quote our discussion in my writing, usually anonymously." http://bengoldacre.posterous.com/ Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD.
IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
you have sent a message to me which seems to contain a legal warning on who can read it, or how it may be distributed, or whether it may be archived, etc. i do not accept such email. my mail user agent detected a legal notice when i was opening your mail, and automatically deleted it. so do not expect further response. yes, i know your mail environment automatically added the legal notice. well, my mail environment automatically detected it, deleted it, and sent this message to you. so don't expect a lot of sympathy. and if you choose to work for some enterprise clueless enough to think that they can force this silliness on the world, use gmail, hotmail, ... randy
IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
NOTICE: This communication may contain confidential and/or privileged information. If you are not the intended recipient, or believe that you have received this communication in error you are obligated to kill yourself and anyone else who may have read it, not necessarily in that order. So there. My disclaimer is scarier than yours. Nyaah. You started this silly nonsense. Knock it off and I will too, ok? It's worthless from a legal standpoint and is responsible for the needless suffering of billions of innocent electrons. Nobody reads it anyway. You're not actually reading this, are you? I didn't think so. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay@impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV