# own DNS to conquer the government

## avx

Some of you might already have heard/read that the German government is currently enforcing a new law to censor the internet - officially announced to be against child pornography, but also driven by lobbyists of i.e. the media industry (IFPI, ...).

This should be done - at the very least - by DNS rerouting, i.e. querying for www.badsite.com and getting redirected to www.youshouldntdothis.com. Of course, this can be easily circumvented by using a DNS not provided by one of the national ISPs (well, opendns.com is bad in itself), but there are already rumours and discussions to block/filter/redirect all DNS traffic on :53, so it wouldn't be that easy anymore.

So, to not be a part of China 2.1, setting up my own DNS server comes to mind, but since this topic is pretty new to me, I'm hoping for some answers to the following questions.

1. What software to use (BIND or something else)?

2. How to sync with an external DNS, i.e. one of the root DNSs or some other? Not using :53 of course.

3. If it would be possible to "mirror" one of the root DNSs to a local machine, what hardware do I need (mainly concerned about disk space)?

4. If all that doesn't work satisfactorily, what would be a good alternative?

5. Out of curiosity, how to best implement a "round-robin" over a longer list of out-of-state DNSs (something better than rewriting resolv.conf every X hours)?

For those not seeing/believing the problem, there's already a test case, supported by the government, to create a filter to protect children from inappropriate content, and this list already contains the webpages of some political parties, blogs and even Linux-related pages (i.e. Gentoo.org is blocked) - see for yourself at http://www.jugendschutzprogramm.de/checkurl.php

Thanks for any help, sorry if something like this has been posted before, I'm currently running on a blood rush :/

----------

## drescherjm

I suggest dnrd

http://gentoo-portage.com/net-dns/dnrd

----------

## NeddySeagoon

ph030,

Blocking DNS lookups is just a nuisance. There are sites like this that provide web-based DNS lookup. Using that and making it transparent to a Google hit list doesn't sound too hard. Most sites don't change their IP, so you could add IPs to your /etc/hosts after you have discovered them. You would get a huge /etc/hosts, which will not be good.

To actually block access to sites, you have to block access by IP, which is the logical next step when everyone works around DNS blocking. It's then that Germany becomes China 2.1.

To get around that, you need a secure link to a server outside Germany. Hmm, maybe you don't need a server at all. Perhaps a free IPv6 tunnel would do. You set up IPv6 and use the services of a tunnel broker (free) to turn your IPv6 internet traffic into normal IP traffic.

When you browse the web over your IPv6, all your traffic goes through the tunnel to the outside world.

----------

## poly_poly-man

Install bind, make sure it's listening on at least localhost (should be ootb), start it, make resolv.conf point to 127.0.0.1.

This uses root servers to resolve queries...

Keep in mind, root servers really can only tell you where all the TLD parent domains are - there's nothing really on them except that.

EDIT: without using port 53 outgoing? out of luck unless you can vpn/etc. to a server elsewhere running dns - or just run your own dns server elsewhere on a port besides 53...

----------

## avx

NeddySeagoon,

 *Quote:*   

> There are sites like this that provide web based DNS lookup. Using that and making it transparent to a google hit list doesn't sound too hard.

What exactly do you mean by the 2nd sentence?

 *Quote:*   

> To actually block access to sites, you have to block access by IP, which is the logical next step when everyone works around DNS blocking.

Yep, and that's also already in discussion. Our politicians don't have a clue at all and it's just not really possible to tell them that IP-based blocking could block thousands of pages. They want to block things like piratebay, because there can be something like cp and if someone investigates, they're uploading some on their own. It's election time this year, so they'll do whatever the stupid people think will be positive.

poly_poly-man,

Thanks, gonna look at bind in the next days.

----------

## drescherjm

Do a google search for "free anonymous proxy"

----------

## avx

Well, I've already got TOR running, not speedy but good enough. Conquering anonymity is already on the politicians' table, I'm waiting for another try to forbid (strong) cryptography (they already tried that a few times).

Fortunately, I just had a call with a friend in Canada, we'll set up some tunnels tomorrow, but still, other ideas are very welcome, especially ones which are easy to do and to maintain (for not so techy friends/parents).

----------

## NeddySeagoon

ph030,

To expand on my previous response ...

Let's say you are doing a Google search and want to visit one of the sites Google finds.

In the normal course of events, you click the link, DNS does its magic and your system uses the IP that's returned to load the site.

Only with the new laws in Germany DNS may fail.

To continue you can manually look up the IP of the site you want and browse to it with http://<IPAddress>, which will work until <IPAddress> is blocked. It's probably possible to automate this manual process, so it happens without you seeing it (transparent).

This way you get permitted DNS lookups over port 53 and blocked ones over port 80, after a port 53 lookup has failed.

The children will be the first to find the loopholes ... they know no fear and have a wonderful communications network. This law cannot succeed.

----------

## think4urs11

 *NeddySeagoon wrote:*   

> The children will be the first to find the loopholes ... they know no fear and have a wonderful communications network. This law cannot succeed.

And that's the point - but convince ignorant politicians of these two facts. Operation impossible.

In Germany we also call our leaders 'Internetausdrucker' (aka put that damn internet thing on paper so I 'understand') for a reason.

----------

## xtz

 *NeddySeagoon wrote:*   

> ...
> To continue you can manually look up the IP of the site you want and browse to it with http://<IPAddress>, which will work until <IPAddress> is blocked.
> ...

If the site uses an HTTP server that uses name-based virtual hosting, you are screwed. The HTTP server will rely on the browser's HTTP request for the name of the site (which in this case will be the IP address), and the best thing you can expect is to open the default virtual host set in the HTTP server's configuration.

----------

## nativemad

 *Quote:*   

> If the site uses an HTTP server that uses name-based virtual hosting, you are screwed. The HTTP server will rely on the browser's HTTP request for the name of the site (which in this case will be the IP address), and the best thing you can expect is to open the default virtual host set in the HTTP server's configuration.

This could be circumvented with an entry in /etc/hosts. I think that's what neddy wanted to tell us with his first post here.

I think that probably avahi or so (probably dnsmasq, for complete LANs) should/could be modified to act this way... (e.g. get the resolving via wget or similar, if normal DNS fails). But that raises another topic: Do you trust the owner of that service?!?

It is really a shame what happens in Germany... I'm absolutely not affected (luckily, so far, over here), but I am proud that someone (a whole movement by now) stands up and raises their voice! Even if the majority of people don't get the point at all!

Stop zensursula! <- I'll order a shirt, just to support the thing!
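To show concretely why xtz's point holds (a name-based server only sees whatever the browser puts in the Host header, so http://<IPAddress> lands on the default vhost) and why nativemad's /etc/hosts entry fixes it (the browser then sends the real name, without any DNS lookup), here is a small model of both sides. This is an added example written for this thread, not code from any poster or from Apache/nginx; the vhost names, document roots and addresses in it are constructed.

```python
"""Model of name-based virtual hosting. Added example, not from this thread.

A name-based HTTP server chooses the site from the Host header the browser
sends, which is whatever appeared in the URL. Browsing to http://<IP>/ sends
the IP as Host, so only the default vhost answers; an /etc/hosts entry lets
the browser use the real name (and send it as Host) without any DNS lookup.
"""
import ipaddress

# Constructed vhost table (hypothetical names and document roots).
VHOSTS = {
    "example.org": "/srv/www/example.org",
    "blog.example.net": "/srv/www/blog",
}
DEFAULT_ROOT = "/srv/www/default"  # served when no ServerName matches


def normalise_host(host_header):
    """Strip port and IPv6 brackets from a Host header, lower-case the name."""
    host = host_header.strip()
    if host.startswith("["):                 # [2001:db8::1]:8080
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # name:port or 203.0.113.5:8080
        host = host.split(":", 1)[0]
    return host.lower().rstrip(".")


def select_vhost(host_header):
    """Return the document root a name-based server would pick."""
    host = normalise_host(host_header)
    if host in VHOSTS:
        return VHOSTS[host]
    return DEFAULT_ROOT                      # IP literal or unknown name


def browse(url_host, hosts_file, dns):
    """Model the client: resolve url_host, send it as Host, get a doc root.

    hosts_file and dns are dicts {name: ip}; hosts_file wins, as on a real
    system. Raises LookupError when neither knows the name (blocked DNS).
    """
    try:
        ip = str(ipaddress.ip_address(url_host))   # URL already holds an IP
    except ValueError:
        ip = hosts_file.get(url_host) or dns.get(url_host)
        if ip is None:
            raise LookupError("no answer for " + url_host)
    return ip, select_vhost(url_host)


if __name__ == "__main__":
    hosts = {"example.org": "203.0.113.5"}   # constructed /etc/hosts entry
    print(browse("203.0.113.5", {}, {}))     # reaches only the default vhost
    print(browse("example.org", hosts, {}))  # right vhost, DNS never asked
```

The same mechanism is why a trusted hosts file is a hard requirement: whoever controls the name-to-IP mapping you fall back to decides which server answers for that name.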

----------

## xtz

Yes, an entry in /etc/hosts should do the trick. If you ask me, I'd go for the IPv6 tunnel... for whole networks I'd set up a tunnel on the gateway and route the traffic through it (I assume the free IPv6 tunnel providers have some bandwidth limits for those tunnels, so maybe it would be better to discuss the situation with them first, maybe even use a paid, hence better, service).

----------