
Vixie: Taking back the DNS

Paul Vixie has posted an article introducing DNS response policy zones (DNS RPZ), a sort of blacklist mechanism for domain names. "ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market."
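The response-policy mechanism the article describes, modelled as an added example (not ISC's or BIND's code, and not from the article): a small policy-zone parser plus the lookup a filtering recursive resolver performs before handing back an answer. The record encodings follow the ones BIND documents for RPZ (CNAME "." for NXDOMAIN, CNAME "*." for NODATA, CNAME "rpz-passthru." to exempt a name, an A record for a local-data rewrite); the zone text, domain names and addresses are constructed samples, and the UPSTREAM table stands in for real recursion. The passthru record is the per-name override that lets an operator exempt a name from a subscribed feed's wildcard rule.

```python
"""Minimal model of response-policy-zone (RPZ) filtering in a recursive resolver.

Added example, not ISC/BIND code. Policy records use the encoding BIND's RPZ
documentation describes; the zone text, names and addresses below are
constructed samples, and UPSTREAM stands in for real recursive resolution.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

NXDOMAIN, NODATA, PASSTHRU, LOCAL_DATA = "NXDOMAIN", "NODATA", "PASSTHRU", "LOCAL_DATA"


@dataclass(frozen=True)
class Rule:
    owner: str                   # "phish.example" or "*.phish.example"
    action: str
    data: Optional[str] = None   # address served for LOCAL_DATA


@dataclass(frozen=True)
class Answer:
    rcode: str                   # "NOERROR" or "NXDOMAIN"
    addresses: Tuple[str, ...]
    policy_hit: Optional[str] = None   # owner of the rule that fired, if any


def parse_rpz(zone_text: str) -> list:
    """Parse 'owner TYPE rdata' lines of a policy zone into Rule objects."""
    rules = []
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split()
        owner = owner.rstrip(".").lower()
        if rtype == "CNAME":
            action = {".": NXDOMAIN, "*.": NODATA, "rpz-passthru.": PASSTHRU}[rdata]
            rules.append(Rule(owner, action))
        elif rtype == "A":
            rules.append(Rule(owner, LOCAL_DATA, rdata))
        else:
            raise ValueError(f"unsupported record type {rtype}")
    return rules


def _candidates(qname: str):
    """Exact owner first, then wildcard owners from most to least specific."""
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def match_rule(rules, qname: str) -> Optional[Rule]:
    by_owner = {r.owner: r for r in rules}
    for cand in _candidates(qname):
        if cand in by_owner:
            return by_owner[cand]
    return None


def resolve(upstream: dict, rules, qname: str) -> Answer:
    """Apply the policy to what upstream resolution would have returned."""
    qname = qname.rstrip(".").lower()
    real = Answer("NOERROR", upstream[qname]) if qname in upstream else Answer("NXDOMAIN", ())
    rule = match_rule(rules, qname)
    if rule is None:
        return real                                   # no policy: answer untouched
    if rule.action == PASSTHRU:
        return Answer(real.rcode, real.addresses, rule.owner)
    if rule.action == NXDOMAIN:
        return Answer("NXDOMAIN", (), rule.owner)
    if rule.action == NODATA:
        return Answer("NOERROR", (), rule.owner)
    return Answer("NOERROR", (rule.data,), rule.owner)   # LOCAL_DATA rewrite


# Constructed policy zone and stand-in upstream data (documentation addresses).
POLICY_ZONE = """
phish.example        CNAME .              ; NXDOMAIN the apex
*.phish.example      CNAME .              ; ...and every subdomain
ads.example          CNAME *.             ; NODATA: name exists, no addresses
login.good.example   CNAME rpz-passthru.  ; exempt one name from the rule below
*.good.example       A     192.0.2.1      ; walled-garden address for the rest
"""
RULES = parse_rpz(POLICY_ZONE)
UPSTREAM = {
    "www.phish.example": ("203.0.113.5",),
    "ads.example": ("203.0.113.9",),
    "login.good.example": ("198.51.100.7",),
    "cdn.good.example": ("198.51.100.8",),
    "news.example": ("198.51.100.20",),
}

if __name__ == "__main__":
    for q in ["www.phish.example", "ads.example", "login.good.example",
              "cdn.good.example", "news.example"]:
        print(q, resolve(UPSTREAM, RULES, q))
```

The exact owner is tried before any wildcard, which is what makes the passthru exemption for login.good.example win over the *.good.example rewrite; a feed subscriber who wants local control keeps such exemptions in a zone of their own.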

Interesting, but I think dangerous

Posted Aug 1, 2010 15:15 UTC (Sun) by dskoll (subscriber, #1630)

This is an interesting idea, but a bit dangerous, especially for people who rely on their ISP's name servers. I can see the mechanism being abused.

View from a desk at an ISP

Posted Aug 2, 2010 0:11 UTC (Mon) by gdt (subscriber, #6284)

[Not speaking for my employer]

Or perhaps it is a way for ISPs to correct the abuse of DNS by registrars who care not a jot for the social harm caused by domains they register as long as they are paid for those domains. They'd rather have 100 unverified domains at $10 than one verified real domain at $100 and they justify this on the grounds of lower prices. Interesting that the abuse that most concerned registrars was domain tasting, simply because the registrars were not being paid by the scammers and speculators.

Put bluntly, ISPs are sick and tired of the slow or lacking response of registrars to their reports of abuse and this technology takes the registrars out of that picture. Unlike registrars, ISPs have a monetary motivation to use the technology to benefit Internet users. Not only because if people think the ISP is abusing the technology they will change ISP. But because the current level of scams lowers Internet use, and thus the ISP's revenue.

Vixie: Taking back the DNS

Posted Aug 1, 2010 16:11 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

Very bad idea.

Blocking of undesirable sites should be done in browser, where it's possible to do user-editable whitelists and overrides.

DNS is absolutely inappropriate layer for this.

Vixie: Taking back the DNS

Posted Aug 1, 2010 16:21 UTC (Sun) by paulj (subscriber, #341)

There's no reason browsers couldn't make queries of DNS based *lists. I.e. DNS is just a convenient, widely-supported and implemented database technology.

Vixie: Taking back the DNS

Posted Aug 1, 2010 16:33 UTC (Sun) by tzafrir (subscriber, #11501)

It's already done in the browser. Which means browsers report a rich browsing history of yours to third parties who provide such services.

Vixie: Taking back the DNS

Posted Aug 1, 2010 16:42 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

Hm. That's a good argument.

However, I still think that using DNS for this does not look appropriate.

Vixie: Taking back the DNS

Posted Aug 1, 2010 18:04 UTC (Sun) by vonbrand (guest, #4458)

DNS is the appropriate technology for this: It is available, reachable, and usable.

What should be done is blacklists that the user subscribes to (perhaps directly in the browser), not some way for DNS servers to block stuff. The email blacklists work that way.

Vixie: Taking back the DNS

Posted Aug 1, 2010 18:34 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)

Now I agree with this idea. Thanks for clarifications!

Vixie: Taking back the DNS

Posted Aug 1, 2010 23:07 UTC (Sun) by gmaxwell (guest, #30048)

What Vixie is plugging, however, is largely support in bind for filtering responses in a recursive resolver.

A browser querying DNS blacklists isn't something that needs any additional development.

To me this really sounds like just a censorship / non-neutrality technology with a pretty bow on it and not at all a development which will advance user safety or personal control over your system and time on the internet.

Vixie: Taking back the DNS

Posted Aug 2, 2010 4:04 UTC (Mon) by russell (guest, #10458)

It is an appropriate technology if you want to add "not under end user control" to the list of attributes. I'm concerned infrastructure like this only makes mandatory internet filtering more achievable. Sounds like something the Australian government would be interested in.

Doesn't affect Australian internet censorship

Posted Aug 2, 2010 5:14 UTC (Mon) by ringerc (subscriber, #3071)

So long as the Australian Internet Filter is a whitelist, it'll never work.

Say they required ISPs to implement recursive DNS filtering using these dns-distributed blacklists as source material. And say that the blacklists were abused to cover more than malicious malware.

It'd be trivial to point a user's machine, a corporate domain, etc at a recursive resolver outside Australia. If ISPs were required to filter port 53 (the default DNS port), or actively filter anything that looked like a DNS request using DPI, it'd be similarly trivial to tunnel your DNS traffic to a hard-coded IP address using an existing VPN tech like IPSec, PPTP, etc or using a custom DNS proxy.

So long as you permit encryption, the filter won't work, it just poses somewhat of an inconvenience to legit users and those abusers stupid enough that they're not already using encrypted communication, tor, etc.

Pity Stephen Conroy (the minister in charge of the filter in Australia) is too stupid to tie his own shoes, let alone understand encryption, packet filtering, dns, black- and white-listing, Internet routing, or any of the other basics required to have any clue about Internet censorship technologies.

Anyway, the point is that this technology makes no difference to censorship systems. To be useful it has to be applied at ISP recursive DNS level, and all other means of resolving names to IP addresses (including DNS-over-HTTPS proxies) must be somehow blocked. That can't be done, and even if it could the method by which the blacklist was distributed to ISPs would make no difference. It could be DNS-distributed or a plain text file emailed every day.

Doesn't affect Australian internet censorship

Posted Aug 2, 2010 6:24 UTC (Mon) by dlang (subscriber, #313)

whitelists won't work because they are too hard to maintain.

blacklists won't work because they can't possibly block everything

however, the filtering doesn't have to work 100% to be a problem for people.

yes, people who really know what they are doing will always be able to get around it, but most of the general public doesn't know how to do that. The ISPs don't have to block port 53 because the users don't have any idea what DNS is and wouldn't know how to reconfigure their devices (which get configured via DHCP) to use a different DNS server.

Vixie: Taking back the DNS

Posted Aug 1, 2010 18:09 UTC (Sun) by wmf (subscriber, #33791)

Be careful when making such accusations; I don't think the browser blacklists work that way.

for some at least, yes

Posted Aug 1, 2010 21:11 UTC (Sun) by tialaramex (subscriber, #21167)

Actually the web censorship systems I've seen described look something like:

1. Is the site's IP address OK (on a whitelist)? If so, we're done
2. Otherwise, send the entire URI to a remote server for it to consider
3. If the remote server says it's OK then we're done
4. Otherwise, show a "blocked" message.

So visiting may not cause anything to be sent to the third party. But a visit to 4chan, even to look at cooking recipes (no really, the ck board is about cooking), will be sent to them.

Moreover, if Legit Co. use bulk web hosting and some fly-by-night porn site happened to use that IP address six months ago, probably your accesses to the Legit Co. site are being sent too.

for some at least, yes

Posted Aug 2, 2010 19:52 UTC (Mon) by pphaneuf (subscriber, #23480)

The Google Safebrowsing API doesn't have the browser send entire URIs to their remote servers. It works using digests of canonicalized URIs, so at worst, when requesting a full-length digest, they would only know you're accessing one of the many URIs represented by the list of digests sent back.
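The hash-prefix lookup pphaneuf describes, as an added example that is not part of the thread and is neither Google's code nor its exact wire format: the client canonicalizes the URL, expands it into the host-suffix/path-prefix expressions a Safe Browsing client checks, hashes each with SHA-256 and compares 4-byte prefixes against a list it already holds locally. Only a matching prefix is ever sent to the server (modelled in-process here), which replies with every full digest sharing that prefix, so the server learns at most that the visit was to one of the URLs behind that prefix. The blocklist entries, the sample URLs and the prefix length are constructed or assumed for the example.

```python
"""Hash-prefix URL lookup in the style pphaneuf describes for Safe Browsing.

Added example: not Google's code and not its exact wire format. The server is
modelled in-process, the blocklist is a constructed sample, and the 4-byte
prefix length and canonicalization rules are assumptions chosen to mirror the
published Safe Browsing design.
"""
import hashlib
from urllib.parse import urlsplit, unquote

PREFIX_LEN = 4          # bytes of the digest the client reveals to the server


def canonicalize(url: str) -> str:
    """Lower-case host, strip trailing dots and fragment, resolve ./.. segments."""
    parts = urlsplit(url.strip())
    host = unquote(parts.hostname or "").lower().strip(".")
    raw_path = unquote(parts.path) or "/"
    segs = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and raw_path.endswith("/"):
        path += "/"
    return host + path + ("?" + parts.query if parts.query else "")


def lookup_expressions(canon: str) -> list:
    """Host suffixes x path prefixes, as a Safe Browsing client expands a URL."""
    host, _, tail = canon.partition("/")
    path, _, query = ("/" + tail).partition("?")
    hosts = [host]
    labels = host.split(".")
    if not host.replace(".", "").isdigit():        # no suffixes for IPv4 literals
        for n in range(min(5, len(labels) - 1), 1, -1):
            hosts.append(".".join(labels[-n:]))
    paths = [path + "?" + query] if query else []
    paths.append(path)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]
    for i in range(min(4, len(dirs) + 1)):          # "/", "/a/", "/a/b/", ...
        prefix = "/" + "/".join(dirs[:i]) + ("/" if i else "")
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


def digest(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


# Constructed sample blocklist: the server holds full digests.
BLOCKED_EXPRESSIONS = ["phish.example/login/", "malware.example/"]
SERVER_FULL_HASHES = {digest(e) for e in BLOCKED_EXPRESSIONS}
# What the client downloads in bulk: prefixes only. No server contact happens
# until one of them matches a visited URL.
CLIENT_PREFIX_LIST = {h[:PREFIX_LEN] for h in SERVER_FULL_HASHES}


def server_full_hashes(prefixes) -> list:
    """Server side: answer a prefix query with every full digest sharing it.
    The prefixes are all the server ever learns about the visited URL."""
    wanted = set(prefixes)
    return [h for h in SERVER_FULL_HASHES if h[:PREFIX_LEN] in wanted]


def check_url(url: str):
    """Client side. Returns (is_blocked, prefixes_sent_to_server)."""
    hashes = {digest(e) for e in lookup_expressions(canonicalize(url))}
    hits = sorted({h[:PREFIX_LEN] for h in hashes} & CLIENT_PREFIX_LIST)
    if not hits:
        return False, []                  # clean URL: nothing leaves the client
    full = server_full_hashes(hits)        # the only request the server sees
    return any(h in full for h in hashes), hits


if __name__ == "__main__":
    for u in ["http://PHISH.example/login/index.html?x=1",
              "http://news.example/recipes/cake.html"]:
        print(u, check_url(u))
```

The privacy property rests on the local prefix list: a URL whose expressions share no prefix with the list never triggers a request at all, and when one does, the server cannot distinguish the visited URL from any other whose expression hashes to the same 4-byte prefix.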

for some at least, yes

Posted Aug 5, 2010 14:21 UTC (Thu) by pcampe (guest, #28223)

AFAIK, this is the architecture they are (were?) using in UK to filter on national scale.

not limited to browser

Posted Aug 1, 2010 18:09 UTC (Sun) by kh (subscriber, #19413)

Why limit it to just the browser, I would welcome it for smtp, email content filters, and website comment spam filters as well.

Vixie: Taking back the DNS

Posted Aug 1, 2010 20:46 UTC (Sun) by raven667 (subscriber, #5198)

This seems like a good, practical, idea. The downsides are similar to the current RBL situation for SMTP in that there are hundreds or thousands of blacklists that people/organizations subscribe to in the real world, most of which are very easy to get into and difficult to get off of. I run into that problem with some of the outsourced mail scanning servers I run: spam that gets through gets flagged by customers on whatever RBL they happen to subscribe to (usually one I've never heard of) and then they no longer receive mail through the scanning system they are paying for. If people were blocking DNS in the same way I could see it affecting our whole organization, but we can just segment off the likely blacklisting candidates to their own zone, which will compartmentalize the problem.

I think that as long as your ISP allows you to resolve DNS yourself or using a third party recursive resolver things should be fine; you can easily change if you don't like your ISP's policies and the blacklists they subscribe to. These days we may need to codify this into law (network neutrality) as we can no longer rely on a laissez-faire attitude from the ISPs.

As a practical matter this kind of blocking will be good in most cases as it gives similar protection to the malware blocking present in current web browsers, but for the entire system regardless of the software (tv, phone, computer, pad, game, etc.).

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds