Re: wikileaks dns (was Re: Blocking International DNS)
* Jack Bates (jba...@brightok.net) wrote: Given "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites." I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain. This is then important information that should be spelled out in their terms of service: 'If your domain generates too much traffic we will terminate your service'. It might very well be reasonable for a free service to have these restrictions, but as a customer it could be an important differentiator when choosing a service provider. ..assuming that the DOS actually took place.. (tinfoil hat on..:) /Joakim I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop. Jack
Re: wikileaks dns (was Re: Blocking International DNS)
On Fri, Dec 03, 2010 at 12:52:29AM -0500, Ken Chase k...@sizone.org wrote a message of 24 lines which said: Anyone have records of what wikileaks (RR, i assume) A record was? 91.121.133.41 46.59.1.2 Translated into a URL, the first one does not work (virtual hosting, maybe) but the second does. I've found also, thanks to a new name resolution protocol, TDNS (Tweeter DNS), 213.251.145.96, which works. I should have queried my favourite open rDNS servers before they expired, dig A wikileaks.org > backup.txt (from cron) is a useful method. Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?
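The "dig A wikileaks.org > backup.txt from cron" idea above only keeps raw text; the following is an added example (not code from any post in this thread) of turning such cron-captured dig output into a timestamped, diffable record archive, which is the small-scale version of the "DNSarchive" being asked for. The dig output embedded below is constructed for illustration, and the addresses in it are documentation-range placeholders, not the real records discussed in the thread.

```python
"""Parse the ANSWER SECTION of `dig` output and keep a timestamped archive.

Added example for the "dig ... > backup.txt (from cron)" / DNS-archive idea.
The sample dig output is constructed; the IPs are placeholders (RFC 5737).
"""
import json
import re
from datetime import datetime, timezone

# One resource-record line as dig prints it in the ANSWER SECTION, e.g.
#   wikileaks.org.   300   IN   A   192.0.2.10
_RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$"
)


def parse_dig_answers(text):
    """Return the resource records found in the ANSWER SECTION of dig output."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (line.startswith(";;") or not line.strip()):
            in_answer = False  # blank line or next ";;" header ends the section
            continue
        if in_answer:
            m = _RR_LINE.match(line)
            if m:
                records.append({
                    "name": m["name"].rstrip("."),
                    "ttl": int(m["ttl"]),
                    "type": m["type"],
                    "rdata": m["rdata"],
                })
    return records


def archive_snapshot(text, archive_path, now=None):
    """Append one JSON line per record (with observation time) to archive_path."""
    now = now or datetime.now(timezone.utc)
    recs = parse_dig_answers(text)
    with open(archive_path, "a") as fh:
        for r in recs:
            fh.write(json.dumps({"observed": now.isoformat(), **r}) + "\n")
    return recs


def rdata_changes(old, new):
    """(type, rdata) pairs that appeared or disappeared between two snapshots."""
    o = {(r["type"], r["rdata"]) for r in old}
    n = {(r["type"], r["rdata"]) for r in new}
    return {"added": sorted(n - o), "removed": sorted(o - n)}


# Constructed sample of what `dig A wikileaks.org` writes; placeholder IPs.
SAMPLE_DIG = """
; <<>> DiG 9.6.0 <<>> A wikileaks.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; QUESTION SECTION:
;wikileaks.org.\t\t\tIN\tA

;; ANSWER SECTION:
wikileaks.org.\t\t300\tIN\tA\t192.0.2.10
wikileaks.org.\t\t300\tIN\tA\t198.51.100.7

;; Query time: 13 msec
"""

if __name__ == "__main__":
    # From cron you would feed it the real dig output file instead of SAMPLE_DIG.
    recs = archive_snapshot(SAMPLE_DIG, "dns-archive.jsonl")
    print(json.dumps(recs, indent=2))
```

Running `archive_snapshot` once per cron run gives a JSON-lines file that answers "what did this name resolve to on day X" after the zone is gone, and `rdata_changes` between two runs flags the moment a record set changed; note it only records what your resolver saw, not what every resolver saw.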
Re: wikileaks dns (was Re: Blocking International DNS)
wikileaks.no and wikleaks.se seem to accept requests on port 80 but appear to be having trouble generating responses, perhaps just overloaded. On Dec 3, 2010, at 12:45 AM, Stephane Bortzmeyer wrote: On Fri, Dec 03, 2010 at 12:52:29AM -0500, Ken Chase k...@sizone.org wrote a message of 24 lines which said: Anyone have records of what wikileaks (RR, i assume) A record was? 91.121.133.41 46.59.1.2 Translated into a URL, the first one does not work (virtual hosting, maybe) but the second does. I've found also, thanks to a new name resolution protocol, TDNS (Tweeter DNS), 213.251.145.96, which works. I should have queried my favourite open rDNS servers before they expired, dig A wikileaks.org > backup.txt (from cron) is a useful method. Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer?
Re: wikileaks dns (was Re: Blocking International DNS)
... ... The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy. the claim is that being ddos'd is an aup violation. go figure.
RE: wikileaks dns (was Re: Blocking International DNS)
I guess the USG's cyberwar program does work (very dryly said). -Original Message- From: Paul Ferguson [mailto:fergdawgs...@gmail.com] Sent: Friday, December 03, 2010 1:39 AM To: Jack Bates Cc: North American Network Operators Group Subject: Re: wikileaks dns (was Re: Blocking International DNS) On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates jba...@brightok.net wrote: On 12/2/2010 11:26 PM, Randy Bush wrote: so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. Given These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain. I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop. FYI: http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml - - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Re: wikileaks dns (was Re: Blocking International DNS)
On Friday 03 December 2010 13:22:19 Frank Bulk wrote: I guess the USG's cyberwar program does work (very dryly said). They missed ;) http://wikileaks.ch http://twitter.com/wikileaks
Re: wikileaks dns (was Re: Blocking International DNS)
On Fri, Dec 3, 2010 at 7:22 AM, Frank Bulk frnk...@iname.com wrote: I guess the USG's cyberwar program does work (very dryly said). Perhaps the PRC's works too. -J
Re: wikileaks dns (was Re: Blocking International DNS)
On 03/12/10 00:52 -0500, Ken Chase wrote: On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said: so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee. Let us know if they deviate from this isometric application of policy. I'll be happy to encourage people not to use them. Anyone have records of what wikileaks (RR, i assume) A record was? I should have queried my favourite open rDNS servers before they expired, assuming that the TTL was long enough (or modified to be long by a local cache policy). Quick, someone power up their hibernated laptop with the network unplugged and ping wikileaks (assuming you looked at it recently before hibernation, before it was pulled... :) Not sure that works in any windows (or other OS's for that matter) however. Their A records on Sunday were: #46.51.186.222 wikileaks.org #46.151.171.90 wikileaks.org -- Dan White
Re: wikileaks dns (was Re: Blocking International DNS)
On Fri, Dec 03, 2010 at 08:27:57AM -0600, Dan White dwh...@olp.net wrote a message of 28 lines which said: Their A records on Sunday were: (No longer working.) Several people are keeping track of working IP addresses and advertise them in the DNS (wikileaks.something.example). Others have full mirrors. A current list: http://etherpad.mozilla.org:9000/wikileaks copy it, so you can access the DNS mirrors even if mozilla.org is taken down... It's a very interesting exercise in resiliency.
RE: wikileaks dns (was Re: Blocking International DNS)
I guess the USG's cyberwar program does work (very dryly said). It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it. As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as damaging, and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply pressure but I have no idea what that pressure might have consisted of. But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to pressure the publishing entity to stop it. To expect someone not to pressure someone to remove potentially damaging material is probably naïve.
Re: wikileaks dns (was Re: Blocking International DNS)
For the record, I would never remove a customer because a congressman or senator asked for it, however, I would deny service to persons with outstanding felony warrant(s). Jeff On Fri, Dec 3, 2010 at 12:38 PM, George Bonser gbon...@seven.com wrote: I guess the USG's cyberwar program does work (very dryly said). It was reported in the last couple of days that Wikileaks could have been taken off the net but the govt decided not to do it. As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as damaging, and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply pressure but I have no idea what that pressure might have consisted of. But think about it ... if someone had, for example, deep internal corporate confidential financial information on a company and published that on the web, that company might also attempt to pressure the publishing entity to stop it. To expect someone not to pressure someone to remove potentially damaging material is probably naïve. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: wikileaks dns (was Re: Blocking International DNS)
On Fri, Dec 3, 2010 at 12:38 PM, George Bonser gbon...@seven.com wrote: As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as damaging, and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply pressure but I have no idea what that pressure might have consisted of. It may be naive, but I expect due process from the USG. Just sayin' -Randy Fischer
Re: wikileaks dns (was Re: Blocking International DNS)
Other possible solution would be a DNSarchive, in the same way there is a WebArchive. Any volunteer? The RIPE REX tool provides something like this, at least for the reverse tree. http://rex.ripe.net/ http://albatross.ripe.net/cgi-bin/rex.pl?type=all&res=213.251.145.0/24&stime=2009-12-02&etime=2010-12-02&page=dns&cf=1&af=1 Of course, it appears that none of the three cablegate IP addresses you cite have reverse records provisioned that point to wikileaks (just bahnhof.se and ovh.net). --Richard
Re: wikileaks dns (was Re: Blocking International DNS)
The patriot act did away with due process. On 12/3/2010 3:10 PM, Randy Fischer wrote: On Fri, Dec 3, 2010 at 12:38 PM, George Bonsergbon...@seven.com wrote: As for a member of Congress pressuring Amazon, what else would one expect? If a site has content that the USG might see as damaging, and if a US company is facilitating the distribution of that content, sure, I would expect members of that government to apply pressure but I have no idea what that pressure might have consisted of. It may be naive, but I expect due process from the USG. Just sayin' -Randy Fischer
Re: wikileaks dns (was Re: Blocking International DNS)
To expect someone not to pressure someone to remove potentially damaging material is probably naïve. i believe that the material was not stored on amazon, only torrent pointers. and to cave to that pressure absent of actual legal requirement cost amazon my business. randy
Re: wikileaks dns (was Re: Blocking International DNS)
Yo Curtis! On Fri, 3 Dec 2010, Curtis Maurand wrote: The patriot act did away with due process. Yep. More on that today: http://www.wired.com/threatlevel/2010/12/realtime/ RGDS GARY - --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701 g...@rellim.com Tel:+1(541)382-8588
Re: Blocking International DNS
On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote: And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS. Yeah, and with virtually everyone's bangpaths starting with uunet or one of those other anchors (I seem to remember bangpaths starting at kremvax, but perhaps I'm senile...), it's still a hierarchy. I had a site in the maps years ago, and even had 'registered' a pseudo '.uucp' domain remember those? That said, it did work pretty well. SMTP and direct MX was supposed to make all that go away, and now we're talking about it again. Do I need to go back to using smail 2.5 to do mail routing? :-) Web browsing using uucico was rather, uh, interesting (but doable, thanks to the virtually text-only web at the time, and that assumed the target node/server was online at that time). Not really scalable to broadband, as part of the blockability issue is IP and IP routing hijackability (to coin a contrived phrase). It was a different world, especially on the user side. If you had multiple dialin accounts under the uucp system you could very easily bypass many blocks simply using dialup; but dialup is just too slow for today's content.
Re: Blocking International DNS
On Wednesday, December 01, 2010 10:57:40 pm Mark Andrews wrote: And there would have been total confusion if there had been multiple uunet's and a few other well known nodes. UUCP had anchor points. Just different ones to the DNS. Yeah, and with virtually everyone's bangpaths starting with uunet or one of those other anchors (I seem to remember bangpaths starting at kremvax, but perhaps I'm senile...), it's still a hierarchy. boy, you folk sure remember a different uucp network than i do. randy
Re: Blocking International DNS
boy, you folk sure remember a different uucp network than i do. Backbone Map from 1984 [ASCII-art map of UUCP backbone links, garbled in extraction; nodes shown include mcvax, philabs, tektronix, decvax, linus, uw-beaver, ubc-vision, seismo, harpo, ulysses, alberta, ihnp4, hou3c, we13, burl, utzoo, hplabs, hao, clyde, watmath, sdcrdcf, sdcsvax, akgua, mcnc] pre uunet, we connected to seismo Jorge
Re: Blocking International DNS
[ASCII-art 1984 UUCP backbone map, garbled in extraction; nodes shown include mcvax, philabs, tektronix, decvax, linus, uw-beaver, ubc-vision, seismo, harpo, ulysses, alberta, ihnp4, hou3c, we13, burl, utzoo, hplabs, hao, clyde, watmath, sdcrdcf, sdcsvax, akgua, mcnc] pre uunet, we connected to seismo [ why did jaap call this europe 1984 in his preso? ] and seismo kinda became uunet and oresoft was off tektronix. and m2xenix was off oresoft. and ... and unido was ... so, what's the point? the uucp network was pretty ad hoc and anarchic, aside from horrific phone bills. and anyone who thinks that the fidonet was not hierarchic is not taking their meds. randy
Re: Blocking International DNS
and anyone who thinks that the fidonet was not hierarchic is not taking their meds. yes, the bad bad node ops :) bye, Ingo
Re: Blocking International DNS
On Thursday, December 02, 2010 11:19:33 am Randy Bush wrote: boy, you folk sure remember a different uucp network than i do. Well, I got in the uucp thing rather late, hooking up in 1991 or so. By then to get e-mail through uucico it was common practice to bangpath off uunet, or some other 'known' host that pathalias/smail could find in the maps. Or worse, to use a bangpath/FQDN frankenaddress. For news over uucp, at least with C-News, which I ran for a while, not so much a big deal as long as you properly passed the post upstream. Usenet is still the standard for decentralized information sharing, IMHO, and for better or for worse. To get files, you needed to know the path to the file; while you could bangpath all the way to the archive and uucp the file directly, it was more common to start at a known node (like uunet or decvax) and path from there, unless you had a full pathalias-aware uucp (I forget if HoneyDanBer did that or not, too many years since doing that). Web browsing through uucico was just a special case of getting a file, at least in the implementation I used. But would pathalias scale to billions of hosts? I don't know the answer; I know on the minuscule Apollo DN3500's I used at the time the pathalias part of the processing frequently took longer than the actual transfer. And even in those days of mostly text web pages, NCSA Mosaic took longer to render the pages into the pads than the other two parts.
Re: Blocking International DNS
btw, i spent quite a bit of my time with the berkman center researchers working on accountability and transparency on just the issue of how users can be represented and i think it a hard problem. I bet it is not a trivial enterprise to put together and give shape to an organization like ICANN. My biggest concern is that somewhere in the painful process of building this organization something got completely derailed from its original intents. I'll not deny that there are positives and some accomplishments, not trying to do a substantial balance check, but on a 50Kfeet quick snapshot, I see ICANN as a non-profit org with a ~$60+M annual budget, and I always raise this question in my mind: what does it actually produce at that cost for the common good of the Internet community? (let's make clear that the domain registrants are the ones mostly paying for all this). Yes, it has the contract (by now) from DoC to provide the IANA services, it has some DNS operational and coordination role, the folks involved with the DNSSEC implementation did a great job, but the bulk of the budget is not going there, most of it goes to finance the smoke and mirrors processes and the traveling circus. No wonder why in the letter sent today by DoC/NTIA to ICANN, on the very first line Assistant Secretary Strickling says "I am writing to express my concern regarding the apparent failure of ICANN to carry out its obligations as specified in the Affirmation of Commitments ..." http://forum.icann.org/lists/5gtld-guide/pdf4SSmb5oOd5.pdf I believe that there are a lot of people very concerned with what ICANN is doing and what it is supposed to do, and trying to fix it from within is not an easy task either; getting involved in ICANN's processes and ecosystem is very demanding, and unless you have a big chunk of dough in the bank or are being paid (which brings to the front line the interests of whoever pays you) there is not an easy way to make free volunteer work effective.
I guess we are sliding OT for this list ...sigh Best Regards Jorge
wikileaks dns (was Re: Blocking International DNS)
All our topics of discussion are merging... (soon: does Wikileaks run on 208V? :) http://www.everydns.com/ right hand side. (sorry to shift the discussion off of uucp... long live sizone.uucp...) /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: wikileaks dns (was Re: Blocking International DNS)
On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase k...@sizone.org wrote: All our topics of discussion are merging... (soon: does Wikileaks run on 208V? :) If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave. Cheers Jorge
Re: wikileaks dns (was Re: Blocking International DNS)
On Thu, Dec 02, 2010 at 10:16:23PM -0600, Jorge Amodio said: On Thu, Dec 2, 2010 at 10:05 PM, Ken Chase k...@sizone.org wrote: All our topics of discussion are merging... (soon: does Wikileaks run on 208V? :) If they keep going that way, soon they will be running on nuclear power from the hidden centrifuges in some cave. or p2p or tor or torrents of *.tbz's the other day bloomberg was having issues in their db only for stories about wikileaks and assange as per my quick testing, quite annoying, are major news mediae seeing ddos attempts at censorship (or just leaking at the seams infrastructure issues with the big hits on the topic?) /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: Blocking International DNS
Jorge, On Dec 2, 2010, at 6:02 PM, Jorge Amodio wrote: I bet it is not a trivial enterprise to put together and give shape to an organization like ICANN. My biggest concern is that somewhere in the painful process of building this organization something got completely derailed from its original intents. I suppose it depends on your view of its original intents (and what you mean by ICANN). I believe that there is a lot of people very concerned with what ICANN is doing and what it is supposed to do, and trying to fix it from within is not an easy task either, getting involved in ICANN's processes and ecosystem is very demanding, and unless you have a big chunk of dough in the bank or are being paid (which brings on front line the interests of who pays you) there is not an easy way to make free volunteer work effective. My view (having been on both sides now) is that despite numerous missteps, particularly early in its life, ICANN really is trying to do the right thing. There are lots of challenges, not least of which is that given ICANN's structure, the definition of the right thing depends on who participates most actively in the myriad ICANN processes. I guess we are sliding OT for this list ...sigh Yep, and that's unfortunate as folks who participate in NANOG generally have opinions that could counterbalance the folks who usually show up at ICANN meetings. Regards, -drc
Re: wikileaks dns (was Re: Blocking International DNS)
On Dec 2, 2010, at 11:05 PM, Ken Chase wrote: All our topics of discussion are merging... (soon: does Wikileaks run on 208V? :) http://www.everydns.com/ right hand side. (sorry to shift the discussion off of uucp... long live sizone.uucp...) Seems to be down here http://www.everydns.com/ EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free. The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy.

[TME-MBP-2010:~] tme% dig wikileaks.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;wikileaks.org.                 IN      A

;; Query time: 13 msec
;; SERVER: 63.105.122.34#53(63.105.122.34)
;; WHEN: Thu Dec  2 23:47:19 2010
;; MSG SIZE  rcvd: 31

Regards Marshall /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: wikileaks dns (was Re: Blocking International DNS)
[TME-MBP-2010:~] tme% dig wikileaks.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> wikileaks.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37692
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;wikileaks.org.                 IN      A

;; Query time: 13 msec
;; SERVER: 63.105.122.34#53(63.105.122.34)
;; WHEN: Thu Dec  2 23:47:19 2010
;; MSG SIZE  rcvd: 31

shows gone for me too. btw, excuse the bluntness, but for an organization like this kind of extremely stupid to have all the secondaries with the same provider no? -J
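The point just made, that every secondary sat with the same provider, is something you can check for any zone before it matters. The following is an added example (not code from any post in this thread) that takes a domain's NS set with each server's addresses and flags the single points of failure a delegation review looks for: too few servers, every server under one operator's domain, and every address in one /24. The delegation data is constructed; the hostnames and addresses are placeholders, and treating the nameserver's parent domain and its /24 as "the provider" is a heuristic (ASN lookup would be stronger but needs network access).

```python
"""Flag single-provider DNS delegations.

Added example for the "all secondaries with the same provider" remark.
Input is constructed: placeholder NS names and RFC 5737 addresses.
In practice you would fill `nameservers` from `dig NS <zone>` plus
`dig A <ns>` for each server.
"""
from ipaddress import ip_network


def parent_domain(ns_name):
    """'ns1.example-dns.net.' -> 'example-dns.net' (naive: last two labels)."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_risk(nameservers):
    """nameservers: mapping of NS hostname -> list of IPv4 addresses.

    Returns a summary of provider and prefix diversity plus a list of
    problems; an empty problems list means no single point of failure
    was detected by these heuristics.
    """
    providers = {parent_domain(ns) for ns in nameservers}
    prefixes = {
        ip_network(f"{ip}/24", strict=False)  # collapse host address to its /24
        for ips in nameservers.values()
        for ip in ips
    }
    problems = []
    if len(nameservers) < 2:
        problems.append("fewer than two nameservers")
    if len(providers) == 1:
        problems.append(
            f"all nameservers under one provider ({next(iter(providers))})"
        )
    if len(prefixes) == 1:
        problems.append("all nameserver addresses in one /24")
    return {
        "nameservers": len(nameservers),
        "providers": sorted(providers),
        "prefixes": sorted(str(p) for p in prefixes),
        "problems": problems,
    }


# Constructed: the setup criticised above, every NS at one free provider.
SINGLE_PROVIDER = {
    "ns1.example-dns.net.": ["192.0.2.10"],
    "ns2.example-dns.net.": ["192.0.2.11"],
}

# Constructed: primary at one operator, secondaries at a second, separate prefixes.
DIVERSE = {
    "ns1.example-dns.net.": ["192.0.2.10"],
    "ns1.other-dns.example.": ["198.51.100.20"],
    "ns2.other-dns.example.": ["203.0.113.5"],
}

if __name__ == "__main__":
    for label, nss in (("single-provider", SINGLE_PROVIDER), ("diverse", DIVERSE)):
        report = delegation_risk(nss)
        print(label, "->", report["problems"] or "ok")
```

Provider diversity only helps if a termination or outage at one provider leaves the others still serving, so the secondaries must be genuine slaves of your zone (AXFR/IXFR from a master you control), not a second account at the same company; this check cannot see that, it only tells you where the delegation points.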
Re: wikileaks dns (was Re: Blocking International DNS)
Everydns says on their page: EveryDNS.net provided domain name system (DNS) services to the wikileaks.org domain name until 10PM EST, December 2, 2010, when such services were terminated. As with other users of the EveryDNS.net network, this service was provided for free. The termination of services was effected pursuant to, and in accordance with, the EveryDNS.net Acceptable Use Policy. More specifically, the services were terminated for violation of the provision which states that Member shall not interfere with another Member's use and enjoyment of the Service or another entity's use and enjoyment of similar services. The interference at issues arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. Thus, last night, at approximately 10PM EST, December 1, 2010 a 24 hour termination notification email was sent to the email address associated with the wikileaks.org account. In addition to this email, notices were sent to Wikileaks via Twitter and the chat function available through the wikileaks.org website. Any downtime of the wikileaks.org website has resulted from its failure to use another hosted DNS service provider. -J
Re: wikileaks dns (was Re: Blocking International DNS)
Sort of weird theory, but it sounds really strange that knowing the kind of reactions that one could expect due the content being published in the site that they have such a naive dns setup for that given domain. Unless what you are looking for is actually getting booted so you can cry loud (which they already did via twitter few mins ago), hey the US killed our domain. BTW, the domain still shows in the PIR WHOIS. -J
Re: wikileaks dns (was Re: Blocking International DNS)
On Fri, Dec 03, 2010 at 02:26:35PM +0900, Randy Bush said: so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. if not, as a registrar, i guess i can no longer accept registrations where everydns is the ns delegatee. Let us know if they deviate from this isometric application of policy. I'll be happy to encourage people not to use them. Anyone have records of what wikileaks (RR, i assume) A record was? I should have queried my favourite open rDNS servers before they expired, assuming that the TTL was long enough (or modified to be long by a local cache policy). Quick, someone power up their hibernated laptop with the network unplugged and ping wikileaks (assuming you looked at it recently before hibernation, before it was pulled... :) Not sure that works in any windows (or other OS's for that matter) however. /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: wikileaks dns (was Re: Blocking International DNS)
On 12/2/2010 11:26 PM, Randy Bush wrote: so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. Given These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain. I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop. Jack
Re: wikileaks dns (was Re: Blocking International DNS)
On 3/12/10 3:05 PM, Ken Chase wrote: All our topics of discussion are merging... (soon: does Wikileaks run on 208V? :) http://www.everydns.com/ right hand side. (sorry to shift the discussion off of uucp... long live sizone.uucp...) There is a list of mirror sites here: http://wikileaks.info/ There are three IPv4 addresses listed for the cablegate site: 91.194.60.90, 91.194.60.112 and 204.236.131.131. Of these, the first one is not responding (from Australia), the third is an Amazon IP and won't host the site now. The second one is responding, but is not up to date with the full release so far (it has 294 cables, up to November 30). I'm surprised they don't have a proper mirror using a .se, .ch or .is domain. Regards, Ben
Re: wikileaks dns (was Re: Blocking International DNS)
On Thu, Dec 2, 2010 at 11:29 PM, Jack Bates jba...@brightok.net wrote: On 12/2/2010 11:26 PM, Randy Bush wrote: so, if the site to which a dns entry points suffers a ddos, everydns will no longer serve the domain. i hope they apply this policy even handedly to all sufferers of ddos. Given These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites. I'd say they had DOS issues with their nameservers. They can't be expected to let their other domains go down in efforts to protect a single domain. I'm guessing they weathered the problem somewhat, as they actually gave 24h notice. However, excessive loads and constant monitoring and protective measures on a free service would definitely be something a company would want to stop. FYI: http://www.techdirt.com/articles/20101202/22322512099/wikileaks-says-its-site-has-been-killed.shtml - - ferg -- Fergie, a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/
Re: Blocking International DNS
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. randy
Re: Blocking International DNS
On 12/01/2010 10:41 PM, Randy Bush wrote: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. randy Before we do this, I do have some other questions: Wasn't this exactly why people suggested ICANN should just move to Switzerland and become an independent international organization? Would this still be a possibility? Another question, how much does ICANN really have to say about the content of the root? Isn't there a long process to get something in/out of the root and isn't it the root operators that decide to actually deploy the zone?
Re: Blocking International DNS
Randy Bush wrote: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. randy Might be of interest: http://digitizor.com/2010/12/01/the-pirate-bay-co-founder-starting-a-p2p-based-dns-to-take-on-icann/
Re: Blocking International DNS
On Dec 1, 2010, at 11:41 AM, Randy Bush wrote: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem... Regards, -drc
Re: Blocking International DNS
On Dec 1, 2010, at 8:18:42 PM, David Conrad wrote: On Dec 1, 2010, at 11:41 AM, Randy Bush wrote: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem... I think that the Pirate Bay announcement was triggered by http://www.npr.org/templates/story/story.php?storyId=131678432 plus the COICA bill (http://www.eff.org/coica) -- though it, at least, appears to be dead for this session and who knows what the new Congress will do. That said, I think the problem is primarily political, not technical. --Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: Blocking International DNS
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) see smb's url re rightsholders having alleged bad sites blocked. randy
Re: Blocking International DNS
On Dec 1, 2010, at 4:41 PM, Randy Bush wrote: the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, or the acta vigilantes. as dissent becomes less tolerated, let alone supported, we may want to attempt to ensure it in our deployments. Dear Randy; I am beginning to get the same impression, but I see difficulties moving forward. International agencies come to mind (the ITU or WIPO), as they are not subject to government warrants, but I think that the existing ones have their own issues. And I have too many bad memories of Alternic to feel comfortable about Peter Sunde's P2P ideas. Balancing all of that, internationalizing ICANN may be the best solution. Regards Marshall randy
Re: Blocking International DNS
Wasn't this exactly why people suggested ICANN should just move to Switzerland and become an independent international organization? Would this still be a possibility? You can move ICANN to Mars but unless you move the root, IANA is and will still be under USG control as it is today. Also ICANN didn't touch any operational knobs related to the latest domain names seized by DHS-ICE. - J
Re: Blocking International DNS
internationalizing ICANN may be the best solution. for sure! if it is truly removed from the states and not put in genf. gedanken experiment: who would i trust more to not interfere with **other people's** data, the usg, icann, the itu, or the pirate bay party? my conclusion makes me very sad. but playing with the current dns is a short term solution. in the long run, centralization/rootification of control is equivalent to monopoly. and we have seen time and again that this leads to despotism, often cloaked in false protectionism and false we represent the community.. we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception. randy
Re: Blocking International DNS
but playing with the current dns is a short term solution. in the long run, centralization/rootification of control is equivalent to monopoly. and we have seen time and again that this leads to despotism, often cloaked in false protectionism and false we represent the community.. we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception. http://lauren.vortex.com/archive/000787.html h
Re: Blocking International DNS
On Dec 2, 2010, at 10:10 AM, Randy Bush wrote: we have a significant failure by the security community in that they keep giving us hierarchic models, pgp being a notable exception. http://en.wikipedia.org/wiki/PNRP --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Blocking International DNS
And I have too many bad memories of Alternic to feel comfortable about Peter Sunde's P2P ideas. IMHO, there is a basic and fundamental flaw on many of the alternate schemes. The current DNS ecosystem has been feeding the pockets of many for many years and became what a ~$7B? industry ? many folks are making a living out of it, so any alternate solution that doesn't take seriously in account the economic side will encounter high resistance to change. Also, who you will really trust to run it ? Balancing all of that, internationalizing ICANN may be the best solution. ICANN is not the problem. It is itself a problem because over the years instead of being a technical coordinator for names and numbers became the playground and clearinghouse for IP (Intellectual Property) groups, all sorts of color, sizes and shapes of attorneys milking from the DNS ecosystem and Internet Governance wanna be politiks. Also while different segments may have some level of participation (including folks that claim they represent the users which they do not) by design ICANN is a membership less organization so the multi stake holder model is a lie and the bottom up process when the bottom does not have the same level of resources to participate as some of the big corp/lobby groups, ends being a fiasco. With the current architecture what you need to internationalize is IANA, but who you will trust with that ? ITU ? As I commented in other forums, I believe that what we need is a novel and well thought resource directory and location service/protocol where central authority and uniqueness are not fundamental requirements, and as said before something that on the long run can be monetized in a way that creates an economic incentive for people to use it. Meanwhile, as Randy said, our only option is to keep dealing with the current system. Regards Jorge
Re: Blocking International DNS
Also, who you will really trust to run it ? The UUCP network chugged along quite nicely for many years without any central authority. (Pathalias and the maps weren't an authority, just a hint.) --lyndon
Re: Blocking International DNS
http://lauren.vortex.com/archive/000787.html I see no drafts, no white or any color papers, no research, no background, good intentions and a napkin list of specs/requirements, no substance. -J
Re: Blocking International DNS
*wonders where his fidonet archives are. dusty. Any system needs to be designed to be open to anyone at any level of the economic chart and a minimum of technical knowledge to implement. This does not necessarily need to encompass the identification requirements for commerce, that may well become a separate system. cheers Jeff On Wed, Dec 1, 2010 at 7:42 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) lyn...@orthanc.ca wrote: Also, who you will really trust to run it ? The UUCP network chugged along quite nicely for many years without any central authority. (Pathalias and the maps weren't an authority, just a hint.) --lyndon
Re: Blocking International DNS
Steve, On Dec 1, 2010, at 3:35 PM, Steven Bellovin wrote: Wouldn't this simply change the focus of who can attack from the USG (which, as far as I am aware, has not attacked the root) to some other government (or worse, the UN)? Given a handle, folks are going to want to grab it when they feel a need to control, regardless of who the folks are. It'd be nice to remove the handle, but that appears to be a very hard problem... I think that the Pirate Bay announcement was triggered by http://www.npr.org/templates/story/story.php?storyId=131678432 Which is, of course, unrelated to ICANN (see http://domainincite.com/icann-had-no-role-in-seizing-torrent-domains/) and is a result of VeriSign following US law in the management of two of the top-level domains they operate. plus the COICA bill (http://www.eff.org/coica) Yeah, COICA is a barrel of fun. As is LOPPSI-2 in France and the equivalent regulations in places like Sweden, Germany, etc. However, my impression (but will admit not having looked into this very much) is that the guy from Pirate Bay is merely pissed off because he lost a UDRP complaint when he obtained the IFPI.COM domain after the International Federation of the Phonograph Industry let it expire, misunderstood (perhaps purposefully) what happened at VeriSign, and decided to capitalize on it. That said, I think the problem is primarily political, not technical. Right, but that wasn't what I was questioning. I suspect that no matter what legal venue you put something as tasty as the control of the DNS, there will be folks who will attempt to exercise that control for their own political purposes. Even internationalizing it doesn't seem to be a good idea to me (based on my impression of how politics get involved in places like the ITU). I'd love to see a non-hierarchical naming system that didn't suck more than the DNS, but as I said, it seems that's a very hard problem... Regards, -drc
Re: Blocking International DNS
the more i think about this, the more i am inclined to consider a second trusted root not (easily) attackable by the usg, who owns the root now, This particular domain grab had nothing to do with the root or ICANN. If you look at the name servers and WHOIS of the domains that were seized, you can easily see that the USG served papers on Verisign, who did what the papers told them to, because they're the .COM registry. Anyone who registers a .COM really shouldn't be surprised to find out that Verisign is headquartered in California, and is 100% subject to US law, not to mention still having a side agreement with DoC about .COM due to its history. For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. If you want a USG-proof domain, use a ccTLD. I am somewhat more concerned about the possibility that the government would have a mandatory do-not-resolve list for networks in the US. That would be unlikely to stand up in court, viz. the quick failure of the Pennsylvania child porn IP blacklist, but the process would be painful while it unfolded. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly
Re: Blocking International DNS
For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds. randy
Re: Blocking International DNS
Randy, Can you cite specific examples of USG interfering with ccTLDs? Jeff On Wed, Dec 1, 2010 at 11:53 PM, Randy Bush ra...@psg.com wrote: For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds. randy -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Blocking International DNS
Can you cite specific examples of USG interfering with ccTLDs? For several decades the USG has made it crystal clear that they do not mess with ccTLDs, not even ones for countries they don't like such as .CU and .IR. possibly clear to you. the factual experience is that this statement is patently false to those dealing with those particular cctlds. i am not at liberty to do so. but, for a clue

    % dig +short cu. ns
    ns.ceniai.net.cu.
    ns-cu.ripe.net.
    ns.dns.br.
    rip.psg.com.
    --
    ns2.gip.net.
    ns1.gip.net.
    ns2.ceniai.net.cu.

randy --- Q: Because it reverses the logical flow of conversation. A: Why is top posting frowned upon?
Re: Blocking International DNS
as for the alt root servers idea, in case you didnt see this: http://twitter.com/brokep/status/8779363872935936 (Nods to Richard Sexton :) /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: Blocking International DNS
Super unnecessary. If you want to be outside the grasp of U.S. law find yourself a ccTLD. Jeff On Mon, Nov 29, 2010 at 11:56 PM, Ken Chase k...@sizone.org wrote: as for the alt root servers idea, in case you didnt see this: http://twitter.com/brokep/status/8779363872935936 (Nods to Richard Sexton :) /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Blocking International DNS
On Tue, Nov 30, 2010 at 12:52:50AM -0500, Jeffrey Lyon said: Super unnecessary. If you want to be outside the grasp of U.S. law find yourself a ccTLD. Perhaps for his reasons at the time yes, but I'm applying it to the topic of the suspended-for-now-bill that allows blocking of any domain in the US. Alt root servers, as mentioned, would solve this. (And an encrypted p2p alt root system perhaps running on dynamic ports would be harder to block.) /kc -- Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: Blocking International DNS
* Suresh Ramasubramanian (ops.li...@gmail.com) wrote: This isnt new - there have been proposals elsewhere for a resolver based blacklist of child porn sites. Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries. The list is maintained by the police (rikskriminalen), they have also published statistics on how many evil access attempts to child porn that they have blocked, i.e. legitimating their existence. They do however fail to mention that browsers usually resolve all links on the webpage it loads so it only takes a look at a page that links to an illegal site for the filter to score a hit... and pr0n pages tend to have a lot of links.. And once you get these things in place you never know where it will end... Cheers, /jkm
Re: Blocking International DNS
Joakim Aronius joa...@aronius.com writes: * Suresh Ramasubramanian (ops.li...@gmail.com) wrote: This isn't new - there have been proposals elsewhere for a resolver based blacklist of child porn sites. Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries. Yes, this has already spread to a number of European countries: http://circamp.eu/ And once you get these things in place you never know where it will end... Unfortunately, yes. We already have a pretty ugly example of that: Telenor (Norwegian ISP) was sued by the music and film industry with a demand that Telenor should block all access to The Pirate Bay. The suggested method was abusing this DNS filter to block access to a number of Pirate Bay domains. Luckily the Norwegian court system does sometimes work: http://www.reuters.com/article/idUS401576177920091106 But history usually repeats itself, so I assume this idea will come up again. And again. And again. Bjørn
Re: Blocking International DNS
On Thu, 25 Nov 2010, Bjørn Mork wrote: Joakim Aronius joa...@aronius.com writes: * Suresh Ramasubramanian (ops.li...@gmail.com) wrote: This isnt new - there have been proposals elsewhere for a resolver based blacklist of child porn sites. Swedish ISPs are required to enforce a DNS blacklist for childporn, perhaps also other European countries. Yes, this has alrady spread to a number of European countries: http://circamp.eu/ And once you get these things in place you never know where it will end... Now i know NANOG should not carry political discussion, but really, we should not even -need- to lobby. Unlike the self-proclaimed entertainment industry we, the isps, OWN AND OPERATE a critical infrastructure, of which the governments in the past have proven incapable of running something like that themselves (you end up with a 1970s style telephone network every time they try ;) They simply need to be explained that the internet is a take it or leave it deal. Countries that work against us, should simply be LEFT. close your offices, fire everyone, pay your taxes somewhere else, fuck them. option B is a hostile takeover on the entire entertainment industry, in order to get rid of them, by using the massive amounts of cashflow available in our industry, all of those companies, disney, vivendi (universal) viacom, etc are on the stock exchange, and therefore vulnerable to hostile takeovers and fucking around with their listing by means of options. They have started a war with the wrong motherfuckers... just that the wrong motherfuckers need to figure out that not all connected parties are working in the interest of the internet, several (disney, time warner) are trying to take control over the internet and make it a one way broadcast system that only carries THEIR content to THEIR viewers. We still are in a position to stop them, i say we should. 
Besides, court orders only hold any value for specific countries, i'm quite sure you're all quite capable of just shifting your activities/billing to another one, as are we (and pretty much in real time as well :P should the situation require that.
Re: Blocking International DNS
On Nov 19, 2010, at 3:45 PM, Marshall Eubanks wrote: It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote : COICA appears to be dead for this year. Ron Wyden (D Oregon) has put a hold on COICA, basically a threat of a Filibuster. This will probably kill it for now, as time is running out in this lame duck session. If this holds, the bill would have to start from scratch next year. http://www.unitethecows.com/content/321-coica-halted-following-controversy.html Regards Marshall http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804 I claim operational content for this as, on the basis of court orders, i.e. a temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities it requires that, for foreign domain names, (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; This expedited DNS cutoff is only available for copyright violations, not for other illegalities. Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely. Regards Marshall
Re: Blocking International DNS
On 2010-11-22, at 00:00, Jeffrey Lyon wrote: Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe /sarcasm You don't think (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above? Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of reasonable steps. I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers. Joe
Re: Blocking International DNS
On 11/22/2010 10:25 AM, Joe Abley wrote: You don't think (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above? Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of reasonable steps. I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers. And where would the list that we need to block be gotten from? --Curtis
Re: Blocking International DNS
You don't think (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above? Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of reasonable steps. I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers. It's funny, isn't it, didn't we just finish convincing the government of the need for DNSSEC, making the DNS system more resistant to some forms of tampering? ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Blocking International DNS
On 2010-11-22, at 10:43, Joe Greco wrote: It's funny, isn't it, didn't we just finish convincing the government of the need for DNSSEC, making the DNS system more resistant to some forms of tampering? I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. This would in effect be a selective denial of service attack to DNS clients. DNSSEC provides no integrity protection over that type of interference -- you need to get an answer for the answer to have a signature, and without a signature there's nothing to check. Joe
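Joe's point about SERVFAIL, worked through as an added example (this is not code from the thread or from any of the posters). The block builds a few constructed DNS wire-format replies for a hypothetical name, blocked.example., and shows what a DNSSEC-aware client can do with each: an answer or NXDOMAIN for a zone the client knows is signed either carries RRSIG/NSEC records to verify or is detectably bogus, while a SERVFAIL carries no RRset at all, so there is nothing to validate and the client's only option is to ask a different resolver. The RRSIG and NSEC rdata are placeholder bytes; no signature is actually verified. The function names and the 192.0.2.0/24 addresses are this example's own choices.

```python
"""Classify what a DNSSEC-validating client can conclude from a resolver reply.

Added example, not code from the thread. It builds constructed DNS
wire-format replies for the hypothetical name blocked.example. and sorts
them into: validate (has RRSIG/NSEC to check), bogus (signed zone but no
signatures), or no-data (SERVFAIL: nothing to validate). RRSIG rdata is
placeholder bytes; no cryptographic verification is performed here.
"""
import struct

TYPE_A, TYPE_RRSIG, TYPE_NSEC, CLASS_IN = 1, 46, 47, 1
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
QNAME = "blocked.example."                  # hypothetical name


def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_reply(qname, rcode, answers=(), authority=()):
    """Constructed reply: header, one A question, then RRs given as (type, rdata).
    RR owner names use a compression pointer to the question name (0xC00C)."""
    flags = 0x8180 | rcode                      # QR, RD, RA; AD deliberately clear
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for rtype, rdata in list(answers) + list(authority):
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return hdr + body


def parse_reply(msg):
    """Return (qname, rcode, [record types in answer+authority+additional])."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                # qtype + qclass
    types = []
    for _ in range(an + ns + ar):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return qname, flags & 0xF, types


def classify(msg):
    """Verdict for a reply about a name in a zone the client knows is signed."""
    _qname, rcode, types = parse_reply(msg)
    if rcode == RCODE_SERVFAIL:
        return ("no-data", "SERVFAIL carries no RRset and no signature; nothing to validate, "
                           "the only recourse is another resolver")
    if rcode == RCODE_NXDOMAIN:
        if TYPE_NSEC in types and TYPE_RRSIG in types:
            return ("validate", "NXDOMAIN with signed NSEC: authenticated denial, check the RRSIG")
        return ("bogus", "NXDOMAIN without signed NSEC: unauthenticated denial for a signed zone")
    if rcode == RCODE_NOERROR and TYPE_A in types:
        if TYPE_RRSIG in types:
            return ("validate", "A RRset with RRSIG: verify against the DNSKEY chain of trust")
        return ("bogus", "A RRset without RRSIG: forged or signature stripped")
    return ("indeterminate", f"rcode {rcode}, types {types}")


# Constructed sample replies. Addresses are RFC 5737 documentation space.
A_RDATA = bytes([192, 0, 2, 10])
REDIRECT_RDATA = bytes([192, 0, 2, 99])     # a block-page address
FAKE_RRSIG = b"\x00" * 18                    # placeholder, not a real signature
FAKE_NSEC = encode_name("c.example.") + b"\x00\x01\x40"  # placeholder type bitmap

SAMPLES = {
    "honest": build_reply(QNAME, RCODE_NOERROR, answers=[(TYPE_A, A_RDATA), (TYPE_RRSIG, FAKE_RRSIG)]),
    "forged_redirect": build_reply(QNAME, RCODE_NOERROR, answers=[(TYPE_A, REDIRECT_RDATA)]),
    "fake_nxdomain": build_reply(QNAME, RCODE_NXDOMAIN),
    "signed_nxdomain": build_reply(QNAME, RCODE_NXDOMAIN,
                                   authority=[(TYPE_NSEC, FAKE_NSEC), (TYPE_RRSIG, FAKE_RRSIG)]),
    "servfail": build_reply(QNAME, RCODE_SERVFAIL),
}


def classify_all(samples=SAMPLES):
    return {name: classify(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, (verdict, why) in classify_all().items():
        print(f"{name:16} {verdict:13} {why}")
```

The "bogus" verdicts are the cases DNSSEC was built for: a forged A record pointing at a block page, or an NXDOMAIN with no NSEC, both fail validation and a validating stub refuses them. The SERVFAIL case is the one Joe describes: the resolver hands back an error with an empty answer section, the validator has no RRSIG to check, and the failure is indistinguishable from a genuinely broken resolver. A client that wants to tell the difference has to repeat the query through a resolver it trusts, which is exactly what the "intercept off-network resolvers" reading of the bill would prevent.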
Re: Blocking International DNS
On Nov 22, 2010, at 7:25 AM, Joe Abley wrote: On 2010-11-22, at 00:00, Jeffrey Lyon wrote: Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe /sarcasm You don't think (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; could be taken as a requirement for providers to intercept attempts to use off-network DNS resolvers and manage such requests to meet the end goal above? Given that many providers already do this (for whatever reason), it's not much of a stretch to see someone declaring that such behaviour falls under the umbrella of reasonable steps. I'm not suggesting that I think any of this is reasonable or sensible, but it does seem to imply an operational burden on service providers. If it does, then, you'll find open tunnel servers providing tunnels to off-shore DNS services. Sigh. I really wish congress had better things to do than getting into a technology arms race with the people of the united states. Oh, wait, they do have better things to do, they just aren't doing them. Owen
Re: Blocking International DNS
On 2010-11-22, at 10:35, Curtis Maurand wrote: And where would the list that we need to block be gotten from? bittorrent? :-)
Re: Blocking International DNS
On Nov 22, 2010, at 10:48 PM, Joe Abley wrote: I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. Quantifying the negative performance impact of SERVFAIL on various stub resolvers might provide some useful data points in any 'official' discussions which arise on this topic. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Blocking International DNS
The more I think about this COICA deal the more I can't even fathom how it could be implemented. If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers? Unless we're talking about keeping DNS traffic confined to the ISP's network. Then what's to stop a global HOSTS.TXT from circulating via torrent? It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics. -wil On Nov 22, 2010, at 4:21 PM, Dobbins, Roland wrote: On Nov 22, 2010, at 10:48 PM, Joe Abley wrote: I guess if the manner of the interception was to send back SERVFAIL to DNS clients whose queries were (in some sense) objectionable, the result would be that the clients were not able to resolve the (in some sense) bad names. Quantifying the negative performance impact of SERVFAIL on various stub resolvers might provide some useful data points in any 'official' discussions which arise on this topic. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Blocking International DNS
On 11/22/2010 07:47 PM, Wil Schultz wrote: The more I think about this COICA deal the more I can't even fathom how it could be implemented. If an upstream server won't resolve, what's to stop a network admin from using an offshored DNS server, or even the root servers? The way I read it it's specifically aimed at whoever is running the resolver, ISP or otherwise. Querying recursively starting at the root would be a violation then. (hence my comment earlier about taking my recursor from my cold dead hands.) So, short of actually searching out and confiscating or destroying uncensored resolvers (like the ones, 5th amendment notwithstanding, that will continue to run on each of my notebooks, even if just for spite if the law passes.), or raiding ICANN guns drawn and ordering removal of non compliant ccTLDs from the root, IMHO enforcement would be pretty much impossible. Unless we're talking about keeping DNS traffic confined to the ISP's network. tunneled connections. unless all IP traffic is kept to a specific ISP, in which case the I would become a misnomer, and would be easier said than done. Then what's to stop a global HOSTS.TXT from circulating via torrent? Hey as long as it's not a DNS server. :P It's shortsighted and problematic, which is usually what happens when technical discussions are dictated by politics. Yup. -- Joe Sniderman joseph.snider...@thoroquel.org
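Wil's "global HOSTS.TXT" idea, as an added example that is not code from the thread: a small converter that takes saved `dig` output (answer sections appended to a file over time) and emits hosts-file lines. It skips dig's `;` comment lines, keeps only A/AAAA records with syntactically valid addresses, and follows CNAME chains so an alias ends up mapped to the addresses of its target, with a hop limit so a CNAME loop in the saved data cannot hang it. The sample input is constructed here, using example.org names and RFC 5737/3849 documentation addresses; the function names are this example's own.

```python
"""Turn saved `dig` answer sections into /etc/hosts lines.

Added example, not code from the thread. The sample input is constructed
(example.org names, RFC 5737/3849 documentation addresses); in practice
the text would come from a file a cron job keeps appending `dig` output to.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: roughly what two `dig` runs append to a backup file.
# One deliberately malformed A record is included to show it is dropped.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.7.1 <<>> A www.example.org
;; QUESTION SECTION:
;www.example.org.\t\tIN\tA

;; ANSWER SECTION:
www.example.org.\t300\tIN\tCNAME\texample.org.
example.org.\t300\tIN\tA\t192.0.2.10
example.org.\t300\tIN\tA\t192.0.2.11

;; ANSWER SECTION:
mirror.example.org.\t60\tIN\tAAAA\t2001:db8::1
mirror.example.org.\t60\tIN\tA\t192.0.2.20
broken.example.org.\t60\tIN\tA\t999.1.1.1
"""


def parse_dig(text):
    """Return ({owner: set(ip)}, {alias: target}) from dig output.

    Comment and blank lines are skipped; only A, AAAA and CNAME records in
    the `owner ttl IN type rdata` form are used. Addresses are validated and
    the record type must match the address family."""
    addrs, cnames = defaultdict(set), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rtype, rdata = parts[0].lower(), parts[3], parts[4]
        if rtype in ("A", "AAAA"):
            try:
                ip = ipaddress.ip_address(rdata)
            except ValueError:
                continue                        # malformed address, drop it
            if (rtype == "A") != (ip.version == 4):
                continue                        # type/family mismatch, drop it
            addrs[owner].add(str(ip))
        elif rtype == "CNAME":
            cnames[owner] = rdata.lower()
    return dict(addrs), cnames


def resolve_alias(name, addrs, cnames, max_hops=8):
    """Follow a CNAME chain until a name with addresses is reached.
    Returns an empty set on a loop, an over-long chain, or a dangling alias."""
    seen = set()
    while name not in addrs and name in cnames:
        if name in seen or len(seen) >= max_hops:
            return set()
        seen.add(name)
        name = cnames[name]
    return addrs.get(name, set())


def hosts_lines(text):
    """Hosts-file lines, one address per line, names without the trailing dot."""
    addrs, cnames = parse_dig(text)
    lines = []
    for name in sorted(set(addrs) | set(cnames)):
        ips = resolve_alias(name, addrs, cnames)
        # sort IPv4 before IPv6, numerically within each family
        for ip in sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                             int(ipaddress.ip_address(s)))):
            lines.append(f"{ip}\t{name.rstrip('.')}")
    return lines


if __name__ == "__main__":
    print("\n".join(hosts_lines(SAMPLE_DIG_OUTPUT)))
```

Two caveats a practitioner would want stated. A hosts file freezes whatever the records were when `dig` ran, so TTLs and later moves are lost, and it cannot express anything but name-to-address (no MX, no SRV). More to the point of this thread, a hosts file passed around over BitTorrent carries no authentication at all: whoever you fetch it from can map any name to any address, so the "who do you trust" problem that drove the discussion of alternate roots does not go away, it just moves to the file's distributor.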
Re: Blocking International DNS
On 11/19/2010 03:45 PM, Marshall Eubanks wrote: It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote : http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804 I claim operational content for this as, on the basis of court orders, i.e. a temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities it requires that, for foreign domain names, (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; So I suppose operation of a recursor requires one to check with the government to see what names it's okay to resolve.. They can have my dns recursor when they pry it from my cold dead hands. Otherwise no. /me waits for the knock at the door and the yell of Search warrant, we hear you're running an uncensored BIND -- Joe Sniderman joseph.snider...@thoroquel.org
Re: Blocking International DNS
This isnt new - there have been proposals elsewhere for a resolver based blacklist of child porn sites. There are also of course the various great firewalls of various countries. In case you'd prefer that to having to blacklist them at your end .. Doing this for trademark infringement is going to be a bit thick though. On Mon, Nov 22, 2010 at 2:02 AM, Joe Sniderman joseph.snider...@thoroquel.org wrote: So I suppose operation of a recursor requires one to check with the government to see what names its okay to resolve.. They can have my dns recursor when they pry it from my cold dead hands. Otherwise no. /me waits for the knock at the door and the yell of Search warrant, we hear you're running an uncensored BIND -- Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Blocking International DNS
Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe /sarcasm Jeff On Sun, Nov 21, 2010 at 11:54 PM, Jeffrey S. Young yo...@jsyoung.net wrote: On 22/11/2010, at 3:37 PM, ML m...@kenweb.org wrote: On 11/19/2010 3:45 PM, Marshall Eubanks wrote: It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote : http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804 I claim operational content for this as, on the basis of court orders, i.e. a temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities it requires that, for foreign domain names, (i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name’s Internet protocol address; This expedited DNS cutoff is only available for copyright violations, not for other illegalities. Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely. Regards Marshall I wonder what would happen if the Comcasts and Verizons of the world threatened a $10 rate hike to cover the added administration and headaches of this silliness? Would joe six pack care? I wonder if simply adding a second, off-shore resolver to Joe six pack's DHCP settings wouldn't circumvent this silliness anyway. It would be Joe's son or daughter who wants to resolve limewire.com (et al.), but wouldn't be that hard. 
jy -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Blocking International DNS
On Mon, Nov 22, 2010 at 12:00:43AM -0500, Jeffrey Lyon said:
> Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe /sarcasm

When I ran a bunch of quake servers last century, I was endlessly frustrated by everyone using the IP addresses and never DNS. I have no idea why. Obviously it wasn't too much of a pain to do that, cuz everyone did it for a long time.

So people will just use other resolvers, or direct IP addresses. (But then so much for http/1.0 virtual hosting, I suppose... not a big deal.)

Don't know what the next law will be - mandatory blackholing of IPs? So then the sites move randomly around /24s or /22s or whole /16s at ISPs. So then blackhole the whole /16 by law? That'll be an interesting internet.

/kc
--
Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.
Re: Blocking International DNS
My two cents is that something like this won't pass until at least 2016 if not 2020.

Jeff

On Mon, Nov 22, 2010 at 12:11 AM, Ken Chase k...@sizone.org wrote:
> On Mon, Nov 22, 2010 at 12:00:43AM -0500, Jeffrey Lyon said:
>> Indeed, offshore resolvers, offshore DNS infrastructure and the progressive's futile attempts at interference with free markets is once again thwarted. We all know that U.S. law helps keep the internet safe /sarcasm
>
> When I ran a bunch of quake servers last century, I was endlessly frustrated by everyone using the IP addresses and never DNS. I have no idea why. Obviously it wasn't too much of a pain to do that, cuz everyone did it for a long time.
>
> So people will just use other resolvers, or direct IP addresses. (But then so much for http/1.0 virtual hosting, I suppose... not a big deal.)
>
> Don't know what the next law will be - mandatory blackholing of IPs? So then the sites move randomly around /24s or /22s or whole /16s at ISPs. So then blackhole the whole /16 by law? That'll be an interesting internet.
>
> /kc
> --
> Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
> Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications - AS32421
First and Leading in DDoS Protection Solutions
Blocking International DNS
It seems that the Combating Online Infringement and Counterfeits Act (COICA) passed through the Senate Judiciary Committee with a unanimous (!) vote:

http://arstechnica.com/tech-policy/news/2010/11/pirate-slaying-censorship-bill-gets-unanimous-support.ars
http://www.govtrack.us/congress/billtext.xpd?bill=s111-3804

I claim operational content for this as, on the basis of court orders, i.e. a temporary restraining order, a preliminary injunction, or an injunction against the domain name used by an Internet site dedicated to infringing activities, it requires that, for foreign domain names,

(i) a service provider, as that term is defined in section 512(k)(1) of title 17, United States Code, or other operator of a domain name system server shall take reasonable steps that will prevent a domain name from resolving to that domain name's Internet protocol address;

This expedited DNS cutoff is only available for copyright violations, not for other illegalities.

Whether this has any chance of actually passing through this Lame Duck Congress remains to be seen, but my personal reading is that that is not likely.

Regards
Marshall