| 1 |
Am Sun, 12 Mar 2017 03:18:59 -0400 |
| 2 |
schrieb "Walter Dnes" <waltdnes@××××××××.org>: |
| 3 |
|
| 4 |
> Starting a separate topic, rather than hijack the main thread... |
| 5 |
> |
| 6 |
> On Fri, Mar 10, 2017 at 01:50:26PM -0600, Corbin Bird wrote |
| 7 |
> > |
| 8 |
> > 6 # : ISP is starting to filter customers web access. The ISP is |
| 9 |
> > deciding what sites customers are allowed to see. ( look up the |
| 10 |
> > practice called "ransom" ). |
| 11 |
> |
| 12 |
> Does this consist of grabbing outbound traffic to port 53? If so, I |
| 13 |
> wonder if the following is possible... |
| 14 |
> |
| 15 |
> * Can a POTS dialup or a wifi connection co-exist with a broadband |
| 16 |
> connection? It would make the network config and route config more |
| 17 |
> complex. |
| 18 |
|
| 19 |
Complex? Not really. Just put static DNS IPs into your resolver config, |
| 20 |
and add a static route for these destinations: |
| 21 |
|
| 22 |
for tunnel devices like ppp: |
| 23 |
# route add 8.8.4.4 dev ppp-interface |
| 24 |
|
| 25 |
or |
| 26 |
|
| 27 |
for LAN router: |
| 28 |
# route add 8.8.4.4 gw ip-of-your-dialup-router |
| 29 |
|
| 30 |
And then do not let the dialup line set a default route. |
| 31 |
|
| 32 |
> * If yes, can iptables be used to redirect only outbound-to-port-53 |
| 33 |
> traffic to the dialup/wifi connection, with everything else going to |
| 34 |
> the broadband connection? |
| 35 |
|
| 36 |
You could but this becomes more complicated. I think this would have to |
| 37 |
go into the pre-routing chain. But I don't recommend fiddling around |
| 38 |
with that. |
| 39 |
|
| 40 |
> * Another option, if you know the alternate DNS server address in |
| 41 |
> advance, set up routing of the /32 (for the alternate DNS server) |
| 42 |
> to ppp0 or wlan0 with higher priority than the default route. This |
| 43 |
> doesn't require any iptables magic. |
| 44 |
|
| 45 |
As stated above... And you don't need to set higher priority. The best |
| 46 |
matching rules are always tried before routing rules with lower |
| 47 |
matching destinations, that means /32 destination rules are matched |
| 48 |
before /24 destination rules, and so forth. The default gateway is |
| 49 |
matching IP destination 0/0. The priority is only considered when |
| 50 |
multiple equally matching rules are found. Just remove the default |
| 51 |
route via the ppp route to ensure nothing else will go over the slow |
| 52 |
link. |
| 53 |
|
| 54 |
> * Can the standard linux network stack handle this properly, and use |
| 55 |
> incoming DNS responses from the dialup/wifi connection for the IP |
| 56 |
> addresses of websites, etc to be accessed via broadband? |
| 57 |
|
| 58 |
I don't see problems here. DNS is one request, HTTP is another. As long |
| 59 |
as your broadband DNS doesn't resolve to some proxy IPs all should be |
| 60 |
fine. |
| 61 |
|
| 62 |
> DNS traffic is low volume, usually fitting into 1 packet. So it |
| 63 |
> would be feasible to divert DNS requests to a lower-speed connection. |
| 64 |
> The broadband ISP would handle all the highspeed website, etc, traffic |
| 65 |
> but it would not see any DNS traffic, and would not be able to |
| 66 |
> intercept it. |
| 67 |
|
| 68 |
Yes. |
| 69 |
|
| 70 |
|
| 71 |
-- |
| 72 |
Regards, |
| 73 |
Kai |
| 74 |
|
| 75 |
Replies to list-only preferred. |
Archives