author Nick Mathewson <nickm@torproject.org> 2006-12-28 21:29:11 +0000
committer Nick Mathewson <nickm@torproject.org> 2006-12-28 21:29:11 +0000
commit e5f5b96ca6bc35d22478840600c2dfdf2778950f (patch)
tree 1c6d406bffc1d2691ff125894146d191fe17ebd2 /doc
parent 4cd302a1ebd44eafe5ac57062288436ab41b1220 (diff)
r11723@Kushana: nickm | 2006-12-28 13:52:48 -0500
Fix bug 364: check for whether popular hostnames (currently google, yahoo, mit, and slashdot) are getting wildcarded. If they are, we are probably behind a DNS server that is useless: change our exit policy to reject *:*. svn:r9199
Diffstat (limited to 'doc')
-rw-r--r-- doc/TODO 4
-rw-r--r-- doc/tor.1.in 8
2 files changed, 10 insertions, 2 deletions
diff --git a/doc/TODO b/doc/TODO
index 9ab9915dba..12129cf10e 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -107,8 +107,8 @@ d - Be a DNS proxy.
o address_is_invalid_destination() is the right thing to call here
(and feel free to make that function smarter)
o add a config option to turn it off.
- - and a man page for that option
- - Bug 364: notice when all the DNS requests we get back (including a few
+ o and a man page for that option
+ o Bug 364: notice when all the DNS requests we get back (including a few
well-known sites) are all going to the same place.
o Bug 363: Warn and die if we can't find a nameserver and we're running a
server; don't fall back to 127.0.0.1.
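Review bot: The Bug 364 entry marked done at the "+ o Bug 364" line still describes the check as noticing when DNS answers "are all going to the same place", while the man page text added in this same commit describes it as testing a list of valid addresses for redirection. Consider rewording the completed item, or adding a short pointer to ServerDNSTestAddresses, so the TODO matches what was implemented and how it is configured.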
diff --git a/doc/tor.1.in b/doc/tor.1.in
index 6ac3c1f735..32b9c63832 100644
--- a/doc/tor.1.in
+++ b/doc/tor.1.in
@@ -704,6 +704,14 @@ our local nameservers have been configured to hijack failing DNS requests
this. This option only affects name lookup for addresses requested by
clients; and only takes effect if Tor was built with eventdns support.
(Defaults to "1".)
+.LP
+.TP
+\fBServerDNSTestAddresses \fR\fIaddress\fR,\fIaddress\fR,\fI...\fP
+When we're detecting DNS hijacking, make sure that these \fIvalid\fP
+addresses aren't getting redirected. If they are, then our DNS is
+completely useless, and we'll reset our exit policy to "reject *:*".
+(Defaults to "www.google.com, www.mit.edu, www.yahoo.com,
+www.slashdot.org".)
.SH DIRECTORY SERVER OPTIONS
.PP
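Review bot: The new ServerDNSTestAddresses entry does not say how it relates to the hijack-detection option documented just above it. State whether the test addresses are ignored when that option is turned off, and whether this check also only takes effect when Tor is built with eventdns support, as the preceding entry notes for itself. Because the consequence is resetting the exit policy to "reject *:*", the entry should also tell the operator how they will learn this happened (for example, a log message) and whether the policy is restored once the resolver behaves again. Minor: the synopsis shows the list as address,address with no spaces, while the default is quoted with a space after each comma; pick one form so readers know whether spaces are accepted.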