From a4fb12a425d395920434d6909bcdb9abf92bcbf4 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 14 Apr 2007 16:59:41 +0000 Subject: r12355@catbus: nickm | 2007-04-14 11:52:20 -0400 Rename DNSBL to DNSEL. svn:r9952 --- doc/contrib/torbl-design.txt | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'doc/contrib') diff --git a/doc/contrib/torbl-design.txt b/doc/contrib/torbl-design.txt index dac1234162..20912f4cb1 100644 --- a/doc/contrib/torbl-design.txt +++ b/doc/contrib/torbl-design.txt @@ -1,9 +1,9 @@ -Design For A Tor RBL {DRAFT} +Design For A Tor DNS-based Exit List Status: - This is a suggested design for a DNSBL for Tor exit nodes. It hasn't been - implemented. + This is a suggested design for a DNS Exit List (DNSEL) for Tor exit nodes. + It hasn't been implemented. Why? @@ -29,10 +29,10 @@ Why? identify which Tor nodes might open anonymous connections to any given exit address. But this is a bit tricky to set up, so only sites like Freenode and OFTC that are dedicated to privacy use it. - Conversely, providers of some DNSBL implementations are providing + Conversely, providers of some DNSEL implementations are providing coarse-grained lists of Tor hosts -- sometimes even listing servers that permit no exit connections at all. This is rather a problem, since - support for DNSBL is pretty ubiquitous. + support for DNSEL is pretty ubiquitous. How? 
@@ -54,13 +54,13 @@ How? The DNS interface - DNSBL, if I understand right, looks like this: There's some host at - foo.example.com. You want to know if 1.2.3.4 is in the list, so you - query for an A record for 4.3.2.1.foo.example.com. If the record - exists, 1.2.3.4 is in the list. If you get an NXDOMAIN error, 1.2.3.4 - is not in the list. + Standard DNSEL, if I understand right, looks like this: There's some host + at foo.example.com. You want to know if 1.2.3.4 is in the list, so you + query for an A record for 4.3.2.1.foo.example.com. If the record exists, + 1.2.3.4 is in the list. If you get an NXDOMAIN error, 1.2.3.4 is not in + the list. - Assume that the DNSBL sits at some host, torhosts.example.com. Below + Assume that the DNSEL sits at some host, torhosts.example.com. Below are some queries that could be supported, though some of them are possibly a bad idea. @@ -160,7 +160,7 @@ Other issues: masks wider than /8 make me nervous here, as do port ranges. We need an answer for what to do about hosts which exit from different - IPs than their advertised IP. One approach would be for the DNSBL + IPs than their advertised IP. One approach would be for the DNSEL to launch periodic requests to itself through all exit servers whose policies allow it -- and then see where the requests actually come from. -- cgit v1.2.3-54-g00ecf
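Review bot: In the first hunk (@@ -1,9 +1,9 @@) the title and status lines now say "DNS-based Exit List" / "DNS Exit List (DNSEL)", but the file itself is still doc/contrib/torbl-design.txt, so the "bl" name survives in the path while the rename commit claims to rename DNSBL to DNSEL. Consider renaming the file (for example to a torel- or dnsel- prefixed name) in the same change, or saying in the commit message why the path is kept; otherwise the next reader will assume the document still describes a blocklist.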
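Review bot: The second hunk (@@ -29,10 +29,10 @@) looks like a mechanical search-and-replace that changes the meaning of the paragraph. The lines "Conversely, providers of some DNSBL implementations are providing coarse-grained lists of Tor hosts" and "support for DNSBL is pretty ubiquitous" describe the existing blocklist ecosystem, whose coarse Tor lists are the motivation for this design; the first hunk's own Status line says the DNSEL "hasn't been implemented", so there are no DNSEL implementations or ubiquitous DNSEL support to refer to. Suggest keeping "DNSBL" on these two lines and reserving "DNSEL" for the proposed service, or rewording to "existing DNSBL providers" / "DNSBL-style lookups are pretty ubiquitous".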
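Review bot: In the third hunk (@@ -54,13 +54,13 @@) the new text "Standard DNSEL, if I understand right, looks like this" is inaccurate for the same reason: the reversed-octet A-record query (4.3.2.1.foo.example.com, NXDOMAIN meaning "not listed") being described is the established DNSBL convention, and there is no "standard DNSEL" yet. Suggest something like "The standard DNSBL query convention, which the DNSEL would follow, looks like this:" so the paragraph still explains where the lookup format comes from. The later line "Assume that the DNSEL sits at some host, torhosts.example.com." reads correctly, since it refers to the proposed service.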
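Review bot: The last hunk (@@ -160,7 +160,7 @@) is the one place where the rename is unambiguously right: "for the DNSEL to launch periodic requests to itself through all exit servers" describes the proposed service probing exits, not an existing blocklist. Only a minor wording point: "to launch periodic requests to itself" could be tightened to "to periodically connect to itself", but that is optional and outside the scope of a rename commit.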