avx Advocate
Joined: 21 Jun 2004 Posts: 2152
Posted: Wed Jun 17, 2009 4:26 pm Post subject: own DNS to conquer the government
Some of you might already have heard/read that the German government is currently enforcing a new law to censor the internet - officially announced to be against child pornography, but also driven by lobbyists of, e.g., the media industry (IFPI, ...).
This should be done - at the very least - by DNS rerouting, i.e. querying for www.badsite.com and getting redirected to www.youshouldntdothis.com. Of course, this can be easily circumvented by using a DNS not provided by one of the national ISPs (well, opendns.com is bad in itself), but there are already rumours and discussions to block/filter/redirect all DNS traffic on :53, so it wouldn't be that easy anymore.
So, to not be a part of China 2.1, setting up my own DNS server comes to mind, but since this topic is pretty new to me, I'm hoping for some answers to the following questions.
1. What software to use (BIND or something else)?
2. How to sync with an external DNS, i.e. one of the root DNSs or some other? Not using :53, of course.
3. If it would be possible to "mirror" one of the root DNSs to a local machine, what hardware do I need (mainly concerned about disk space)?
4. If all that doesn't work satisfactorily, what would be a good alternative?
5. Out of curiosity, how to best implement a "round-robin" over a longer list of out-of-state DNSs (something better than rewriting resolv.conf every X hours)?
For those not seeing/believing the problem, there's already a test case, supported by the government, to create a filter to protect children from inappropriate content, and this list already contains the web pages of some political parties, blogs and even Linux-related pages (e.g. Gentoo.org is blocked) - see for yourself at http://www.jugendschutzprogramm.de/checkurl.php
Thanks for any help, sorry if something like this has been posted before, I'm currently running a bloodrush :/
drescherjm Advocate
Joined: 05 Jun 2004 Posts: 2790 Location: Pittsburgh, PA, USA
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54798 Location: 56N 3W
Posted: Wed Jun 17, 2009 6:37 pm Post subject:
ph030,
Blocking DNS lookups is just a nuisance. There are sites like this that provide web based DNS lookup. Using that and making it transparent to a google hit list doesn't sound too hard. Most sites don't change their IP, so you could add IPs to your /etc/hosts after you have discovered them. You would get a huge /etc/hosts which will not be good.
To actually block access to sites, you have to block access by IP, which is the logical next step when everyone works around DNS blocking. It's then that Germany becomes China 2.1.
To get around that, you need a secure link to a server outside Germany. Hmm, maybe you don't need a server at all. Perhaps a free IPv6 tunnel would do. You set up IPv6 and use the services of a tunnel broker (free) to turn your IPv6 internet traffic into normal IP traffic.
When you browse the web over your IPv6, all your traffic goes through the tunnel to the outside world.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
poly_poly-man Advocate
Joined: 06 Dec 2006 Posts: 2477 Location: RIT, NY, US
Posted: Wed Jun 17, 2009 7:22 pm Post subject:
install bind, make sure it's listening on at least localhost (should be ootb), start it, make resolv.conf point to 127.0.0.1.
This uses the root servers to get queries answered...
keep in mind, root servers really only can tell you where all the TLD parent domains are - there's nothing really on them except that.
EDIT: without using port 53 outgoing? out of luck unless you can VPN/etc. to a server elsewhere running DNS - or just run your own DNS server elsewhere on a port besides 53...
_________________
avatar: new version of logo - see topic 838248. Potentially still a WiP.
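An added example (not code from this thread, nor from BIND or dnsmasq) that addresses question 5 of the opening post and poly_poly-man's note about running an upstream resolver on a port other than 53. It sends a hand-built DNS query to each candidate resolver over UDP, keeps the ones that answer, and renders resolver configuration from the survivors. The resolver addresses are constructed placeholders from the documentation ranges. glibc's resolv.conf has no port syntax and reads at most three nameserver lines, so upstreams on other ports are written out for a local dnsmasq (server=addr#port), which then sits at 127.0.0.1 in the role poly_poly-man describes for BIND; glibc's own options rotate provides the round-robin over the port-53 entries.

```python
"""Probe a list of resolvers and render resolver configuration from the
ones that answer.  Added example; the resolver list is constructed from
documentation-range addresses, not real services."""
import random
import socket
import struct

# Constructed sample list: (address, port).  Documentation ranges only.
CANDIDATE_RESOLVERS = [
    ("192.0.2.10", 53),
    ("198.51.100.20", 5353),   # an upstream listening on a non-53 port
    ("203.0.113.30", 53),
]


def build_query(name, txid, qtype=1):
    """Build a minimal DNS query: RD set, one question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def response_rcode(data, txid):
    """RCODE of a reply to txid, or None if data is not a valid reply."""
    if len(data) < 12:
        return None
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:   # wrong transaction / not a response
        return None
    return flags & 0x000F


def probe_resolver(addr, port, name="example.com", timeout=2.0):
    """Send one query over UDP; True only if a NOERROR reply comes back."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (addr, port))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return False
    finally:
        sock.close()
    return response_rcode(data, txid) == 0


def working_resolvers(candidates, probe=probe_resolver):
    """Keep only the resolvers that answered; probe is injectable for tests."""
    return [(a, p) for a, p in candidates if probe(a, p)]


def render_resolv_conf(resolvers, rotate=0, max_entries=3):
    """glibc honours at most three nameserver lines and has no port syntax,
    so only port-53 resolvers go here; rotate chooses which ones lead and
    'options rotate' makes glibc round-robin between them."""
    usable = [a for a, p in resolvers if p == 53]
    if not usable:
        return "# no usable port-53 resolvers\n"
    shift = rotate % len(usable)
    ordered = usable[shift:] + usable[:shift]
    lines = ["nameserver %s" % a for a in ordered[:max_entries]]
    return "options rotate timeout:2 attempts:1\n" + "\n".join(lines) + "\n"


def render_dnsmasq_upstreams(resolvers):
    """dnsmasq's server=addr#port syntax reaches upstreams on any port;
    resolv.conf then points at the local dnsmasq on 127.0.0.1."""
    return "".join("server=%s#%d\n" % (a, p) for a, p in resolvers)


if __name__ == "__main__":
    ok = working_resolvers(CANDIDATE_RESOLVERS)
    print(render_resolv_conf(ok, rotate=1))
    print(render_dnsmasq_upstreams(ok))
```

Run it from cron with a different rotate value each time and write the two outputs to /etc/resolv.conf and a dnsmasq configuration snippet; the probe uses a fresh random transaction id per query and rejects replies whose id does not match, so a stray or spoofed packet is not mistaken for a working resolver. With BIND instead of dnsmasq, the equivalent upstream setting is forwarders { 198.51.100.20 port 5353; };.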
avx Advocate
Joined: 21 Jun 2004 Posts: 2152
Posted: Wed Jun 17, 2009 8:03 pm Post subject:
NeddySeagoon,
Quote: "There are sites like this that provide web based DNS lookup. Using that and making it transparent to a google hit list doesn't sound too hard."
What exactly do you mean by the 2nd sentence?
Quote: "To actually block access to sites, you have to block access by IP, which is the logical next step when everyone works around DNS blocking."
Yep, and that's also already in discussion. Our politicians don't have a clue at all and it's just not really possible to tell them that IP-based blocking could block thousands of pages. They want to block things like piratebay, because there can be something like cp and if someone investigates, they're upping some on their own. It's election time this year, so they'll do whatever the stupid people think will be positive.
poly_poly-man,
thanks, gonna look at bind the next days.
drescherjm Advocate
Joined: 05 Jun 2004 Posts: 2790 Location: Pittsburgh, PA, USA
avx Advocate
Joined: 21 Jun 2004 Posts: 2152
Posted: Wed Jun 17, 2009 8:19 pm Post subject:
Well, I've already got TOR running, not speedy but good enough. Conquering anonymity is already on the politicians' table, I'm waiting for another try to forbid (strong) cryptography (they already tried that a few times).
Fortunately, I just had a call with a friend in Canada, we'll set up some tunnels tomorrow, but still, other ideas are very welcome, especially ones which are easy to do and to maintain (for not so techy friends/parents).
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54798 Location: 56N 3W
Posted: Wed Jun 17, 2009 8:54 pm Post subject:
ph030,
To expand on my previous response ...
Let's say you are doing a google search and want to visit one of the sites google finds.
In the normal course of events, you click the link, DNS does its magic and your system uses the IP that's returned to load the site.
Only with the new laws in Germany DNS may fail.
To continue you can manually look up the IP of the site you want and browse to it with http://<IPAddress>, which will work until <IPAddress> is blocked. It's probably possible to automate this manual process, so it happens without you seeing it (transparent).
This way you get permitted DNS lookups over port 53 and blocked ones over port 80, after a port 53 lookup has failed.
The children will be the first to find the loopholes ... they know no fear and have a wonderful communications network. This law cannot succeed.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Wed Jun 17, 2009 9:11 pm Post subject:
NeddySeagoon wrote: "The children will be the first to find the loopholes ... they know no fear and have a wonderful communications network. This law cannot succeed."
And that's the point - but convince ignorant politicians about these two facts. Operation impossible.
In Germany we also call our leaders 'Internetausdrucker' (aka put that damn internet thing on paper so I 'understand') for a reason.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
xtz Apprentice
Joined: 29 Oct 2007 Posts: 181 Location: Singapore
Posted: Thu Jun 18, 2009 8:54 am Post subject:
NeddySeagoon wrote: "... To continue you can manually look up the IP of the site you want and browse to it with http://<IPAddress>, which will work until <IPAddress> is blocked. ..."
If the site uses an HTTP server that uses name-based virtual hosting, you are screwed. The HTTP server will rely on the browser's HTTP request for the name of the site (which in this case will be the IP address), and the best thing you can expect is to open the default virtual host set in the HTTP server's configuration.
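An added example (not code from this thread or from any particular web server) showing the behaviour xtz describes: a small name-based virtual host server that picks the site from the Host header the way Apache or nginx do, and falls back to the default site when the header carries an IP address or is missing. The host names and page bodies are constructed. demo() starts the server on a random loopback port and fetches once by bare IP and once with a name in the Host header, which is exactly what an /etc/hosts entry gives the browser.

```python
"""Why http://<IPAddress> reaches only the default virtual host.
Added example; host names and bodies are constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed name-based virtual hosts; DEFAULT_VHOST is what the server
# serves when it cannot match the Host header to a configured name.
VHOSTS = {
    "default.example.net": b"default site\n",
    "blog.example.net": b"the blog\n",
    "shop.example.net": b"the shop\n",
}
DEFAULT_VHOST = "default.example.net"


def select_vhost(host_header, vhosts=VHOSTS, default=DEFAULT_VHOST):
    """Choose the virtual host the way a name-based server does: drop the
    port, compare the name case-insensitively, and fall back to the default
    when the header is absent or holds an IP literal instead of a name."""
    if not host_header:
        return default
    name = host_header.split(":")[0].strip().lower()
    if name.startswith("["):          # bracketed IPv6 literal such as [::1]:80
        return default
    return name if name in vhosts else default


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = VHOSTS[select_vhost(self.headers.get("Host"))]
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def fetch(port, host_header=None):
    """GET / from the loopback server; http.client sends Host: 127.0.0.1:port
    unless we supply our own Host header, as a browser does after a hosts
    entry lets it keep using the site's name."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    body = conn.getresponse().read()
    conn.close()
    return body


def demo():
    """Start the server on a free port, fetch by IP and by name, return both."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        by_ip = fetch(port)                        # browsing to http://<IP>/
        by_name = fetch(port, "blog.example.net")  # browsing with a hosts entry
        return by_ip, by_name
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The by-IP request lands on the default site even though the blog is hosted on the same address, which is why nativemad's /etc/hosts suggestion below in the thread restores the name the server needs.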
nativemad Developer
Joined: 30 Aug 2004 Posts: 918 Location: Switzerland
Posted: Thu Jun 18, 2009 9:46 am Post subject:
Quote: "If the site uses an HTTP server that uses name-based virtual hosting, you are screwed. The HTTP server will rely on the browser's HTTP request for the name of the site (which in this case will be the IP address), and the best thing you can expect is to open the default virtual host set in the HTTP server's configuration."
This could be circumvented with an entry in /etc/hosts. I think that's what neddy wanted to tell us with his first post here.
I think that probably avahi or so (probably dnsmasq, for complete LANs) should/could be modified to act this way... (e.g.: get the resolving via wget or similar, if normal DNS fails). But that raises another topic: Do you trust the owner of that service?!?
It is really a shame what happens in Germany... I'm absolutely not affected (luckily, so far, over here), but I am proud that someone (a whole movement by now) stands up and raises their voice! Even if the majority of people don't get the point at all!
Stop Zensursula! <- I'll order a shirt, just to support the thing!
_________________
Power to the people!
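An added example (not code from this thread, nor from dnsmasq or avahi) of the transparent fallback NeddySeagoon sketches and nativemad wants automated: when the normal resolver fails, ask other sources for the address and pin the answer in /etc/hosts syntax so the browser keeps sending the real name. It also takes nativemad's trust question seriously: an answer from a fallback service is accepted only when at least two independent sources agree on it and the address is not in loopback, private or multicast space, so a single rogue service cannot quietly point a name at itself. The lookup functions and host names are constructed stand-ins so the module runs offline; the managed block markers are my own convention.

```python
"""Pin addresses obtained out-of-band when the normal resolver fails, but
only when two independent sources agree.  Added example with constructed
lookup functions; the marker lines are a convention of this example."""
import ipaddress

MARKER_BEGIN = "# BEGIN managed fallback entries"
MARKER_END = "# END managed fallback entries"

# A fallback service is not trusted blindly: answers in these ranges would
# redirect the name to the local machine or LAN and are rejected outright.
REJECTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]


def plausible_public_address(text):
    """True if text parses as an IP address outside the rejected ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(addr in net for net in REJECTED_NETWORKS)


def parse_hosts(text):
    """Parse /etc/hosts syntax into {name: address}; comments are ignored."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def load_pinned(text):
    """Entries inside the managed block of an /etc/hosts file, if any."""
    if MARKER_BEGIN not in text:
        return {}
    block = text.split(MARKER_BEGIN, 1)[1].split(MARKER_END, 1)[0]
    return parse_hosts(block)


def render_hosts(original_text, pinned):
    """Replace the managed block with pinned entries; the hand-written part
    of the file above the block is kept as it was."""
    head = original_text.split(MARKER_BEGIN, 1)[0].rstrip("\n")
    lines = ["%s %s" % (addr, name) for name, addr in sorted(pinned.items())]
    return "\n".join([head, MARKER_BEGIN] + lines + [MARKER_END]) + "\n"


def resolve_with_fallback(name, primary, fallbacks, pinned):
    """Order: pinned entry, primary resolver, then the fallback sources.
    A fallback answer is accepted only if two or more sources answered,
    they all agree, and the address is plausible; it is then pinned.
    Returns None when nothing trustworthy was found."""
    name = name.lower().rstrip(".")
    if name in pinned:
        return pinned[name]
    try:
        addr = primary(name)
    except OSError:            # resolver blocked, timed out or filtered
        addr = None
    if addr:
        return addr
    answers = []
    for lookup in fallbacks:
        try:
            answer = lookup(name)
        except OSError:
            continue
        if answer:
            answers.append(answer)
    if (len(answers) >= 2 and len(set(answers)) == 1
            and plausible_public_address(answers[0])):
        pinned[name] = answers[0]
        return answers[0]
    return None


# Constructed sample data: the primary resolver fails, two fallback sources
# agree on a documentation-range address, and a rogue source lies.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.7 pinned.example.org\n"


def failing_primary(name):
    raise OSError("resolver blocked")


def fallback_a(name):
    return {"blocked.example.org": "192.0.2.44"}.get(name)


def fallback_b(name):
    return {"blocked.example.org": "192.0.2.44"}.get(name)


def fallback_rogue(name):
    return "127.0.0.1"   # would hijack any name it is asked about


if __name__ == "__main__":
    pinned = load_pinned(SAMPLE_HOSTS)
    print(resolve_with_fallback("blocked.example.org", failing_primary,
                                [fallback_a, fallback_b], pinned))
    print(render_hosts(SAMPLE_HOSTS, pinned))
```

In a real deployment the fallback functions would wrap whatever out-of-band sources you choose (a web-based lookup page fetched with wget, a resolver reached through a tunnel); what matters is that they are operated by different parties, and that pinned entries are periodically re-checked, because NeddySeagoon's "most sites don't change their IP" holds only most of the time.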
xtz Apprentice
Joined: 29 Oct 2007 Posts: 181 Location: Singapore
Posted: Thu Jun 18, 2009 9:55 am Post subject:
Yes, an entry in /etc/hosts should do the trick. If you ask me, I'd go for the IPv6 tunnel... for whole networks, set up a tunnel on the gateway and route the traffic through it (I assume the free IPv6 tunnel providers have some bandwidth limits for those tunnels, so maybe it would be better to discuss the situation with them first, maybe even use a paid, hence better, service).