Re: Bind and blacklist IP file

2010-10-13 Thread Michael Sinatra

On 10/13/10 03:24, Andrey G. Sergeev wrote:
> Hello David,
>
> Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote:
>
>>   On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
>>> Hello Alans,
>>>
>>> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>>>
>>>> Why not? OpenDNS is a good example i think.
>>> Good example? Was it a joke? Do the traceroute on IP addresses of
>>> the two OpenDNS resolvers and you'll find that they both are behind
>>> the same router. Do you still trust the OpenDNS people who advertise
>>> their service as reliable?
>>
>> You are kidding right?  ...or was this post a joke?
>
> Not at all.
>
>> OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast
>
> Thanks, I know what anycast is and about the fact that OpenDNS uses it.
> Besides of all that it still seems strange that *both* of their public
> resolvers are behind the *same* router (peer1.rtr1.ams.opendns.com
> [195.69.144.88] for me).


It doesn't seem strange when you think about it.  Because anycast 
already deals with the routing issue, your claim that having two systems 
behind the same router leads to unreliability is effectively countered. 
 Moreover, for global anycast services (such as OpenDNS), you need a 
larger covering prefix to carry the routes in BGP.  In the case of 
OpenDNS, it is 208.67.222.0/24.  To place the two instances at different 
PoPs, you would need two covering prefixes, which is a waste.  For what 
you appear to be concerned about, OpenDNS could simply use one address 
for its service.


The reason to include a second address within the same prefix is for 
non-routing issues, such as a hardware failure on the nameserver itself 
where, for some reason, that anycast instance doesn't get taken out of 
routing.  The second address could be placed on a separate cluster in 
the same PoP, so that the normal resolver failover could work properly 
until the problem is corrected.  Having a second address within the same 
PoP is an additional layer of protection, especially if it's running on 
different hardware.


See, for example:

http://www.pch.net/resources/papers/ipv4-anycast/ipv4-anycast.pdf
http://www.pch.net/resources/papers/dns-service-architecture/dns-service-architecture-v11.pdf
http://ftp.isc.org/isc/pubs/tn/isc-tn-2003-1.html (especially section 5)

As to the question of whether it is a good idea to do this type of 
blacklisting in the DNS, that train has left the station already.  This 
sort of thing is already being implemented in an ad-hoc way in a lot of 
organizations.  Better to have a standard method for doing it (RPZ) than 
ad-hoc, as you're less likely to run into the kinds of unpredictable 
glitches that you are concerned about.


michael
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Bind and blacklist IP file

2010-10-13 Thread Kalman Feher



On 13/10/10 12:13 PM, "Andrey G. Sergeev"  wrote:

> Hello Alans,
> 
> 
> Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:
> 
>> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>>> Hello Ian,
>>> 
>>> 
>>> Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>>> 
>>>>> Ok, but you can always browse by IP address and in this case
>>>>> there is no DNS server that can stop you from browsing what you
>>>>> want.
>>>>
>>>> Vaguely related, are host headers - a lot of webservers share an
>>>> IP address/many IP addresses and use host headers to 'display' the
>>>> correct website.
>>>>
>>>> You wouldn't be able to browse a particular website hosted in this
>>>> fashion, by IP address.
>>> 
>>> If you know the website domain and the corresponding IP address and
>>> if your ISP prevents you from accessing this website by timing out
>>> or tampering DNS query results you can always put the entry like
>>> 
>>> 192.168.10.20   www.domain.tld.
>>> 
>>> to your hosts file and access the site.
>>> 
>>> This technique is also in use when someone needs to access the site
>>> which is on a not delegated domains.
>>> 
>> Even this way, you should know all the IP of subdomains to work
>> properly. Try it for facebook, open homepage fine but once you login
>> it will fail.
> 
> If you can query at least one of the authoritative NS for the domain in
> question then you would have no problems determining the IP addresses
> you might need.
> 
The straightforward answer to the original question is that BIND RPZ
features will allow you to isolate domains as requested. Noting that this is
_just_ DNS and as others have mentioned, that's hardly a solid wall of
unavailability for your blacklisted sites.


>> Another thing, we are talking about a technical person, for other
>> users they don't know about hosts file or they don't have access to
>> change it even if they know about it.
> 
> Sure but please don't forget about the average level of computer skills
> of the audience the most "underground" sites have.


 

-- 
Kal Feher 



Re: Bind and blacklist IP file

2010-10-13 Thread Andrey G. Sergeev
Hello David,


Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote:

>   On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Alans,
>>
>>
>> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>>
>>> Why not? OpenDNS is a good example i think.
>> Good example? Was it a joke? Do the traceroute on IP addresses of
>> the two OpenDNS resolvers and you'll find that they both are behind
>> the same router. Do you still trust the OpenDNS people who advertise
>> their service as reliable?
> 
> You are kidding right?  ...or was this post a joke?

Not at all.

> OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Thanks, I know what anycast is and about the fact that OpenDNS uses it.
Besides of all that it still seems strange that *both* of their public
resolvers are behind the *same* router (peer1.rtr1.ams.opendns.com
[195.69.144.88] for me).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-13 Thread Andrey G. Sergeev
Hello Alans,


Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:

> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Ian,
>>
>>
>> Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>>
>>>> Ok, but you can always browse by IP address and in this case
>>>> there is no DNS server that can stop you from browsing what you
>>>> want.
>>>
>>> Vaguely related, are host headers - a lot of webservers share an
>>> IP address/many IP addresses and use host headers to 'display' the
>>> correct website.
>>>
>>> You wouldn't be able to browse a particular website hosted in this
>>> fashion, by IP address.
>>
>> If you know the website domain and the corresponding IP address and
>> if your ISP prevents you from accessing this website by timing out
>> or tampering DNS query results you can always put the entry like
>>
>> 192.168.10.20   www.domain.tld.
>>
>> to your hosts file and access the site.
>>
>> This technique is also in use when someone needs to access the site
>> which is on a not delegated domains.
>>
> Even this way, you should know all the IP of subdomains to work
> properly. Try it for facebook, open homepage fine but once you login
> it will fail.

If you can query at least one of the authoritative NS for the domain in
question then you would have no problems determining the IP addresses
you might need.

> Another thing, we are talking about a technical person, for other
> users they don't know about hosts file or they don't have access to
> change it even if they know about it.

Sure but please don't forget about the average level of computer skills
of the audience the most "underground" sites have.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-12 Thread Sam Wilson
In article ,
 Alans  wrote:

> [ Norwegian Gov vs ISPs, banning domains, and inserting local host
>entries to subvert such a ban ]
>
> Even this way, you should know all the IP of subdomains to work 
> properly. Try it for facebook, open homepage fine but once you login it 
> will fail.
> Another thing, we are talking about a technical person, for other users
> they don't know about hosts file or they don't have access to change it
> even if they know about it.

So there's a market opportunity for someone with half a clue to help out 
his "friends".

Sam


Re: Bind and blacklist IP file

2010-10-12 Thread Alans

On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
> Hello Ian,
>
> Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:
>
>>> Ok, but you can always browse by IP address and in this case there
>>> is no DNS server that can stop you from browsing what you want.
>>
>> Vaguely related, are host headers - a lot of webservers share an IP
>> address/many IP addresses and use host headers to 'display' the
>> correct website.
>>
>> You wouldn't be able to browse a particular website hosted in this
>> fashion, by IP address.
>
> If you know the website domain and the corresponding IP address and if
> your ISP prevents you from accessing this website by timing out or
> tampering DNS query results you can always put the entry like
>
> 192.168.10.20   www.domain.tld.
>
> to your hosts file and access the site.
>
> This technique is also in use when someone needs to access the site
> which is on a not delegated domains.

Even this way, you should know all the IP of subdomains to work
properly. Try it for facebook, open homepage fine but once you login it
will fail.
Another thing, we are talking about a technical person, for other users
they don't know about hosts file or they don't have access to change it
even if they know about it.


regards.


Re: Bind and blacklist IP file

2010-10-12 Thread Andrey G. Sergeev (AKA Andris)
Hello Ian,


Tue, 12 Oct 2010 10:54:19 +0100 "Ian Tait" wrote:

>> Ok, but you can always browse by IP address and in this case there
>> is no DNS server that can stop you from browsing what you want.
> 
> Vaguely related, are host headers - a lot of webservers share an IP
> address/many IP addresses and use host headers to 'display' the
> correct website.
> 
> You wouldn't be able to browse a particular website hosted in this
> fashion, by IP address.

If you know the website domain and the corresponding IP address and if
your ISP prevents you from accessing this website by timing out or
tampering DNS query results you can always put the entry like

192.168.10.20   www.domain.tld.

to your hosts file and access the site.

This technique is also in use when someone needs to access the site
which is on a not delegated domains.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


RE: Bind and blacklist IP file

2010-10-12 Thread Ian Tait
 

-----Original Message-----
From: bind-users-bounces+ian.t=thoughtbubble@lists.isc.org
[mailto:bind-users-bounces+ian.t=thoughtbubble@lists.isc.org] On
Behalf Of Nuno Paquete
Sent: 11 October 2010 19:45
To: sth...@nethelp.no
Cc: bind-users@lists.isc.org; uh...@fantomas.sk
Subject: Re: Bind and blacklist IP file



> Ok, but you can always browse by IP address and in this case there is
> no DNS server that can stop you from browsing what you want.

Vaguely related, are host headers - a lot of webservers share an IP
address/many IP addresses and use host headers to 'display' the correct
website.

You wouldn't be able to browse a particular website hosted in this
fashion, by IP address.

Ian



Re: Bind and blacklist IP file

2010-10-11 Thread David Miller

On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
> Hello Alans,
>
> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>
>> Why not? OpenDNS is a good example i think.
>
> Good example? Was it a joke? Do the traceroute on IP addresses of the
> two OpenDNS resolvers and you'll find that they both are behind the
> same router. Do you still trust the OpenDNS people who advertise their
> service as reliable?

You are kidding right?  ...or was this post a joke?

OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Here is a DNS Stuff Vector Trace for 208.67.222.222 (one of OpenDNS'
resolvers):

http://www.dnsstuff.com/tools/vectortrace?ip=208.67.222.222&token=26314c5ba0c8ae4e2c32430c19d55018

Note that end points are very local to the widely spread start points.

From any one location an IP Anycast service will appear to be very
local.  That is the point.

> P.S. Please don't top-post - this breaks the logic of the discussion
> thread. Thank you.
>
>> regards,
>> Alans
>>
>> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>>> On 11.10.10 14:16, Alans wrote:
>>>> Thanks Dave, yes i know about OpenDNS, I'm trying to implement
>>>> something kind of similar to that in a small scale.
>>>> So i was wondering about Bind dns capabilities and may be third
>>>> party stuffs that could integrate with bind dns in addition to the
>>>> ip/website list.
>>>
>>> This is NOT something BIND (or any DNS server) should do. Blocking
>>> web sites is business for web proxies, firewalls etc. Doing this
>>> stuff at DNS level could lead to many surprises.



--
-___
David Miller
Tiggee LLC
dmil...@tiggee.com



Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Alans,


Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:

> Why not? OpenDNS is a good example i think.

Good example? Was it a joke? Do the traceroute on IP addresses of the
two OpenDNS resolvers and you'll find that they both are behind the
same router. Do you still trust the OpenDNS people who advertise their
service as reliable?

P.S. Please don't top-post - this breaks the logic of the discussion
thread. Thank you.

> regards,
> Alans
> 
> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>> On 11.10.10 14:16, Alans wrote:
>>> Thanks Dave, yes i know about OpenDNS, I'm trying to implement
>>> something kind of similar to that in a small scale.
>>> So i was wondering about Bind dns capabilities and may be third
>>> party stuffs that could integrate with bind dns in addition to the
>>> ip/website list.
>>
>> This is NOT something BIND (or any DNS server) should do. Blocking
>> web sites is business for web proxies, firewalls etc. Doing this
>> stuff at DNS level could lead to many surprises.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Steinar,


Mon, 11 Oct 2010 19:38:54 +0200 (CEST) sth...@nethelp.no wrote:

> Unfortunately, in some countries you may be required to do so. The
> example I know best is, naturally, Norway.
> 
> In Norway we have what is basically a government requirement for ISPs
> to block child porn domains, using a list supplied by the police. A
> decent description of the system, for those of you with a reading
> knowledge of Norwegian, is here:
> 
> http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

Would you please describe in brief for those who don't read in
Norwegian the methods the major Norwegian ISPs use to block the CP
domains?


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Kevin Darcy

On 10/11/2010 2:44 PM, Nuno Paquete wrote:
> Ok, but you can always browse by IP address and in this case there is
> no DNS server that can stop you from browsing what you want.
> If you want to block IP address access you have to use firewall, or if
> you are talking about http traffic and have a proxy, maybe you have to
> block there. That's why I completely agree this should not be blocked
> at DNS level.

To nitpick: address-block-based filtering *could* be implemented in DNS.
The same mechanisms that are used to prevent "rebinding" attacks -- e.g.
BIND's *deny-answer-addresses* -- could theoretically be repurposed to
strip addresses in certain "banned" ranges from DNS responses. Arguably
this is a misuse/abuse of the feature.





- Kevin



Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello  Matus,


Mon, 11 Oct 2010 18:37:43 +0200 Matus UHLAR - fantomas wrote:

> On 11.10.10 14:16, Alans wrote:
>> Thanks Dave, yes i know about OpenDNS, I'm trying to implement
>> something kind of similar to that in a small scale.
>> So i was wondering about Bind dns capabilities and may be third
>> party stuffs that could integrate with bind dns in addition to the
>> ip/website list.
> 
> This is NOT something BIND (or any DNS server) should do. Blocking
> web sites is business for web proxies, firewalls etc. Doing this
> stuff at DNS level could lead to many surprises.

Strongly agreed. And doing this brainf***ing stuff could lead to an
unpredictable glitches too.

"Render unto Caesar the things which are Caesar's, and unto God the
things that are God's" (Matthew 22:21).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Nuno Paquete

Hi.

> This is NOT something BIND (or any DNS server) should do. Blocking
> web sites is business for web proxies, firewalls etc. Doing this stuff
> at DNS level could lead to many surprises.

I definitely agree with this.

> In Norway we have what is basically a government requirement for ISPs
> to block child porn domains, using a list supplied by the police.

Ok, but you can always browse by IP address and in this case there is
no DNS server that can stop you from browsing what you want.
If you want to block IP address access you have to use firewall, or if
you are talking about http traffic and have a proxy, maybe you have to
block there. That's why I completely agree this should not be blocked
at DNS level.


Nuno Paquete


Re: Bind and blacklist IP file

2010-10-11 Thread sthaug
> > Thanks Dave, yes i know about OpenDNS, I'm trying to implement something
> > kind of similar to that in a small scale.
> > So i was wondering about Bind dns capabilities and may be third party  
> > stuffs that could integrate with bind dns in addition to the ip/website  
> > list.
> 
> This is NOT something BIND (or any DNS server) should do. Blocking web sites
> is business for web proxies, firewalls etc. Doing this stuff at DNS level
> could lead to many surprises.

Unfortunately, in some countries you may be required to do so. The
example I know best is, naturally, Norway.

In Norway we have what is basically a government requirement for ISPs
to block child porn domains, using a list supplied by the police. A
decent description of the system, for those of you with a reading
knowledge of Norwegian, is here:

  http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

This blocking is *in theory* voluntary - however, the government has
made it quite clear that unless a "sufficiently high" number of the
bigger ISPs agree to such blocking, the government will introduce laws
which *require* the ISPs to do it. So much for voluntary.

Of course, all this will do is prevent accidental surfing to domains
on the list. Anybody who *wants* this content can simply run his own
name server - and escape the blocking. So much for effectiveness.

Oh yeah, there are also the usual problems of collateral damage, no
well defined process around the maintenance of the list, etc. The four
criteria proposed in this article:

 http://www.theregister.co.uk/2009/01/13/internet_regulation/

have clearly not been in the minds of the police / politicians that
introduced the system.

Steinar Haug, Nethelp consulting, sth...@nethelp.no




Re: Bind and blacklist IP file

2010-10-11 Thread Alans

Why not? OpenDNS is a good example i think.
Also, i think as mentioned in Kal's email, DNS RPZ from isc is an 
approach to implement these functionalities at DNS level.


We want to give individuals/customers access to their account to block 
what they want to block, something similar to OpenDNS but in a small scale.


regards,
Alans

On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
> On 11.10.10 14:16, Alans wrote:
>> Thanks Dave, yes i know about OpenDNS, I'm trying to implement something
>> kind of similar to that in a small scale.
>> So i was wondering about Bind dns capabilities and may be third party
>> stuffs that could integrate with bind dns in addition to the ip/website
>> list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking web sites
> is business for web proxies, firewalls etc. Doing this stuff at DNS level
> could lead to many surprises.




Re: Bind and blacklist IP file

2010-10-11 Thread Matus UHLAR - fantomas
On 11.10.10 14:16, Alans wrote:
> Thanks Dave, yes i know about OpenDNS, I'm trying to implement something
> kind of similar to that in a small scale.
> So i was wondering about Bind dns capabilities and may be third party  
> stuffs that could integrate with bind dns in addition to the ip/website  
> list.

This is NOT something BIND (or any DNS server) should do. Blocking web sites
is business for web proxies, firewalls etc. Doing this stuff at DNS level
could lead to many surprises.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Re: Bind and blacklist IP file

2010-10-11 Thread Lyle Giese
Alans wrote:
> Hello,
>
> Is it possible for bind dns to check the queries, if the returned answer
> is existed in a file that contains blacklisted IPs then block it?
>
> One more thing, from where we can get/buy updated lists of categorized
> IPs/websites,
> like Gaming, Porn, Social...?
>
> Thanks,
> Alans
>
>
>
You really need a web proxy with filtering software (like squidGuard) and
some block lists to do this.

http://www.squidguard.org/blacklists.html


Re: Bind and blacklist IP file

2010-10-11 Thread Alans
Thanks Dave, yes i know about OpenDNS, I'm trying to implement something
kind of similar to that in a small scale.
So i was wondering about Bind dns capabilities and may be third party 
stuffs that could integrate with bind dns in addition to the ip/website 
list.


regards,
Alans

On 10/11/2010 02:06 PM, David Peall wrote:
> Have you looked at:
> http://www.opendns.com/
>
> --
> Dave
>
> On 11 October 2010 13:02, Alans  wrote:
>
>>   Hello,
>>
>> Is it possible for bind dns to check the queries, if the returned answer
>> is existed in a file that contains blacklisted IPs then block it?
>>
>> One more thing, from where we can get/buy updated lists of categorized
>> IPs/websites,
>> like Gaming, Porn, Social...?
>>
>> Thanks,
>> Alans





Re: Bind and blacklist IP file

2010-10-11 Thread Kalman Feher



On 11/10/10 1:02 PM, "Alans"  wrote:

> 
>   Hello,
> 
> Is it possible for bind dns to check the queries, if the returned answer
> is existed in a file that contains blacklisted IPs then block it?
 
DNS RPZ may do what you want.

There is a patch on the isc.org website for 9.4, 9.6 and 9.7.1-P2
Described in further detail here:
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
and here:
http://www.isc.org/community/blog/201007/taking-back-dns-0

> One more thing, from where we can get/buy updated lists of categorized
> IPs/websites,
> like Gaming, Porn, Social...?
> 
> Thanks,
> Alans
> 
> 
> 

-- 
Kal Feher 
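
One way to turn the blacklist file from the original question into an RPZ zone, as suggested in this reply and in Michael Sinatra's; this is an added example, not part of the thread and not ISC code. The file format, function names and sample entries are assumptions, the `rpz-ip` triggers need a BIND release whose RPZ support includes them, and IPv6 entries are reported rather than converted.

```python
import ipaddress
import re

# Constructed sample blacklist (not from the thread). One entry per line:
# an IPv4 address, an IPv4 CIDR range, or a domain (optionally "*." wildcard).
SAMPLE_BLACKLIST = """\
# constructed sample data
192.0.2.15
198.51.100.0/24
198.51.100.7        # already covered by the /24 above
203.0.113.9/30      # host bits set; normalised to 203.0.113.8/30
bad.example.
*.ads.example
2001:db8::1
not_a_valid entry
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
NXDOMAIN = "CNAME ."  # RPZ action that makes the resolver answer NXDOMAIN


def rpz_ip_owner(net):
    """IPv4 network -> rpz-ip trigger owner: prefixlen.B4.B3.B2.B1.rpz-ip"""
    octets = str(net.network_address).split(".")
    return ".".join([str(net.prefixlen)] + octets[::-1] + ["rpz-ip"])


def qname_owner(entry):
    """Validate a domain entry and return it as a zone-relative owner name."""
    name = entry.lower().rstrip(".")
    labels = name.split(".")
    body = labels[1:] if labels[0] == "*" else labels
    if not body or not all(LABEL.match(label) for label in body):
        raise ValueError("not a domain name")
    return name


def build_rpz_zone(blacklist_text, serial=1):
    """Return (zone_text, rejected_entries) for a blacklist file's contents."""
    nets, names, rejected = [], [], []
    for raw in blacklist_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # not an address or range; try it as a domain
        try:
            if net is None:
                names.append(qname_owner(entry))
            elif net.version == 4:
                nets.append(net)
            else:
                raise ValueError("IPv6 not handled in this example")
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    lines = [
        "$TTL 300",
        f"@ SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    # QNAME triggers: match the name being asked for.
    lines += [f"{n} {NXDOMAIN}" for n in sorted(set(names))]
    # rpz-ip triggers: match A records in the answer; overlapping ranges merged.
    lines += [f"{rpz_ip_owner(n)} {NXDOMAIN}"
              for n in ipaddress.collapse_addresses(nets)]
    return "\n".join(lines) + "\n", rejected


if __name__ == "__main__":
    zone, rejected = build_rpz_zone(SAMPLE_BLACKLIST)
    print(zone)
    for entry, why in rejected:
        print(f"; skipped {entry!r}: {why}")
```

The output is meant to be loaded as a master zone that is named in a `response-policy` statement. As the thread notes, it only affects clients that resolve through that server.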



Bind and blacklist IP file

2010-10-11 Thread Alans

 Hello,

Is it possible for bind dns to check the queries, if the returned answer
is existed in a file that contains blacklisted IPs then block it?

One more thing, from where we can get/buy updated lists of categorized 
IPs/websites,
like Gaming, Porn, Social...?

Thanks,
Alans


