dns interceptors

Sean Donelan sean at donelan.com
Sun Feb 14 23:38:42 UTC 2010

On Sun, 14 Feb 2010, Randy Bush wrote:
>> ssh tunnels to IP address
> i am often on funky networks in funky places.  e.g. the wireless in
> changi really sucked friday night.  if i ssh tunneled, it would multiply
> the suckiness as tcp would have puked at the loss rate.
> smb whacked me that i should use non-tcp tunnels.

Their network, their rules; your network, your rules; my network, my 

If you visit lots of funky places, it's probably time to learn about 
tunnelling protocols.  If you don't like their network rules, tunnel to a 
different network with rules you prefer.

Ports 80/443 seem to work as the universal tunnelling ports, along with 
SSH, VPN, PPTP, IPnIP/IPSEC, etc.  Sometimes proxy-tunnel software which 
encapsulates packets inside HTTP works.  AOL and SKYPE seem to 
successfully tunnel through a lot of stuff. Of course, if you are on a 
network which doesn't want to allow tunnels, e.g. an internal enterprise 
network, you may not want to do that.

Per-application stuff works sometimes (DNSSEC/TSIG-forwarders, HTTPS, etc), 
but when allowed I immediately create a tunnel and don't spend time 
debugging local networks. Some people always use tunnels even when using 
networks such as the NANOG or IETF conference networks.

More information about the NANOG mailing list