Discuss mailing list

[Verax <verax AT 8chan.co>]

Filtering .bit domains is going to do precisely nothing to combat
malware.  Malware authors are using it because it's simple.  If we block
them, they'll just go on to using a different method.

I'm not saying we should just ignore it, but it's a false measure, and
has some rather nasty implications.  If you ask me, it's really not our
problem to fix.  Censorship is.

Protecting our operators from shamhouse and the like is important, so if
we need to have blacklists on some servers, that's fine.  It just needs
to be documented on the servers page.

Love,
Verax

On 08/02/2017 06:08 PM, Calum McAlinden wrote:
> While using whitelisting on port 53 and not on other ports would likely
> remove the Spamhaus issue for the time being, it doesn't address the
> root cause of IPs OpenNIC's servers being embedded in malware for DNS
> lookups of command and control servers via .bit, as the malware could
> also do the lookups on the alternative port.
> 
> As I mentioned, the issue for me personally is nothing to do with
> Spamhaus; I intended to write to the mailing list regarding the issue
> when I became aware of this malicious use-case of OpenNIC before the
> Spamhaus issue came about.
> 
> On 02/08/17 22:03, Jeff Taylor wrote:
>> Well I got my whitelist access issue sorted out.  Funny thing is I
>> think I had an open resolver running on the old ISP as well.  Now it's
>> working properly so it will resolve any of my local domains for
>> everyone, but only resolve recursively to those who are whitelisted. 
>> That should also resolve my issues with spamhaus and anyone else who
>> wants to pretend like they are the guardians of the internet.
>>
>> The filter has been pulled from ns1.co.us.dns.opennic.glue, it is once
>> again fully resolving the internet.
>>
>> I agree that we should not be bullied by entities such as spamhaus. I
>> mean, they're a great filter, I use the myself on my mail servers, but
>> they are certainly NOT going to stop the spam problem by blacklisting
>> all opennic servers.  However you have to keep in mind that opennic is
>> run by *volunteers*.  We don't all have money to pay for both our
>> private connections AND a hosted server, and some concessions should
>> be made since this whole project started out on people's home servers
>> and many of us still run services from there.
>>
>> Whitelisting is certainly an option though.  That's what I do (or
>> *thought* I was doing) and when it's working properly it should
>> prevent any such issues from outside entities blocking us.  However
>> perhaps it is time to reconsider a 'filtered' option?  A number of
>> servers run on multiple ports... what if we had a domain blacklist
>> distributed through the API that would allow people to run filtered
>> DNS queries on port 53, but allow unrestricted queries through an
>> alternate port?  For that matter, I could even see running
>> whitelisting on port 53 and unrestricted access on an alternate port. 
>> There are any number of possibilities available here, so I don't think
>> we should discount any options that allow our members to continue
>> running their public servers without harassment.
>>
>>
>> On 08/02/2017 02:16 PM, Al Beano wrote:
>>> Why does it matter? Spamhaus can make as many lists as they want,
>>> OpenNIC doesn't answer to them.
>>>
>>> If they're going to do this, I think it's best to concede that you
>>> can't run DNS and mail on a single server — I'd rather that than be
>>> bullied by Spamhaus.
>>>
>>
>>
>>
>>
>>
>> --------
>> You are a member of the OpenNIC Discuss list.
>> You may unsubscribe by emailing
>> discuss-unsubscribe AT lists.opennicproject.org
>>
> 
> 
> 
> 
> --------
> You are a member of the OpenNIC Discuss list. 
> You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
>

Attachment: signature.asc
Description: OpenPGP digital signature