dns interceptors

i just lost ten minutes debugging what i thought was a server problem
which turned out to be a dns trapper on the wireless in the changi sats
lounge. this is not the first time i have been caught by this.

what are other roaming folk doing about this?

randy

I typically VPN out of broken networks whenever possible.

Operate a VPN/PPTP/IPSEC/squid-proxy/ssh on tcp/80/443 to work around the issues.

- Jared

ssh tunnels to IP address

Jared Mauch wrote:

>> i just lost ten minutes debugging what i thought was a server problem
>> which turned out to be a dns trapper on the wireless in the changi sats
>> lounge. this is not the first time i have been caught by this.
>>
>> what are other roaming folk doing about this?
>>
>> randy
>
> I typically VPN out of broken networks whenever possible.
>
> Operate a VPN/PPTP/IPSEC/squid-proxy/ssh on tcp/80/443 to work around the issues.

Yep...

On Windows laptop, a wrapper .bat sets up Putty (SSH) to configure a
tunnel to a remote server, and for FBSD, an sh script with the SSH
command line within.

Depending on the situation, the tunnel may handle all core protocols,
even 587 when it has been hijacked/blocked.

Steve

Jim Richardson wrote:

>> i just lost ten minutes debugging what i thought was a server problem
>> which turned out to be a dns trapper on the wireless in the changi sats
>> lounge. this is not the first time i have been caught by this.
>>
>> what are other roaming folk doing about this?
>>
>> randy
>
> ssh tunnels to IP address

I sent this directly to Randy, but perhaps there are others who are
interested in doing this as well. For the archives (and my own
documentation):

My DNS server doesn't listen on localhost (a prereq), so I'll use submit
port instead:

# on the roaming laptop (hereinafter 'client')

# -f == run in background
# steve@host is the submit server
# -L means map this port "587:" to "remote-host:port"
# -N means do not execute remote command

client# ssh -f steve@208.70.104.210 -L 587:208.70.104.210:587 -N

...now I tell my local resolver (or in this case, my MUA) to use
localhost instead of the normal remote host. Note that I generally use
the standard ports on my localhost for this mapping. Doing so will not
work for things like HTTP etc, as we are focused squarely on accessing
resources located on our own equipment...

...SSH tunnelling even works over v6. The colon-separated address isn't
handled well within the port-mapping portion of the command, so we'll
use names instead:

pearl# dig aaaa smtp.ibctech.ca
smtp.ibctech.ca. 3598 IN AAAA 2607:f118::b6

...

client# ssh -6 -f steve@smtp.ibctech.ca -L 587:smtp.ibctech.ca:587 -N

server# tcpdump -n -i lo0 port 587

client# telnet ::1 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 smtp.ibctech.ca ESMTP

server#
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
19:01:20.529444 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: S
4152936854:4152936854(0) win 65535 <mss 1440,nop,wscale
3,sackOK,timestamp 3135691171 0>
19:01:20.529497 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: S
3425118408:3425118408(0) ack 4152936855 win 65535 <mss 1440,nop,wscale
3,sackOK,timestamp 322067125 3135691171>
19:01:20.529532 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 1 win
8211 <nop,nop,timestamp 3135691171 322067125>
19:01:20.535727 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: P 1:28(27)
ack 1 win 8211 <nop,nop,timestamp 322067131 3135691171>
19:01:20.635335 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 28
win 8211 <nop,nop,timestamp 3135691277 322067131>

...I love easy workarounds. I got sick and tired of fscking around a
long time ago with troubleshooting blocked/hijacked ports, so I thought
I'd bypass the problem by hijacking and re-routing the ports myself.
Port tunnelling like this is my default whenever I'm not at home. Even
on Windows it's easy...all my apps are portable.

Steve

Yep, this is what I do as well. It's a little disappointing that you
have to tunnel into a trusted network in order to prevent shenanigans
like that, but it seems to be the way things are.

On Sat, Feb 13, 2010 at 06:15:02AM +0800, Randy Bush wrote:

    >i just lost ten minutes debugging what i thought was a server problem
    >which turned out to be a dns trapper on the wireless in the changi sats
    >lounge. this is not the first time i have been caught by this.

What's a "dns trapper"?

   -Alex

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

> What's a "dns trapper"?

A "transparent" proxy that intercepts DNS requests and provides edited
results intended to improve your customer experience, typically
defined as returning A records for web servers full of advertisements
when you were expecting something else.

The unfortunate fact is that if you're using random networks, you'll
get increasingly random results, and there's no substitute for a tunnel
back to a known network.

R's,
John
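A small check for the interception John describes, added here as an example and not code from anyone in the thread: it asks the network's resolver and a resolver you trust (assumed to be reachable on localhost, for instance through an ssh forward of the kind Steve uses) for the same name, and it probes a name that cannot exist to catch resolvers that replace NXDOMAIN with an advertising host. The TRUSTED address and the names queried are assumptions.

```shell
#!/bin/sh
# dnscheck.sh: compare what the local network's resolver returns with what a
# resolver you trust returns, and probe for NXDOMAIN rewriting.
# TRUSTED defaults to localhost, i.e. a resolver reached through an ssh
# forward as in the thread; assumed value, override with TRUSTED=... .
TRUSTED="${TRUSTED:-127.0.0.1}"

# normalize_answers LIST: one answer per line, blank lines dropped, sorted and
# deduplicated, so two lists compare equal regardless of answer order.
normalize_answers() {
  printf '%s\n' "$1" | sed '/^$/d' | sort -u
}

# answers_differ LIST1 LIST2: true (exit 0) when the two answer sets differ.
answers_differ() {
  [ "$(normalize_answers "$1")" != "$(normalize_answers "$2")" ]
}

# nxdomain_rewritten LIST: true when a name that cannot exist got an answer,
# the signature of a resolver that swaps NXDOMAIN for an ad server.
nxdomain_rewritten() {
  [ -n "$(normalize_answers "$1")" ]
}

# probe_name: a label no honest resolver can answer positively; .invalid is
# reserved (RFC 2606), so the only correct reply is NXDOMAIN.
probe_name() {
  printf 'probe-%s-%s.invalid' "$(date +%s)" "$$"
}

# check_name NAME: query both resolvers for NAME's A records. A mismatch is
# only a hint, since CDNs legitimately answer differently per vantage point;
# names on hosts you control, as in the thread, give a firm verdict.
check_name() {
  local_ans=$(dig +short +time=2 +tries=1 "$1" A)
  trusted_ans=$(dig +short +time=2 +tries=1 @"$TRUSTED" "$1" A)
  if answers_differ "$local_ans" "$trusted_ans"; then
    printf 'MISMATCH %s\n  local:   %s\n  trusted: %s\n' "$1" \
      "$(normalize_answers "$local_ans" | tr '\n' ' ')" \
      "$(normalize_answers "$trusted_ans" | tr '\n' ' ')"
    return 1
  fi
  printf 'ok       %s\n' "$1"
}

# check_nxdomain: ask the local resolver for the probe name.
check_nxdomain() {
  n=$(probe_name)
  ans=$(dig +short +time=2 +tries=1 "$n" A)
  if nxdomain_rewritten "$ans"; then
    printf 'REWRITE  %s answered with %s\n' "$n" "$(printf '%s' "$ans" | tr '\n' ' ')"
    return 1
  fi
  printf 'ok       %s is NXDOMAIN, as it should be\n' "$n"
}

# Queries run only when names are given, e.g.: sh dnscheck.sh smtp.ibctech.ca
if [ $# -gt 0 ]; then
  check_nxdomain
  for name in "$@"; do check_name "$name"; done
fi
```

The NXDOMAIN probe is the more reliable of the two signals: an honest resolver has no answer for a fresh label under a reserved TLD, so any A record there is the interceptor's, whereas differing answers for a real name need a name you control before they mean anything.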

Transparent dns rewriter inline on the network

Just to add that openssh and putty both provide a SOCKS proxy which
some might find more straightforward to use for multiple protocols.

$ ssh -D 1080 myserver.example.net

and then point your browser/MUA/etc at localhost:1080 (there's
possibly a SOCKS option to tick, somewhere). Connections will then
tunnel to and emerge from myserver.example.net.

HTH,

p.s. and for more proxy fun, try the FoxyProxy extension for Firefox
if you have a few of these to juggle.

--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
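A wrapper in the spirit of Steve's sh script, covering both his per-port -L forwards and Oliver's -D SOCKS proxy; this is an added example, not either author's script. REMOTE_USER and REMOTE_HOST are assumptions, defaulting to the user and host that appear in the thread. It also handles the IPv6 case Steve mentioned: OpenSSH accepts an IPv6 literal in the -L argument when the address is bracketed, so the wrapper brackets any target containing a colon instead of falling back to a hostname.

```shell
#!/bin/sh
# tunnel.sh: bring up ssh port forwards (-L) or a SOCKS proxy (-D) to a host
# you control. REMOTE_* are assumed values; the defaults are from the thread.
REMOTE_USER="${REMOTE_USER:-steve}"
REMOTE_HOST="${REMOTE_HOST:-smtp.ibctech.ca}"

# forward_spec LOCALPORT TARGETHOST TARGETPORT -> the argument for ssh -L.
# OpenSSH parses an IPv6 literal in this position only when bracketed,
# e.g. 587:[2607:f118::b6]:587, so any target containing a colon is bracketed.
forward_spec() {
  case "$2" in
    *:*) printf '%s:[%s]:%s' "$1" "$2" "$3" ;;
    *)   printf '%s:%s:%s' "$1" "$2" "$3" ;;
  esac
}

# forward_args LOCAL HOST PORT [LOCAL HOST PORT ...] -> "-L spec -L spec ..."
# so one ssh process carries every forward.
forward_args() {
  out=""
  while [ $# -ge 3 ]; do
    out="$out${out:+ }-L $(forward_spec "$1" "$2" "$3")"
    shift 3
  done
  printf '%s' "$out"
}

# start_forwards LOCAL HOST PORT ...: background ssh with the forwards.
# ExitOnForwardFailure makes ssh fail loudly if a local port cannot be bound
# (ports below 1024 need root, which is why the thread runs this as client#).
# Note that -L carries TCP only: a port-53 forward helps only a resolver that
# queries over TCP (dig +tcp, or a local caching resolver set to TCP upstream).
start_forwards() {
  # specs contain no whitespace, so word-splitting the output is safe
  ssh -f -N -o ExitOnForwardFailure=yes $(forward_args "$@") \
    "$REMOTE_USER@$REMOTE_HOST"
}

# start_socks PORT: a SOCKS proxy bound to localhost:PORT, as in Oliver's post;
# anything that can speak SOCKS then needs no per-port forward at all.
start_socks() {
  ssh -f -N -o ExitOnForwardFailure=yes -D "127.0.0.1:$1" \
    "$REMOTE_USER@$REMOTE_HOST"
}

# Usage:
#   sh tunnel.sh forward 587 208.70.104.210 587 53 208.70.104.210 53
#   sh tunnel.sh socks 1080
case "${1:-}" in
  forward) shift; start_forwards "$@" ;;
  socks)   start_socks "${2:-1080}" ;;
esac
```

After starting, verify the forward the way Steve does (telnet to the local port and look for the remote banner) before pointing the MUA at localhost; with ExitOnForwardFailure set, a silent failure to bind the local port no longer leaves you with a tunnel that looks up but forwards nothing.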

> IMPORTANT: This email remains the property of the Australian Defence Organisation

Have fun trying to enforce that after posting to a public mailing list
in North America, with recipients all over the world. Care to cite any
relevant legal basis for the claim that would hold outside Australia?

> If you have received this email in error, you are requested to contact the
> sender and delete the email.

Consider yourself notified, as obviously you sent it to the NANOG list in
error if you thought you were retaining ownership of the mail. Are you
planning to reimburse us all for the costs of making sure that mail is *really*
deleted so a forensics expert can't recover it, off every single mail server
it hit along the way?

I wonder if the Australian legal system has the concept of "overwarning"...

I know I'm an idiot to respond to this BUT part of the implication of
copyright ownership is:

A) that the text is protected specifically BECAUSE it is or will be
published. So why would publishing it work against that?

Posting it to a public mailing list would seem to imply some agreement
to free redistribution, archiving, etc. but that's only a small subset
of rights under copyright which leads me to...

B) One aim is that the text is not defaced.

Imagine I took the quotation above from your note and inserted
expletives, perhaps racist epithets, keeping the indication that it
was your text I was quoting.

Do you believe you would have a complaint?

What if doing that got you fired or otherwise harmed you in a
reasonably measurable way?

Now, how could you follow up on a complaint without some notion that
those original words were at some point owned by you?

Etc.

IANAL, but it doesn't strike me as half as preposterous as you say.

ssh tunnels to IP address

i am often on funky networks in funky places. e.g. the wireless in
changi really sucked friday night. if i ssh tunneled, it would multiply
the suckiness as tcp would have puked at the loss rate.

smb whacked me that i should use non-tcp tunnels.

randy

> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the
> CRIMES ACT 1914. If you have received this email in error, you are
> requested to contact the sender and delete the email.

you have sent a message to me which seems to contain a legal
warning on who can read it, or how it may be distributed, or
whether it may be archived, etc.

i do not accept such email. my mail user agent detected a legal
notice when i was opening your mail, and automatically deleted it.
so do not expect further response.

yes, i know your mail environment automatically added the legal
notice. well, my mail environment automatically detected it,
deleted it, and sent this message to you. so don't expect a lot
of sympathy.

and if you choose to work for some enterprise clueless enough to
think that they can force this silliness on the world, use gmail,
hotmail, ...

randy

> IMPORTANT: This email remains the property of the Australian Defence
> Organisation and is subject to the jurisdiction of section 70 of the
> CRIMES ACT 1914. If you have received this email in error, you are
> requested to contact the sender and delete the email.

NOTICE: This communication may contain confidential and/or privileged
information. If you are not the intended recipient, or believe that you
have received this communication in error you are obligated to kill
yourself and anyone else who may have read it, not necessarily in that
order. So there. My disclaimer is scarier than yours. Nyaah. You
started this silly nonsense. Knock it off and I will too, ok? It's
worthless from a legal standpoint and is responsible for the needless
suffering of billions of innocent electrons. Nobody reads it anyway.
You're not actually reading this, are you? I didn't think so.

> i am often on funky networks in funky places. e.g. the wireless in
> changi really sucked friday night. if i ssh tunneled, it would multiply
> the suckiness as tcp would have puked at the loss rate.

You can always run your own local resolver... Or is there a reason that's unacceptable?

How does that help? It still sends port 53 requests to the authorities, which will be intercepted.

> How does that help? It still sends port 53 requests to the authorities, which will be intercepted.

Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers?

Well, in either case, another option would be to use something like openvpn, cisco vpn, etc. with very limited routes. Set it up so only your dns traffic is sent over the tunnel. Then you can still use the local network, crappy as it may be, without having to deal with the added overhead of ssh and the like.
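The DNS-only split tunnel suggested above, written out as an added example (not the poster's configuration) in the form of a script that generates an OpenVPN client config: route-nopull discards every route, redirect-gateway and DNS option the server pushes, and the only route added is a host route to the trusted resolver, so everything else keeps using the local network. UDP transport also answers Randy's objection to TCP-inside-TCP on a lossy link. VPN_SERVER, the resolver address (documentation space) and the certificate file names are assumptions.

```shell
#!/bin/sh
# dns-only-vpn.sh: write an OpenVPN client config that sends nothing but DNS
# to a trusted resolver through the tunnel. VPN_SERVER and the resolver
# address are assumed values (192.0.2.0/24 is RFC 5737 documentation space).
VPN_SERVER="${VPN_SERVER:-vpn.example.net}"
TRUSTED_RESOLVER="${TRUSTED_RESOLVER:-192.0.2.53}"

# route_lines RESOLVER...: one /32 host route per resolver and nothing else,
# so the laptop's other traffic stays on the local network.
route_lines() {
  for r in "$@"; do
    printf 'route %s 255.255.255.255\n' "$r"
  done
}

# gen_config RESOLVER...: the complete client config on stdout.
gen_config() {
  cat <<EOF
client
dev tun
# UDP transport: tunnelling TCP inside TCP is what makes a lossy link
# "multiply the suckiness"; over UDP the inner TCP does its own recovery.
proto udp
remote $VPN_SERVER 1194
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
# Ignore every route, redirect-gateway and dhcp-option the server pushes;
# without this a typical server config pulls all traffic into the tunnel.
route-nopull
# The only destination(s) that go through the tunnel:
$(route_lines "$@")
EOF
}

# resolv_conf RESOLVER...: route-nopull also drops pushed DNS settings, so
# the stub resolver has to be pointed at the tunnelled resolver locally.
# resolv.conf format shown; systems that manage DNS differently need their
# own equivalent.
resolv_conf() {
  for r in "$@"; do
    printf 'nameserver %s\n' "$r"
  done
}

# Usage: sh dns-only-vpn.sh write   (files land in the current directory)
if [ "${1:-}" = "write" ]; then
  gen_config "$TRUSTED_RESOLVER" > dns-only.ovpn
  resolv_conf "$TRUSTED_RESOLVER" > resolv.conf.dns-only
fi
```

The server side still has to route or NAT the tunnel's traffic to the resolver, and the resolver has to accept queries from the tunnel's address range; once that is in place, the interception check from earlier in the thread can be run with TRUSTED set to the resolver's address to confirm the answers now arrive untouched.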

I don't have access to a trustable network to tunnel to. (Or at least I
don't know how to.)

I wish some entrepreneur would start a subscription service to provide
honest DNS (and maybe authenticated outbound email) that I could point
to regardless of where I may have wandered.

> How does that help? It still sends port 53 requests to the authorities, which will be intercepted.
>
> Hrm.. Maybe I misunderstood. Are the packets being intercepted, or is the problem the local resolvers?

While I admit I have not read every post in the thread, I note the subject line. :)

> Well, in either case, another option would be to use something like openvpn, cisco vpn, etc. with very limited routes. Set it up so only your dns traffic is sent over the tunnel. Then you can still use the local network, crappy as it may be, without having to deal with the added overhead of ssh and the like.

ISTM Randy's comment about SSH tunnels would have the same effect.