
Re: [opennic-discuss] letit2 [.] bit blacklist


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org
  • Subject: Re: [opennic-discuss] letit2 [.] bit blacklist
  • Date: Fri, 04 Aug 2017 13:26:21 -0600
  • Authentication-results: mx2.computerrehab.us; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx2.computerrehab.us 0A4B72D4CF

I've made some changes to the code and have the blacklist submission portion working with both IPs and domain names now. The IPs would go into a simple BIND9 filter to prevent your server from answering queries from that IP. This could be useful if anyone detects an attack from an IP that is not spoofed (although that rarely happens). The domain names would go into a separate file and reply with 127.0.0.1 for anyone who queried that domain name -- I still have to write the API code to obtain these entries.

Something else that occurred to me while writing this is we could use this same setup for creating custom filters. There have been times when someone asked if opennic supported adult-content filters and such. Since each entry in the blacklist will be tagged with a category, someone could set up a public dns server that sends all queries of adult sites to a custom web page. I know opennic has always been billed as uncensored, but that doesn't prevent us from allowing public servers that are properly marked as having filtered query results.

I had some discussion with someone from spamhaus yesterday regarding this problem with the .bit domains and there is a possibility that they may share their data with us for setting up blacklist entries. Again, use of such data is completely up to the server operator and we would want to properly identify any servers that are giving filtered query results. There was some discussion on IRC about the reliability of the data that spamhaus provides. I asked for more information on how they confirm their entries but haven't heard back yet. It would probably be best if we could also find an alternate source of data for malware hosts, then there would be the possibility of creating filters for websites that only appear in multiple lists (thus helping insure the integrity).

And then there's the whole slippery-slope argument. Of course this is a concern -- if we start filtering anything, what's to stop us from filtering everything? However I think we, as a multinational community, could agree on many things that universally fall under the 'harmful' category. For example, we have already been doing a lot of query filtering over the last few years. Remember the DNS reflection attacks? And the rules on the wiki to limit query speeds or outright block queries matching certain patterns? We are filtering content here but nobody had any objections or claimed we were censoring the internet. Nobody has even questioned the fact that there is no information about rate-limiting on the servers page, despite the fact that many servers use it.

We can argue all day about whether opennic *should* filter content, but in the end there are numerous reasons why individual admins may need to apply filtering and unfortunately some may not have a choice -- either apply filtering or be shut down. We need to accept that some forms of filtering are already in effect and move on. I believe the discussion should start focusing on what filtering we as a group would find acceptable. Do we only care about sites that distribute malware when you visit their page? Do we look at the sites that are hosting malware for download by viruses (I believe this is what spamhaus is targeting)? Would we include home sites for malicious botnets? There's plenty of discussion to be had regarding the categories.

I'll wrap up with my own viewpoint on the matter... I've heard from many opposed to filtering that it's not our job to police the internet. That's all well and good, but then why bother taking measures to prevent reflection attacks that use your dns server? The attack isn't hurting YOUR computer, other than saturating your internet connection. However some people have to pay for the amount of data transferred, so that attack could cause a real monetary impact. Therefore we protect our own machines and our pocketbook. Now consider the effect that malware has on the desktop of a computer-illiterate's machine. It prevents or greatly slows down their internet access. It uses their connection to send out millions of spams. It may even store illegal content on their machine. When I checked for the latest malware .bit queries on my own machines, I saw around 150,000 queries in a 12-hour period! That probably translates to thousands of real desktops that someone is attempting to infect. To me, the question isn't a matter of should we police the internet, but rather why wouldn't we? OpenNic is a powerful tool being hijacked for malicious purposes, but we have the power to stop the threat. Not to mention that it would be detrimental to opennic as a whole if we got a reputation as a source for malware (it only takes one online article to make rumors spread). If you're looking for a reason why any of this matters to *you*, ask yourself how many viruses are out there sending spam to your inbox every day. And how many times have you wondered why doesn't anyone do something about it?

(Yes, I tend to ramble on, but there's a lot going on with this issue and it's difficult to summarize much of it.)


On 08/03/2017 09:19 AM, Jeff Taylor wrote:
Regarding blacklists... First off, yes I would definitely be in favor of such a system, and in fact we already have the initial framework in place. Remember the whitelist API? I also set up a blacklist API with the same code. The data resides in LDAP and is part of the ACL list generated by another API.

After my experiments with blocking an individual domain in BIND yesterday, I believe I could modify the blacklist API to also accept domain names. The ACL file would then create separate entries for the domain names that would feed into a localhost hole. Anyone can pick up these files and use them however they want, and I could even add categories to the entries so that members have even finer control of what they block. As always opennic server operators will be free to operate their servers according to their own rules, however I think that considering the problems we've seen it would be useful to at least provide the tools to handle the issue for those that want it.
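As an added illustration of the setup described above (IPs into a BIND9 ACL, domain names into a 127.0.0.1 "localhost hole", each entry tagged with a category so an operator chooses what to apply), here is example code that is not part of this thread or of OpenNIC's blacklist API; the feed format, the file paths and the sample entries are assumptions, and malformed lines are dropped rather than copied into the server config.

```python
"""Generate BIND9 filter files from a category-tagged blacklist (example code)."""
import ipaddress
import re

# Assumed feed format: one entry per line, "<ip-or-domain> <category>".
# Constructed sample data, not real indicators; the last line is deliberately junk.
SAMPLE_FEED = """\
203.0.113.7 dos-source
malware-c2-example.bit malware
adult-example.bit adult
not a valid entry
"""

# Hostname-style names only: labels of 1-63 chars, at least two labels.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")

# Zone file every blocked name points at: everything under it resolves to 127.0.0.1.
BLACKHOLE_DB = """\
$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
@   IN A    127.0.0.1
*   IN A    127.0.0.1
"""

def parse_feed(text):
    """Return ([(network, category)], [(domain, category)]); skip malformed lines."""
    ips, domains = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # wrong shape: never let it reach named.conf
        value, category = parts[0].lower(), parts[1].lower()
        try:                              # IPs/CIDRs become normalised networks
            ips.append((str(ipaddress.ip_network(value, strict=False)), category))
            continue
        except ValueError:
            pass
        if DOMAIN_RE.match(value):        # anything else must look like a hostname
            domains.append((value, category))
    return ips, domains

def render_acl(ips, categories):
    """ACL of sources the operator refuses to answer (use as '!blacklist' in allow-query)."""
    body = "".join(f"    {ip};  # {cat}\n" for ip, cat in ips if cat in categories)
    return "acl blacklist {\n" + body + "};\n"

def render_zones(domains, categories, db="/etc/bind/db.blackhole"):
    """One authoritative zone per blocked name, all served from the blackhole file."""
    return "".join(f'zone "{name}" {{ type master; file "{db}"; }};  # {cat}\n'
                   for name, cat in domains if cat in categories)
```

An operator who only wants the malware category passes `{"malware"}` to both render functions; the adult-content entries stay in the feed but never reach that server's config.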
