EFForg / OpenWireless

The official home of the EFF OpenWireless Project

Feature Idea: DNS Fallback Tunnel over TOR #248

Open sarciszewski opened 9 years ago

sarciszewski commented 9 years ago

The ISP for Orlando, FL is BrightHouse, and some of my hacker friends tell me they like to block port 53 (DNS) whenever they observe "strange traffic" from one of their customers. This interferes even with people using OpenDNS or Google's DNS server.

I would like to propose a feature to help with mitigating this sort of malicious ISP behavior (though, I will say this now, I do not have the knowledge of how exactly to implement it, but I'm willing to help where possible): If DNS queries fail consistently for 30 seconds, fall back to tunneling DNS queries over...

  1. Tor, by default.
  2. OpenVPN, if configured.
  3. HTTP proxy, if configured.
  4. SOCKS proxy, if configured.

Questions:

  1. Do you think this is a good idea?
  2. Is this a viable solution to port 53 blocking?
  3. How difficult would this be to implement?
  4. Can we make it a standard feature for the OpenWireless router?

Thanks in advance.
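A sketch of the decision logic in the proposal above (30 seconds of consistent failure, then an ordered chain of tunnels, of which only Tor is unconditional), added here as an illustration and not part of OpenWireless or the commenter's work. The transport names, the `configured` dictionary and the injectable clock are assumptions, and the resolver backends are simulated, so the block only demonstrates the fallback state machine; it records every switch so that a change of resolver is never silent.

```python
"""Illustrative DNS fallback controller (not OpenWireless code).

The resolver itself is simulated: callers report whether each query
succeeded, and the controller decides which transport to use next.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Proposal: fall back only after DNS has failed consistently for 30 seconds.
FAILURE_WINDOW_SECONDS = 30.0

# Preference order from the proposal; "tor" is the unconditional default,
# the others are used only if the operator configured them (assumed setting).
FALLBACK_ORDER = ["tor", "openvpn", "http_proxy", "socks_proxy"]


@dataclass
class FallbackController:
    configured: Dict[str, bool] = field(default_factory=dict)
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    active: str = "direct"                          # current DNS transport
    failing_since: Optional[float] = None           # start of the current failure run
    transitions: List[Tuple[float, str, str]] = field(default_factory=list)

    def candidates(self) -> List[str]:
        """Tunnels eligible for fallback, in preference order."""
        return [n for n in FALLBACK_ORDER if n == "tor" or self.configured.get(n, False)]

    def next_transport(self) -> Optional[str]:
        """The transport after the active one, or None if the chain is exhausted."""
        chain = self.candidates()
        if self.active == "direct":
            return chain[0] if chain else None
        idx = chain.index(self.active)
        return chain[idx + 1] if idx + 1 < len(chain) else None

    def record(self, success: bool) -> str:
        """Report one query outcome; returns the transport to use from now on."""
        now = self.clock()
        if success:
            # Any success breaks the run: the failure must be *consistent*.
            self.failing_since = None
            return self.active
        if self.failing_since is None:
            self.failing_since = now
            return self.active
        if now - self.failing_since >= FAILURE_WINDOW_SECONDS:
            nxt = self.next_transport()
            if nxt is not None:
                # Log the switch so the change of resolver is visible, not silent.
                self.transitions.append((now, self.active, nxt))
                self.active = nxt
                self.failing_since = None
        return self.active


def simulate(events: List[Tuple[float, bool]], configured: Dict[str, bool]) -> List[str]:
    """Replay constructed (timestamp, success) outcomes through a fake clock.

    Returns the active transport after each event.
    """
    now = [0.0]
    ctl = FallbackController(configured=configured, clock=lambda: now[0])
    history = []
    for t, ok in events:
        now[0] = t
        history.append(ctl.record(ok))
    return history


if __name__ == "__main__":
    # Constructed sample: port 53 blocked at t=0, never recovers.
    outage = [(0, False), (10, False), (20, False), (29, False), (30, False),
              (31, False), (61, False), (62, False), (92, False), (100, True)]
    for t_ok, transport in zip(outage, simulate(outage, {"openvpn": True})):
        print(f"t={t_ok[0]:>3}s ok={t_ok[1]!s:<5} -> {transport}")
```

With only OpenVPN configured the chain is `direct -> tor -> openvpn`; the controller stays on the last tunnel once the chain is exhausted, and a single successful answer in the middle of a run resets the 30-second timer rather than counting toward it.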

jsha commented 9 years ago

I think this is potentially a cool idea for something on a client-side machine. I think it's not appropriate for the router to silently change DNS service for two reasons:

  1. It would cause mysterious and sporadic performance issues, both in the DNS fetch and in subsequent requests (because many large sites do load balancing based on the DNS resolver geolocation).
  2. It would be a security issue, since you are trusting the Tor exit node to not interfere with your DNS traffic. That trust is fine in the context of consciously using Tor in a separate browser context, but doing it transparently would be risky.

sarciszewski commented 9 years ago

"I think this is potentially a cool idea for something on a client-side machine." Yeah, but I suck at writing desktop software. :(

Rangak commented 9 years ago

While transparent fallback may not be appropriate on the router, see what can be done on the router to address this problem. Combine resolution of this issue with #282.