
Re: [opennic-discuss] botnets mitigation


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: discuss AT lists.opennicproject.org, khovayko AT gmail.com
  • Subject: Re: [opennic-discuss] botnets mitigation
  • Date: Tue, 19 Jun 2018 13:01:03 -0600
  • Authentication-results: mx5.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx5.sourpuss.net AF60F2D714

A user came in asking about a .lib domain today, it seems he was unable to reach this domain using opennic as the resolver.  After some testing we are finding that since a user's IP address is passed as part of the DNS query, they are blocked by your whitelisting.  If someone tries to make a query directly on one of the whitelisted T1 servers then they are able to resolve the emercoin domains.

When we peered with NewNations, I set up a slave on NS2.opennic.glue to keep a copy of their zones to share with opennic.  I attempted to do this with the EmerCoin TLDs (bazar, coin, emc, lib) but found that your seed1 and seed2 servers return NXDOMAIN when I try to download the zone files, and as such I am unable to pull a copy to share with opennic users.

Do you have a server available where I can obtain the TLD zone files?  If this can be set up, then I can share the zones with other T1 servers, however it would be better if all of the T1 operators had the ability to do this.


On 06/10/2018 09:17 PM, Oleg Khovayko wrote:
Let me clarify.

1. Since you already have such filters and cooperation with Spamhaus, botnet owners do not connect to your servers.
2. Instead, botnets connect directly to our servers seed1/seed2, which are used to provide you data from our blockchain zones.
3. As a result, I see many requests to our servers directly from botnets, not from you.
4. I would like to block botnets, and proposed two possible solutions in the initial e-mail.
5. I see the simplest solution on my side: just create a whitelist in our firewall to allow your Tier1 servers only.
6. As a result, fair users will use emerDNS through OpenNIC, and the botnet will not be served.

OK, we'll add such rules to our seed1/seed2 servers tomorrow. No actions are needed from your side.

Thank you for help,
Oleg


Jonah Aragon wrote:
That isn’t what we’re discussing though. As far as I can tell, this thread is only regarding Emercoin shifting responsibility to us. If any of these proposals go through then we’ll need further discussion regarding regulation. 

Jonah

On Sun, Jun 10, 2018 at 7:31 PM Jacob Bachmeyer <jcb62281 AT gmail.com> wrote:
This will not solve the problem of criminal botnets using the system. 
At best, this will force the crooks to start using the OpenNIC DNS
resolvers to control their botnets, which is only a small step up from
directly abusing the Emercoin DNS servers.

If OpenNIC already has an agreement with Spamhaus for blocking botnet
domains, could the Emercoin DNS "window" servers adopt a similar
filter?  Anyone wanting an absolutely uncensored view of Emercoin names
can simply use Emercoin directly, while the public DNS servers would not
resolve domains known to be used for botnet control.

-- Jacob


Jonah Aragon wrote:
> Katie,
>
> I think you misunderstood his second proposal, he wants to only
> whitelist Tier 1 servers, and then the Tier 2 resolvers will slave
> from them (which is current functionality on the srvzone script most
> people use anyways, as far as I know) rather than Emercoin’s own
> servers. That seems like a much more reasonable request, since Tier 1
> servers are generally unchanging, and as such the whitelist would be
> relatively manageable.
>
> Jonah
>
> On Sun, Jun 10, 2018 at 2:43 PM Katie Holly <opennic AT lists.dedilink.eu> wrote:
>
>     Hi Oleg,
>
>     OpenNIC has an active agreement with Spamhaus that they are
>     allowed to feed one of our blacklists (see [0] for more
>     information) that Tier 2 operators can use to block domains solely
>     used for botnet control or other bad things. This was done for
>     other .bit domains that were used for controlling botnets (see [1]
>     for example).
>
>     Tier 1 servers are, as far as I know, under no circumstances
>     allowed to block any kind of domain or IP address. Such censorship
>     would immediately cause your Tier 1 server to be removed from the
>     root zone and replaced by another volunteers server.
>
>     If you do not want to or, more specifically, can not continue serving
>     an uncensored view of the Emercoin zones, please let us know and
>     we'll find a volunteer to run a Tier 1 server as a replacement to
>     yours. This is, at least from what I can see, the only viable
>     solution.
>
>     1. Wouldn't be a good solution IMHO - Yes, it would decentralize
>     the network a bit but block Tier 2 operators from continuing to
>     run their root-hint-only servers, of which there are many.
>     Example for our anycast network: Servers do not store any
>     information on hard disks other than static files pushed into
>     Docker container images on build time and they are not allowed to
>     write to disk and have to use a small (10MB size) tmpfs directory
>     to keep their dynamic data stored.
>
>     2. DNS resolvers do not always use the same IP address for backend
>     queries and frontend service. A DNS server might be reachable at
>     8.8.8.8 or 185.121.177.177, but whenever it needs to query an
>     authoritative DNS server for more information, it uses a backend
>     IP address. For 8.8.8.8 that would be a lot of /24 networks [2];
>     for 185.121.177.177 that would be a lot of IP addresses, fast
>     moving IP addresses, since we utilize cloud services a lot, and you
>     wouldn't be able to keep up with the amount of IP address changes
>     involved in this. This is a problem specific to how anycast works,
>     and we have seen a couple of users hopping onto that anycast service
>     train recently to host their Tier 2.
>
>     Another "solution" I see, which wouldn't be very viable, is to
>     drop the requirement for Tier 2 servers to resolve any crypto
>     domains and allow them to use your suggested solution in point 1
>     if they want to offer crypto TLDs for their users.
>
>     Best regards
>
>     Katie Holly
>
>     [0] https://wiki.opennic.org/api/blacklist
>     [1] https://www.spamhaus.org/sbl/query/SBL325026
>     [2]
>     https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries
>
>     On 06/10/2018 08:21 PM, Oleg Khovayko wrote:
>     > Hi,
>     >
>     > I am representing Emercoin, which has had successful peering with
>     OpenNIC for years.
>     >
>     > However, recently I see that our servers seed1 and seed2, from which
>     OpenNIC requests info about zones .coin/.emc/.bazar/.lib, started
>     being used to control botnets.
>     > There are many requests from different IPs for the same domain name,
>     fields A/TXT.
>     > I analyzed the TXT field in some EmerDNS records, for example:
>     dns:refereefitter.lib
>     > And found there some encrypted strings, which seem like
>     commands to a botnet.
>     > This article contains more information:
>     >
>     https://www.fireeye.com/blog/threat-research/2018/04/cryptocurrencies-cyber-crime-blockchain-infrastructure-use.html
>     >
>     > I would like to continue peering, but do not want to serve
>     criminal botnets.
>     >
>     > I see 2 ways to mitigate this issue:
>     >
>     > 1. Each Tier1 OpenNIC will set up a local Emer node and perform
>     peering to localhost. And we will just discontinue our peering
>     services.
>     > Pros: Quick resolving, best security
>     > Cons: Needs ~1G HDD and 300MB RAM for the running process.
>     >
>     > 2. We can add IP filters to our seed1/seed2, and ban all IPs
>     except the 10 Tier 1 OpenNIC servers.
>     > Pros: Nothing needed to do on OpenNIC side
>     > Cons: Dependence on network, bigger latencies.
>     >
>     > So, I have questions:
>     > 1. If we add DNS filters which include the Tier1 servers, is
>     this enough to continue peering with option 2?
>     > 2. Is it possible to move to option 1, where OpenNIC keeps a
>     local resolver?
>     >
>     > Thanks,
>     > Oleg
>     >
>     >
>     >
>     >
>     >
>     > --------
>     > You are a member of the OpenNIC Discuss list.
>     > You may unsubscribe by emailing
>     discuss-unsubscribe AT lists.opennicproject.org
>     <mailto:discuss-unsubscribe AT lists.opennicproject.org>
>     >
>
>
>
>
>
>
>   









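The indicator Oleg describes in his first message (many different client IPs asking an authoritative server for the same name, A and TXT, with TXT content that looks like ciphertext) can be turned into a check over the server's own query log. The script below is an added example written for this page; it is not code from Emercoin, OpenNIC or any participant in the thread. The log line format, the IP addresses, the domain names, the TXT payloads, the set of peer resolvers to exclude, and all thresholds are constructed assumptions, since the seed servers' real log format is not shown anywhere in the thread.

```python
"""Spot DNS names that behave like botnet rendezvous points in an
authoritative server's query log.

Heuristic from the thread: one name is queried for A/TXT by many distinct
client IPs, and its TXT record carries data that looks encrypted rather
than human-readable. Everything below (log format, IPs, names, TXT
payloads, thresholds) is constructed for this example.
"""
import math
from collections import Counter, defaultdict

# Constructed query log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
SAMPLE_QUERY_LOG = """\
1529000001 198.51.100.7   shop.example.lib   A
1529000002 198.51.100.7   shop.example.lib   TXT
1529000003 203.0.113.9    beacon.example.lib TXT
1529000004 203.0.113.44   beacon.example.lib TXT
1529000005 198.51.100.120 beacon.example.lib A
1529000006 192.0.2.33     beacon.example.lib TXT
1529000007 192.0.2.34     beacon.example.lib TXT
1529000008 192.0.2.35     beacon.example.lib A
1529000009 198.51.100.8   shop.example.lib   A
1529000010 192.0.2.200    beacon.example.lib TXT
"""

# Constructed TXT record contents as the server would hand them out.
SAMPLE_TXT_RECORDS = {
    "shop.example.lib": "v=spf1 include:mail.example.lib -all",
    "beacon.example.lib": "K9xQ2mZ8pL4rT7nWb3Yc6Hd1Jf5Gs0Aq2Ue9Io8Pa7Sd6Fg5Hj4Kl3Zx1Cv2Bn0M",
}

# Constructed address of a peer resolver (e.g. an OpenNIC Tier1) whose queries
# are expected; they must not be counted as "direct" client traffic.
PEER_RESOLVERS = {"192.0.2.200"}

# Prefixes of TXT records in well-known, human-readable formats.
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")


def shannon_entropy(s):
    """Bits per character of s; 6.0 is the ceiling for base64 text."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def txt_looks_encrypted(data, min_len=32, min_entropy=4.8):
    """True for a long, space-free, high-entropy blob with no known format prefix."""
    if data.startswith(KNOWN_TXT_PREFIXES) or " " in data:
        return False
    return len(data) >= min_len and shannon_entropy(data) >= min_entropy


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, qtype = parts
        yield client, qname.lower().rstrip("."), qtype.upper()


def summarize(queries, ignore_sources=frozenset()):
    """Per qname: the set of distinct direct clients and a Counter of qtypes."""
    clients = defaultdict(set)
    qtypes = defaultdict(Counter)
    for client, qname, qtype in queries:
        if client in ignore_sources:
            continue
        clients[qname].add(client)
        qtypes[qname][qtype] += 1
    return clients, qtypes


def flag_suspicious(query_log, txt_records, peers=frozenset(), min_clients=5):
    """Return (qname, distinct_direct_clients, txt_lookups) for names that look
    like C2 rendezvous points, most-queried first.

    A name is flagged when (a) at least min_clients distinct non-peer IPs asked
    for it directly, (b) some of those asks were TXT lookups, and (c) the TXT
    data served for it looks encrypted.
    """
    clients, qtypes = summarize(parse_query_log(query_log), peers)
    hits = []
    for qname, ips in clients.items():
        txt_hits = qtypes[qname]["TXT"]
        if (len(ips) >= min_clients and txt_hits
                and txt_looks_encrypted(txt_records.get(qname, ""))):
            hits.append((qname, len(ips), txt_hits))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for qname, n_ips, n_txt in flag_suspicious(SAMPLE_QUERY_LOG, SAMPLE_TXT_RECORDS, PEER_RESOLVERS):
        print(f"{qname}: {n_ips} distinct direct clients, {n_txt} TXT lookups")
```

Excluding the peer resolvers from the client count is the same distinction Oleg draws between traffic arriving via OpenNIC Tier1 servers and traffic arriving directly from bots. Two caveats from the thread apply to that exclusion list: as Katie notes, a recursive resolver's outgoing (backend) addresses are not its advertised service addresses, so the list has to hold the addresses the peers actually query from; and, as Jacob notes, once direct access is cut off the bots can simply query through an open recursive resolver, at which point this check on the authoritative side sees only the resolver's address and the detection has to move to the resolver's own logs.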



