Today, large companies and public administrations hesitate between continuing to use proprietary software and switching to free software. Yet most free software can handle data produced by proprietary software well, sometimes with better compatibility.
So it is the barrier of getting started that frightens people, and yet...
Free software
The "free software" aspect allows rapid evolution and greater user participation. Help and tutorials abound on the Internet or are included directly in the software itself.
Finally, the designers are closer to the users, which makes free software more pleasant to use and more user-friendly.
Thanks to the availability of free software, you will easily find technical support services, and the licence is no longer an obstacle to the use of this software by your staff.
Our technical support mainly covers free software, whether as one-off services or as tutorials.
The service Sci-Hub is a great help for scientists, allowing them
to access a lot of scientific papers that were previously locked
behind paywalls. The publishing companies keep trying to censor
Sci-Hub and block access to this service, for instance by taking
down domain names, as happened a few days ago with sci-hub.io. If
you control your DNS resolver, you can easily restore access.
Sci-Hub's domain sci-hub.io was recently taken down. There are
several ways to still use Sci-Hub, such as "domain hopping" (using
another TLD such as sci-hub.bz) or using Tor (the address is
scihub22266oqcxt.onion). But there is one which does not seem to
have been publicly documented yet.
For the rest of the article, we will rely on a local DNS
resolver. ("local" does not imply it is on your own machine: it may
be on the local network. The important point is that you can
change its configuration.) A local resolver is a great tool
against DNS censorship. By default, it does not see Sci-Hub
domains (NXDOMAIN means "No Such Domain"). Let's test with dig:
% dig A sci-hub.io
; <<>> DiG 9.10.4 <<>> A sci-hub.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45356
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
...
;; QUESTION SECTION:
;sci-hub.io. IN A
...
;; Query time: 1408 msec
;; SERVER: ::1#53(::1)
...
OK, it failed, the domain being taken down. Let's configure our
local resolver to work around the problem. Sci-Hub has a public name server
that answers to the Sci-Hub domains. First, we'll be using the excellent
program Unbound. We just add in unbound.conf:
server:
    domain-insecure: "sci-hub.io"
forward-zone:
    name: "sci-hub.io"
    forward-addr: 80.82.77.83
    forward-addr: 80.82.77.84
and we restart Unbound and it works:
% dig A sci-hub.io
; <<>> DiG 9.10.3-P4-Debian <<>> A sci-hub.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22120
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sci-hub.io. IN A
;; ANSWER SECTION:
sci-hub.io. 3483 IN A 80.82.77.83
;; AUTHORITY SECTION:
sci-hub.io. 3483 IN NS ns1.sci-hub.cc.
sci-hub.io. 3483 IN NS ns2.sci-hub.cc.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 03 17:51:49 CET 2017
;; MSG SIZE rcvd: 101
We can now use all the interesting features of Sci-Hub. My favorite:
just add sci-hub.io at the end of the URL of a scientific article
you want and you get it. Imagine you're a medical researcher and you
work on venous thrombosis. You want to read "Prevalence and
Prevention of Deep Venous Thrombosis of the Lower Extremities in
High-Risk Pulmonary Patients" but it is behind a paywall. You
just add the Sci-Hub domain at the end, go to
http://ang.sagepub.com.sci-hub.bz/content/39/6/505.short.sci-hub.io
and it works! (By the way, this is one of the main reasons for the
well-deserved success of Sci-Hub: it is very convenient. It is not
just a matter of money if people use Sci-Hub.)
(DNS experts may discuss the use of forward-zone instead of
stub-zone. The Sci-Hub servers accept recursive requests so both
work. In my opinion, forward may be a bit more future-proof if the
authoritative name server changes its IP address but a recursor
stays in place at the old address.)
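The domain-insecure line in the Unbound stanza above tells Unbound to skip DNSSEC validation for that zone, so whatever the listed forwarders return is accepted unauthenticated. The audit script below is an added example, not part of the original article: it parses an unbound.conf and lists every forward or stub zone that falls under a domain-insecure entry. The sample configuration is constructed; the example.test and corp.example entries and the address 192.0.2.53 are placeholders.

```python
import re
# Constructed sample: the article's stanza plus two placeholder entries.
SAMPLE_CONF = '''
server:
    domain-insecure: "sci-hub.io"
    domain-insecure: "example.test"   # insecure, but not redirected anywhere
forward-zone:
    name: "sci-hub.io"
    forward-addr: 80.82.77.83
    forward-addr: 80.82.77.84
stub-zone:
    name: "corp.example"              # redirected, but still validated
    stub-addr: 192.0.2.53
'''

def _norm(name):
    """Lower-case a domain name, dropping quotes and the trailing dot."""
    return name.strip().strip('"').rstrip('.').lower()

def parse_unbound(text):
    """Return (insecure, zones); zones maps name -> {'kind', 'addrs'}."""
    insecure, zones, clause, current = set(), {}, None, None
    for raw in text.splitlines():
        line = re.sub(r'(^|\s)#.*', '', raw).strip()  # drop comments
        key, _, value = (part.strip() for part in line.partition(':'))
        if not key:
            continue
        if not value:                 # clause header such as "server:"
            clause, current = key, None
        elif clause == 'server' and key == 'domain-insecure':
            insecure.add(_norm(value))
        elif clause in ('forward-zone', 'stub-zone') and key == 'name':
            current = zones.setdefault(_norm(value), {'kind': clause, 'addrs': []})
        elif key in ('forward-addr', 'stub-addr') and current is not None:
            current['addrs'].append(value)
    return insecure, zones

def covered_by(name, insecure):
    """True if name equals, or is a subdomain of, a domain-insecure entry."""
    return any(d == '' or name == d or name.endswith('.' + d) for d in insecure)

def audit(text):
    """Redirected zones whose answers are accepted without validation."""
    insecure, zones = parse_unbound(text)
    return sorted((name, z['kind'], tuple(z['addrs']))
                  for name, z in zones.items() if covered_by(name, insecure))

if __name__ == '__main__':
    print(*audit(SAMPLE_CONF), sep='\n')
```

Each reported zone is one where the resolver trusts the listed addresses outright, so the list is worth reviewing whenever those addresses change.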
With Knot resolver, you just add a rule:
-- Sci-Hub
policy.add(policy.suffix(policy.STUB({'80.82.77.83', '80.82.77.84'}), policy.todnames({'sci-hub.io.'})))
to the configuration.
Doing the same with BIND is possible. Just put in its
configuration file (somewhere/named.conf):
zone "sci-hub.io" {
    type forward;
    forwarders {80.82.77.83; 80.82.77.84;};
};
But there is a big "but": if you validate the DNS answers with
DNSSEC (an excellent idea), this will be rejected since .io is
signed and can prove that sci-hub.io does not exist. You'll
get in your logs error messages such as "error (insecurity proof failed) resolving 'sci-hub.io/A/IN'".
The trick is to use the fact that 80.82.77.83 also allows DNS zone
transfers. You can therefore configure your BIND as a slave for
sci-hub.io. Once BIND is authoritative for this domain, it won't
check with DNSSEC:
zone "sci-hub.io" {
    type slave;
    masters {80.82.77.83; 80.82.77.84;};
};
Note: the option dnssec-must-be-secure addresses a different issue
and is not useful here.
I do not use dnsmasq but Canari Bleu does and says you have to add
server=/sci-hub.io/80.82.77.83
in dnsmasq.conf.
Of course, this hack is far from perfect. It doesn't
scale (imagine if there were dozens of
censored domains to make accessible this way). It's brittle (the
IP addresses can change without warning). But this sort of
imperfect workaround will become more and more common with the
increase of politically or business-motivated censorship.