OpenDNS redirects torproject, archlinux and stackexchange to blocking-page
17 points by alcoholic_byte on Dec 28, 2019 | 3 comments
My setup was working fine until I turned it on again and noticed that I was unable to access torproject.org, bbs.archlinux.org or security.stackexchange.com or a torrent-tracker site I occasionally query always using a VPN.

  $> resolvectl query torproject.org
  torproject.org: 146.112.61.106

  -- Information acquired via protocol DNS in 56.6ms.
  -- Data is authenticated: no

Calling this IP will yield a website that loads a JS snippet replacing the URL.

  $> curl 146.112.61.106
  <html><head><script type="text/javascript">location.replace("https://block.opendns.com/?url=1821231518181915231815181723&ablock&server=ams16&prefs=&tagging=&nref");</script></head></html>

IMHO DNS service providers, especially 3rd-party ones, ought to be impartial. I know the arguments, but it does not eradicate the problem (this may vary depending on what example you are leading with), and TBH I'd rather not be protected from "the big bad internet" as if I am "Little Red Riding Hood" and the Internet "The Big Bad Wolf". I am a grown human being with full command over my faculties. Besides, I wonder what the excuse is for blocking bbs.archlinux.org (did MS or Google or Disney (fearing the "security" for their content on Plus) complain and is it not enough that their DRM prevents watching content on Linux), torproject.org (hmmm too easy constructing s.th.), and of course stackexchange is ground zero for all evil things.

I for one find it sad that OpenDNS is doing this under the aegis of Cisco. One could say that they are following a notice for the tracker, BUT torproject, stackexchange and bbs.archlinux.org?

Maybe some people more familiar with this matter can enlighten me. All the SSL certificates are only valid for ~7 days. Why such a short time? Also note that the SSL certificate is self-signed by Cisco, and since they are allowed to sign, it is automatically valid. The only reason this raised flags was certificate pinning.

Happy Holidays folks! :D




Their categorizations are crowd sourced. Are they classified under something you've chosen to block?

For example, torproject.org is classified as a proxy/anonymizer. This is something people that filter networks would want to block because it defeats the purpose.

Try checking here with the others and see what you can find. It'll tell you what they're classified as and will give you the option to vote. https://domain.opendns.com/


Well my point here is, that it worked before and not after I rebooted my computer, so aside from my DNS-cache there shouldn't have been anything different going on.

It is a very bad model IMHO. Think Pizzagate, or other events where stupid people, brainwashed by others, go out and do stuff they think is right. E.g. clicking on it serves inappropriate content, oh no s.th. must be done, I am self-righteous and want to protect the world from SMUT. Where inappropriate is subjective.

Also looking here: https://domain.opendns.com/torproject.org Why is pornography bad or even associated with tor? Same with drugs. Oh yes the big bad wolf in the deep web's clothing.

And yes I have seen the "manage your filter-settings" but using a VPN, looking at tor, etc. I am one of those people that don't like all their internet-activity attributed to them with the ease of looking up an account, please also be required to mine millions of connections and cross-reference meta-data and my style of writing before you get me.

It just comes as a shock that all of a sudden this does not work any more and OpenDNS forces the despotic rule of uneducated and feeble (read scared shitless for no reason) people upon everyone.

I see the reason for the existence of such mechanisms: e.g. I like to take responsibility for my child's education or I am a Network-Admin who cannot curate a list of allowed domains on their time. So they turn to a DNS-resolver that does it for a living. But IMHO that should be opt-in, so create an account and use restrictive filters. Also there is a DNS-standard in the RFC RCODE 5, instead of running a MITM they ought to use that.

These days there is also DoH, DNSSEC, DNS over mail, etc. So why do it this way instead of providing means to either access one list (filtered) or the other (unfiltered) depending on the query/DNS server without needing an account? The defaults are reversed; it is not OpenDNS/Cisco's responsibility but mine to protect my kids. They may help by providing tutorials on how to do it, but they shouldn't force this low-balled, overbearing, pretentious protective attitude on the masses.

Because adults should and want to take responsibility for their own actions. If I cannot handle one stuff or the other, I will gladly turn to OpenDNS's mechanisms to hold my hand and shield me, but until then GTFO of my way. Same with protecting against malware/phishing sites.

Considering their importance and reach, this (the choosing of a wrong default) is s.th. that needs to be discussed; and this discussion is actually going deeper, because we need to ask ourselves if we want _society_ to be run by rules meant to minimize lawsuits and financial risks for corporations. You cannot run a society like that, because the ultimate outcome would be adults being treated as children. A prime example, these days, would be the "Do not Intervene" rule in Canada's retail shops.


dnscrypt appears to be better

- client: dnscrypt-proxy

- server: dnscrypt-wrapper



