itojun

2023-10-29 Thread Randy Bush
this day in 2007 dr jun-ichiro (itojun) hagino died.  a gentle soul, an
engineer's engineer, the ipv6 samurai, iab member, and fiat 500 lover.
the v6 stack you're running could have descended from his netbsd one.

http://www.itojun.org/

randy


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread Glenn Kelley
I agree it actually is wise for them to offer a filtered service for those
that want it, but opt-in for sure.

On Fri, Oct 27, 2023, 12:35 PM Bryan Fields  wrote:

> On 10/27/23 7:49 AM, John Levine wrote:
> > But for obvious good reasons,
> > the vast majority of their customers don't
>
> I'd argue that as a service provider deliberately messing with DNS is an
> obvious bad thing.  They're there to deliver packets.
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
>
>


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread Tom Beecher
>
> DNS isn’t the right place to attack this, IMHO.
>
...

> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.


Not much different from IP Geolocation. Probably not the right solution to
many things, but people do it anyways, often causing problems where people
don't know where to go to complain.


On Fri, Oct 27, 2023 at 10:14 PM Owen DeLong via NANOG wrote:

> >> DNS isn’t the right place to attack this, IMHO.
> >
> > Why not (apart from a purity argument), and where should it happen
> instead? As others pointed out, network operators have a vested interest in
> protecting their customers from becoming victims to malware.
>
>
> Takedowns of the hostile target sites.
>
> You dismiss the purity argument, but IMHO, there’s merit to the purity
> argument.
>
> Any such DNS filtration, if provided, should be provided on an opt-in
> basis, not as a default.
>
> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.
>
> Owen
>
>


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that   said:
>* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
>>If it’s such a reasonable default, why don’t any of the public 
>>resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>
>It's generally a service that's offered for money. Quad9 definitely 
>offer it: https://www.quad9.net/service/threat-blocking

Not really for money.  Quad9, Cloudflare, and OpenDNS provide filtered DNS for 
free.

There are expensive versions for enterprise networks but there's
plenty of malware filtering DNS for users.

I'm with you about the purity argument. While it certainly would be
possible to use DNS filtering for political reasons (the "family
friendly" versions arguably do that), the amount of malware and phish
is a large and real threat.

By the way, don't miss Interisle's new report on the cybercrime
supply chain.  They (we, actually) found five million domains
used in crime, of which at least a million were registered only to do crime.

https://interisle.net/CybercrimeSupplyChain2023.html

R's,
John




Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that Michael Thomas  said:
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>
>How does this line up with DoH? Aren't they using hardwired resolver 
>addresses? I would hope they are not doing anything heroic.

Generally, no.  I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.

At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox.  Firefox responded with a lame hack
where you can tell your cache to respond to some name, and if it does,
Firefox will use your resolver.

R's,
John


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John R. Levine

> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

Oh my, you walked right into that one.

https://www.quad9.net/service/threat-blocking/

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

I'm also surprised nobody seems familiar with Vixie's Response Policy 
Zones, a widely supported way to put DNS filtering rules into your own DNS 
cache.


https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
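The two resolver-side mechanisms this thread mentions, Vixie's Response Policy Zones (John's post just above) and the name Firefox asks the local resolver about before committing to DoH (the "respond to some name" hack a few posts up), in one added example. This is not code from the thread, from BIND, or from any resolver: it is a small Python model of the RPZ QNAME-trigger semantics (CNAME . for NXDOMAIN, CNAME *. for NODATA, CNAME rpz-passthru. to exempt a name, any other record as local data) evaluated over a constructed policy zone and a constructed upstream answer table. The canary name use-application-dns.net is the one Firefox documents; every name under example.test/example.org and every 192.0.2.x, 198.51.100.x and 203.0.113.x address is constructed sample data.

```python
"""QNAME-trigger subset of DNS Response Policy Zones (RPZ), modelled in plain
Python as an added illustration.  Not code from the thread, from BIND, or from
any resolver.  The policy zone and upstream table are constructed; the DoH
canary name is the one Firefox documents (use-application-dns.net)."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample policy zone in RPZ zone-file convention; owner names are
# relative to the policy zone apex.  Text after ';' is a comment.
SAMPLE_RPZ_ZONE = """
phish.example.test       CNAME  .              ; NXDOMAIN
*.phish.example.test     CNAME  .              ; NXDOMAIN for every subdomain
tracker.example.test     CNAME  *.             ; NODATA: name exists, no answer
bad.example.test         A      192.0.2.53     ; local data: walled-garden IP
ok.bad.example.test      CNAME  rpz-passthru.  ; exempt this one name from policy
use-application-dns.net  CNAME  .              ; canary: Firefox stays on local resolver
"""

# Constructed "real" answers the recursive resolver would get upstream.
UPSTREAM: Dict[str, str] = {
    "bad.example.test": "198.51.100.7",
    "ok.bad.example.test": "198.51.100.8",
    "tracker.example.test": "198.51.100.9",
    "example.org": "203.0.113.9",
}

CANARY = "use-application-dns.net"


@dataclass
class Rule:
    owner: str    # trigger name, lower-case, no trailing dot; may start with "*."
    rrtype: str
    rdata: str


@dataclass
class Verdict:
    action: str              # NXDOMAIN | NODATA | PASSTHRU | DROP | LOCAL-DATA | NONE
    rule: Optional[str]      # owner of the rule that fired, if any
    rdata: Optional[str]     # rewritten answer when action is LOCAL-DATA


def parse_rpz(zone_text: str) -> List[Rule]:
    """Parse '<owner> <rrtype> <rdata>' lines; ';' starts a comment."""
    rules: List[Rule] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rrtype, rdata = line.split(None, 2)
        rules.append(Rule(owner.lower().rstrip("."), rrtype.upper(), rdata.strip()))
    return rules


def _matches(rule: Rule, qname: str) -> bool:
    """A '*.zone' owner matches proper subdomains only; anything else is exact."""
    if rule.owner.startswith("*."):
        return qname.endswith(rule.owner[1:])
    return qname == rule.owner


def evaluate(qname: str, rules: List[Rule]) -> Verdict:
    """Pick the most specific matching rule (exact beats wildcard, longer owner
    beats shorter) and translate its rdata into an RPZ action."""
    qname = qname.lower().rstrip(".")
    hits = [r for r in rules if _matches(r, qname)]
    if not hits:
        return Verdict("NONE", None, None)
    best = max(hits, key=lambda r: (not r.owner.startswith("*."), len(r.owner)))
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    if best.rrtype == "CNAME" and best.rdata in special:
        return Verdict(special[best.rdata], best.owner, None)
    return Verdict("LOCAL-DATA", best.owner, best.rdata)


def answer(qname: str, rules: List[Rule], upstream: Dict[str, str]) -> Dict[str, Optional[str]]:
    """What the client sees once the policy is applied on top of the upstream answer."""
    v = evaluate(qname, rules)
    real = upstream.get(qname.lower().rstrip("."))
    if v.action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "a": None, "policy": v.rule}
    if v.action == "NODATA":
        return {"rcode": "NOERROR", "a": None, "policy": v.rule}
    if v.action == "DROP":
        return {"rcode": None, "a": None, "policy": v.rule}   # no response at all
    if v.action == "LOCAL-DATA":
        return {"rcode": "NOERROR", "a": v.rdata, "policy": v.rule}
    # PASSTHRU and NONE both hand back the real answer; PASSTHRU just logs the rule.
    if real is None:
        return {"rcode": "NXDOMAIN", "a": None, "policy": v.rule}
    return {"rcode": "NOERROR", "a": real, "policy": v.rule}


def firefox_keeps_doh(rules: List[Rule]) -> bool:
    """Firefox, when DoH is on by default rather than switched on by the user,
    resolves the canary through the system resolver and turns DoH off if the
    answer is NXDOMAIN or NODATA.  This models that check against the policy."""
    return evaluate(CANARY, rules).action not in ("NXDOMAIN", "NODATA")


RULES = parse_rpz(SAMPLE_RPZ_ZONE)

if __name__ == "__main__":
    for name in ("phish.example.test", "www.phish.example.test", "tracker.example.test",
                 "bad.example.test", "ok.bad.example.test", "example.org"):
        print(f"{name:24} -> {answer(name, RULES, UPSTREAM)}")
    print("Firefox keeps DoH on this network:", firefox_keeps_doh(RULES))
```

Two points the output makes that the thread only gestures at: a plain owner name covers exactly that name, so `www.bad.example.test` sails through unless a `*.bad.example.test` rule is added, and a local-data rewrite to a walled-garden address is what a client sees as a "filtered IP address", which is why a misfiring rule looks to the blocked site's owner like an ordinary outage with nobody to complain to.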