nanog mailing list archives

Re: dns interceptors


From: Sean Donelan <sean () donelan com>
Date: Sun, 14 Feb 2010 18:38:42 -0500 (EST)

On Sun, 14 Feb 2010, Randy Bush wrote:
> ssh tunnels to IP address
> i am often on funky networks in funky places.  e.g. the wireless in
> changi really sucked friday night.  if i ssh tunneled, it would multiply
> the suckiness as tcp would have puked at the loss rate.
> smb whacked me that i should use non-tcp tunnels.

Their network, their rules; your network, your rules; my network, my rules.

If you visit lots of funky places, it's probably time to learn about tunnelling protocols. If you don't like their network rules, tunnel to a different network with rules you prefer.

Ports 80/443 seem to work as the universal tunnelling ports, along with SSH, VPN, PPTP, IPnIP/IPSEC, etc. Sometimes proxy-tunnel software which encapsulates packets inside HTTP works. AOL and SKYPE seem to successfully tunnel through a lot of stuff. Of course, if you are on a network which doesn't want to allow tunnels, e.g. an internal enterprise network, you may not want to do that.

Per-application stuff works sometimes (DNSSEC/TSIG-forwarders, HTTPS, etc), but when allowed I immediately create a tunnel and don't spend time debugging local networks. Some people always use tunnels even when using networks such as the NANOG or IETF conference networks.


