
discuss - Re: [opennic-discuss] letit2 [.] bit blacklist

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Thu, 03 Aug 2017 09:06:37 -0600

That's not quite true, providing tools to shut down malicious site lookups would have some effect on the problem, even if short-term. Compare it to the spam problem -- would you rather have your email censored by blacklists that are trying to provide reliable data, or would you prefer that your mailbox was completely uncensored and all spam could freely come in? The point is, you make a tool to block a problem area, and yes it only slows them down for a little while, but it also shuts the door on the simplest methods of propagating malware.

I see a lot of complaints here about censorship, but remember that all other domains have an avenue to shut down malware sites. Even most of the opennic TLD charters have a clause regarding abuse, but we don't have that option with .bit. We are still the gatekeepers though. Is it really censorship if you are only blocking domains with the specific intent of hurting others? Are you worried about suppressing a murderer's right to free speech by taking away their gun? Slippery slope be damned, I personally don't feel any need to protect the rights of any domain owner whose sole purpose is to cause harm to other people for the owner's own financial benefit. Keep in mind this is coming from the person who manages .parody sites -- domains whose only purpose is to mock others. There is a big difference between hurting someone's feelings and causing them financial hardship, and this is exactly what malware does.

Regarding blacklists and such... let me start a separate email for that topic..


On 08/02/2017 11:33 PM, Verax wrote:
Filtering .bit domains is going to do precisely nothing to combat
malware. Malware authors are using it because it's simple. If we block
them, they'll just go on to using a different method.

I'm not saying we should just ignore it, but it's a false measure, and
has some rather nasty implications. If you ask me, it's really not our
problem to fix. Censorship is.

Protecting our operators from shamhouse and the like is important, so if
we need to have blacklists on some servers, that's fine. It just needs
to be documented on the servers page.

Love,
Verax

On 08/02/2017 06:08 PM, Calum McAlinden wrote:
While using whitelisting on port 53 and not on other ports would likely
remove the Spamhaus issue for the time being, it doesn't address the
root cause of IPs of OpenNIC's servers being embedded in malware for DNS
lookups of command and control servers via .bit, as the malware could
also do the lookups on the alternative port.

As I mentioned, the issue for me personally is nothing to do with
Spamhaus; I intended to write to the mailing list regarding the issue
when I became aware of this malicious use-case of OpenNIC before the
Spamhaus issue came about.

On 02/08/17 22:03, Jeff Taylor wrote:
Well I got my whitelist access issue sorted out. Funny thing is I
think I had an open resolver running on the old ISP as well. Now it's
working properly so it will resolve any of my local domains for
everyone, but only resolve recursively to those who are whitelisted.
That should also resolve my issues with spamhaus and anyone else who
wants to pretend like they are the guardians of the internet.

The filter has been pulled from ns1.co.us.dns.opennic.glue, it is once
again fully resolving the internet.

I agree that we should not be bullied by entities such as spamhaus. I
mean, they're a great filter, I use them myself on my mail servers, but
they are certainly NOT going to stop the spam problem by blacklisting
all opennic servers. However you have to keep in mind that opennic is
run by *volunteers*. We don't all have money to pay for both our
private connections AND a hosted server, and some concessions should
be made since this whole project started out on people's home servers
and many of us still run services from there.

Whitelisting is certainly an option though. That's what I do (or
*thought* I was doing) and when it's working properly it should
prevent any such issues from outside entities blocking us. However
perhaps it is time to reconsider a 'filtered' option? A number of
servers run on multiple ports... what if we had a domain blacklist
distributed through the API that would allow people to run filtered
DNS queries on port 53, but allow unrestricted queries through an
alternate port? For that matter, I could even see running
whitelisting on port 53 and unrestricted access on an alternate port.
There are any number of possibilities available here, so I don't think
we should discount any options that allow our members to continue
running their public servers without harassment.


On 08/02/2017 02:16 PM, Al Beano wrote:
Why does it matter? Spamhaus can make as many lists as they want,
OpenNIC doesn't answer to them.

If they're going to do this, I think it's best to concede that you
can't run DNS and mail on a single server — I'd rather that than be
bullied by Spamhaus.





--------
You are a member of the OpenNIC Discuss list.
You may unsubscribe by emailing
discuss-unsubscribe AT lists.opennicproject.org



