Skip to Content.
Sympa Menu

discuss - Re: [opennic-discuss] letit2 [.] bit blacklist

discuss AT

Subject: Discuss mailing list

List archive

Re: [opennic-discuss] letit2 [.] bit blacklist

Chronological Thread 
  • From: Jeff Taylor <shdwdrgn AT>
  • To: discuss AT
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Fri, 04 Aug 2017 13:26:21 -0600
  • Authentication-results:; dmarc=none
  • Dmarc-filter: OpenDMARC Filter v1.3.0 0A4B72D4CF

I've made some changes to the code and have the blacklist submission portion working with both IPs and domain names now. The IPs would go into a simple BIND9 filter to prevent your server from answering queries from that IP. This could be useful if anyone detects an attack from an IP that is not spoofed (although that rarely happens). The domain names would go into a separate file and reply with for anyone who queried that domain name -- I still have to write the API code to obtain these entries.

Something else that occurred to me while writing this is we could use this same setup for creating custom filters. There have been times when someone asked if opennic supported adult-content filters and such. Since each entry in the blacklist will be tagged with a category, someone could set up a public dns server that sends all queries of adult sites to a custom web page. I know opennic has always been billed as uncensored, but that doesn't prevent us from allowing public servers that are properly marked as having filtered query results.

I had some discussion with someone from spamhaus yesterday regarding this problem with the .bit domains and there is a possibility that they may share their data with us for setting up blacklist entries. Again, use of such data is completely up to the server operator and we would want to properly identify any servers that are giving filtered query results. There was some discussion on IRC about the reliability of the data that spamhaus provides. I asked for more information on how they confirm their entries but haven't heard back yet. It would probably be best if we could also find an alternate source of data for malware hosts, then there would be the possibility of creating filters for websites that only appear in multiple lists (thus helping insure the integrity).

And then there's the whole slippery-slope argument. Of course this is a concern -- if we start filtering anything, what's to stop us from filtering everything? However I think we, as a multinational community, could agree on many things that universally fall under the 'harmful' category. For example, we have already been doing a lot of query filtering over the last few years. Remember the DNS reflection attacks? And the rules on the wiki to limit query speeds or outright block queries matching certain patterns? We are filtering content here but nobody had any objections or claimed we were censoring the internet. Nobody has even questioned the fact that there is no information about rate-limiting on the servers page, despite the fact that many servers use it.

We can argue all day about whether opennic *should* filter content, but in the end there are numerous reasons why individual admins may need to apply filtering and unfortunately some may not have a choice -- either apply filtering or be shut down. We need to accept that some forms of filtering are already in affect and move on. I believe the discussion should start focusing on what filtering we as a group would find acceptable. Do we only care about sites that distribute malware when you visit their page? Do we look at the sites that are hosting malware for download by viruses (I believe this is what spamhaus is targeting)? Would we include home sites for malicious botnets? There's plenty of discussion to be had regarding the categorys.

I'll wrap up with my own viewpoint on the matter... I've heard from many opposed to filtering that it's not our job to police the internet. That's all well and good, but then why bother taking measures to prevent reflection attacks that use your dns server? The attack isn't hurting YOUR computer, other than saturating your internet connection. However some people have to pay for the amount of data transferred, so that attack could cause a real monetary impact. Therefore we protect our own machines and our pocketbook. Now consider the effect that malware has on the desktop of a computer-illiterate's machine. It prevents or greatly slows down their internet access. It uses their connection to send out millions of spams. It may even store illegal content on their machine. When I checked for the latest malware .bit queries on my own machines, I saw around 150,000 queries in a 12-hour period! That probably translates to thousands of real desktops that someone is attempting to infect. To me, the question isn't a matter of should we police the internet, but rather why wouldn't we? OpenNic is a powerful tool being hijacked for malicious purposes, but we have the power to stop the threat. Not to mention that it would be detrimental to opennic as a whole if we got a reputation as a source for malware (it only takes one online article to make rumors spread). If you're looking for a reason why any of this matter to *you*, ask yourself how many viruses are out there sending spam to your inbox every day. And how many times have you wondered why doesn't anyone do something about it?

(Yes, I tend to ramble on, but there's a lot going on with this issue and it's difficult to summarize much of it.)

On 08/03/2017 09:19 AM, Jeff Taylor wrote:
Regarding blacklists... First off, yes I would definitely be in favor of such a system, and in fact we already have the initial framework in place. Remember the whitelist API? I also set up a blacklist API with the same code. The data resides in LDAP and is part of the ACL list generated by another API.

After my experiments with blocking an individual domain in BIND yesterday, I believe I could modify the blacklist API to also accept domain names. The ACL file would then create separate entries for the domain names that would feed into a localhost hole. Anyone can pick up these files and use them however they want, and I could even add categories to the entries so that members have even finer control of what they block. As always opennic server operators will be free to operate their servers according to their own rules, however I think it that considering the problems we've seen it would be useful to at least provide the tools to handle the issue for those that want it.

Archive powered by MHonArc 2.6.19.

Top of Page