Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISC Offers Response Policy Zones For DNS

Posted by Soulskill on from the cleaning-up-the-e-streets dept.

penciling_in writes "ISC has made the announcement that they have developed a technology that will allow 'cooperating good guys' to provide and consume reputation information about domain names. The release of the technology, called Response Policy Zones (DNS RPZ), was announced at DEFCON. Paul Vixie explains: 'Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. ... If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider. ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.'"

39 comments

  1. Could this be used for political purposes? by gameboyhippo · · Score: 2, Insightful

    I'd hate to see what governments do with this technology or rival corporations. Who's to say that Comcast won't make Rural Town's USA's coop appear to be a site with a negative reputation.

    1. Re:Could this be used for political purposes? by Anonymous Coward · · Score: 0

      Fraud and libel laws I would assume.

    2. Re:Could this be used for political purposes? by Tubal-Cain · · Score: 1

      The legality of an action only matters if you get caught.

    3. Re:Could this be used for political purposes? by N0Man74 · · Score: 3, Interesting

      First of all, didn't they say that the reputation would be determined by "cooperating good guys"? Since when has Comcast ever been described as "cooperative", or "good"? ;-)

      But seriously, reputations aren't usually vetoes where one person can blackball a server, are they? I would imagine that they would realize that it would be a waste of time, given that all of the other "good guys" would collectively carry too much weight for one entity to effectively sabotage.

      I also imagine that they'd realize that this would be a good way to lose credibility as a "good guy", and maybe have it revoked.

      Hopefully the same principal would apply on the other end if a "non-good guy" gets in the system in order to push bad sites.

      I seriously doubt it will be a magic bullet, but it might help.

    4. Re:Could this be used for political purposes? by Sean · · Score: 1

      I was just going to ask that question. What will define reputable?

    5. Re:Could this be used for political purposes? by John+Hasler · · Score: 1

      > What will define reputable?

      Concensus.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. Mysteriously.... by fuzzyfuzzyfungus · · Score: 1

    It suddenly turned out that wikileaks, the piratebay, and anybody affiliated with Falun Gong or the Dalai Llama were all "spammers, e-criminals, and speculators"...

    Well, at least this is a standards-driven OSS-supported alternative to the existing DNS filtering schemes that definitively have never been used for nefarious purposes so far.

  3. Bad, bad idea by 6031769 · · Score: 4, Insightful

    I have a lot of time for Paul Vixie, but in this particular case he has come up with a bad idea. This should absolutely not be handled in DNS. There are plenty of reputation-based schemes already in operation for per-protocol black or white listing which work as well (and as badly) as any such scheme can do. There is no need to drag it down to the core, polluting DNS with yet more protocol shenanigans as we do so.

    DNS was always a simple protocol which did one job and did it well. Please stop trying to expand it to solve problems which have already been solved (by those who wish to do so) elsewhere.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
    1. Re:Bad, bad idea by bersl2 · · Score: 2, Insightful

      Well, at least you always have the option of querying the root servers directly. Surely they won't have this enabled.

    2. Re:Bad, bad idea by Shag · · Score: 1

      There are plenty of reputation-based schemes already in operation for per-protocol black or white listing which work as well (and as badly) as any such scheme can do. There is no need to drag it down to the core, polluting DNS with yet more protocol shenanigans as we do so.

      Given that connections via most protocols are preceded by DNS queries (unless you're using hardcoded IP addresses for everything), I think whether this is or isn't a good idea comes down to one question:

      Are there are lot of domains out there that deserve a bad reputation for things they do on certain ports or over certain protocols, but are otherwise fine and upstanding members of society?

      I think there are plenty of companies out there that are respectable outfits but make some poor choices vis-a-vis email marketing; something like this might provide them the encouragement they need to do the right thing. And most other ways a domain can be evil - protocol-specific though they may be - make spamming look like nothing. Malicious sites, malware, spyware, outright fraud, etc.

      Unless there are domains that are only evil on a single protocol and otherwise are angelic, I'd sooner have things vanish at the initial DNS query, and not worry about consulting a bunch of different blacklists, etc. Seems simpler.

      --
      Village idiot in some extremely smart villages.
    3. Re:Bad, bad idea by TheLink · · Score: 1

      I'm sure a combination of google, twitter, facebook, discussion boards etc can help malware avoid the use of blacklisted DNS domains.

      Nobody is going to blacklist those.

      Is Vixie promoting yet another complicated (or even "Rube Goldberg"ish ) solution to problems?

      --
  4. The Path to Hell is Paved with Good Intentions by Global-Lightning · · Score: 1

    I predict it will take about 0.00000023s for anyone with an agenda and means to manipulate this to their will. Corporate America? The Media? Politics of all types? Government?

    Pick your poison and enjoy it before it kills you.

  5. no thanks by Michael+Kristopeit · · Score: 0, Troll

    i'd rather determine for myself who is worthy of a positive reputation.

  6. A question that comes to mind... by Yaa+101 · · Score: 3, Interesting

    Are we satisfied of that other reputation system called SSL certificates?

    1. Re:A question that comes to mind... by Korin43 · · Score: 2, Informative

      No. SSL certificates are useful for providing encryption and a better sense of security, but they're far too corporate. The certificate companies aren't going to spend much time checking people are who they say they are for a cheap certificate because it will cost them money. Not to mention that they aren't used on most of the internet (because they're a waste of money on personal sites). This creates a way to come up with better security information for every site.

    2. Re:A question that comes to mind... by Dr.+Evil · · Score: 2, Interesting

      The main reason I'm not using them and I'm sure most others aren't is because SSL sucks for virtual hosts. Else, I'd have a self-signed or cacert cert on all my domains.

    3. Re:A question that comes to mind... by _Sprocket_ · · Score: 2, Insightful

      Aren't CAs establishing (at best) identity and not reputation?

    4. Re:A question that comes to mind... by Korin43 · · Score: 1

      Self-signed certificates are one of my biggest problems with SSL. It gives you the same general level of security as SSH[1], but browsers are set up to make people trust sites with self-signed certificates less than site with no certificate.

      [1] You can't be sure it's the right computer the first time you connect (unless you already have the certificate), but every time after that you can know it's the same computer and the connection is encrypted.

    5. Re:A question that comes to mind... by amorsen · · Score: 1

      because SSL sucks for virtual hosts

      This has been fixed with TLS. See SSL with Virtual Hosts Using SNI. It doesn't work with IE6, but then, what does?

      --
      Finally! A year of moderation! Ready for 2019?
    6. Re:A question that comes to mind... by alphatel · · Score: 1

      SSL isn't rep, it's security if you can call it that. And it's opt-in, not forced.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    7. Re:A question that comes to mind... by osgeek · · Score: 1

      According to Wikipedia, it doesn't work on any browser running on Windows XP. Ugh. It'll be 10 years before those things are significantly depleted from the population.

      --
      Why are you letting these clowns ruin our country?
    8. Re:A question that comes to mind... by amorsen · · Score: 1

      Wikipedia is wrong then. Internet Explorer doesn't do SNI on Windows XP, but Firefox is fine. More specifically the library SChannel is broken on XP, and therefore the browsers depending on SChannel have a problem. That includes Internet Explorer and it at least used to include Chrome, although Google has been working on an alternative NSS implementation. It seems that Chrome M6 has the problem fixed.

      --
      Finally! A year of moderation! Ready for 2019?
  7. Is this really a great feature? by drinkypoo · · Score: 1

    Stopping the names from resolving leaves the user wondering whether they're experiencing a network failure. What is needed is a new response, and support for this response, and not simply resolution failure.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Is this really a great feature? by bsDaemon · · Score: 2, Insightful

      It doesn't just prevent the name from resolving, though. It will also return the fact the query was blocked by RPZ via a STATUS code. At that point, I think it should be up to the application, such as the browser, which is causing the DNS query, to read the STATUS code for the query and provide the appropriate message, such as "server not found" in response to a query with an NXDOMAIN status.

      I actually think this is pretty cool and am excited about it, although I suspect that I'm in the minority on this here. Just pretend I said something scary about evil corporate overlords or fascists or whatever.

    2. Re:Is this really a great feature? by drinkypoo · · Score: 1

      It doesn't just prevent the name from resolving, though. It will also return the fact the query was blocked by RPZ via a STATUS code.

      It sounds like it could be a fantastic thing if my web browser does something intelligent with the response code. You can tell I'm too lazy to RTFA

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Check cal by http · · Score: 1

    Is it April Fool's Day already?
    This strikes me as viscerally wrong on so many levels, but one is immediately articulable: This would be an attempt to solve a social issue via technical means, and such efforts are usually doomed to failure. But not before wasting a lot of money, effort, and billable hours...

    --
    If opportunity came disguised as temptation, one knock would be enough.
    3^2 * 67^1 * 977^1
  9. We are not kicking ass and taking names by RevWaldo · · Score: 1

    But we are creating a framework through which names can be taken and through said metadata asses can be located and kicked.

    .

    --
    Prisencolinensinainciusol. Ol Rait!
  10. Vixie and reputation - that's a winner for sure by Whuffo · · Score: 2

    Paul Vixie already has quite the reputation for high-handed wholesale blocking of sites deemed to be improper. MAPS RBL was his baby and while the political fallout from that misadventure cost him much of his reputation - it looks like he's trying to keep at it but put the blame on someone else this time.

    Regardless of that, this scheme will be afflicted with the same problems that MAPS had. When what the people can see or read depends upon the ratings applied by some special (and probably secret) group then they'll twist this power to serve themselves. Malware or spam? Blocked. Porn? Blocked. Negative opinions about the blocking? Blocked. Wrong political position? Blocked. Didn't pay protection or get approval from the government? Blocked.

    Paul Vixie is undeniably talented and knows a lot about networking. But his knowledge of human nature and how society works is woefully inadequate. Something that is always true: when you attempt to apply technological solutions to societal problems, it doesn't solve the problems and introduces new and usually worse problems. See RIAA / MPAA VS. Everyone for insight as to how blocking creates more problems than it solves.

    1. Re:Vixie and reputation - that's a winner for sure by Anonymous Coward · · Score: 0

      And his co-author's site says he won't accept (or rather will silently roundfile) mail from users of gmail and other free mail providers. That's going a bit far.

  11. In unrelated news by Anonymous Coward · · Score: 0

    China has reported that the operating costs of the great firewall are down by 20% this year and Cisco has missed their Q4 earnings by 5%.

  12. oh, and follow-up by bsDaemon · · Score: 3, Informative

    it looks like you can also define policy in the RPZ zone so that the domain you're trying to block can pointed to a web server were you have a block message up, presumably describing the policy reason that the site is being listed.

    additionally, there is no requirement that says one must subscribed to a Spamhause-style service, that's just a hypothetical option. Besides, if your recursive DNS servers are blocking stuff you want to get to anyway, you can choose different ones, or set up your own. Setting up BIND as a recursive DNS server is ridiculously easy, and you can ignore RPZ zones to your hearts content then.

    1. Re:oh, and follow-up by tepples · · Score: 1

      Besides, if your recursive DNS servers are blocking stuff you want to get to anyway, you can choose different ones, or set up your own.

      Unless, for example, your ISP has a transparent proxy that redirects all outgoing traffic to known public recursive servers (e.g. Google's 8.8.4.4) to your ISP's recursive server instead. Do any ISPs in the developed world do this?

  13. And Then What We Really Need by kindbud · · Score: 1

    And Then What We Really Need is a technology that will allow 'cooperating good guys' to provide and consume reputation information about reputation information providers.

    --
    Edith Keeler Must Die
  14. This could be good, this could be bad... by mrbene · · Score: 2, Informative

    A whole lot depends on implementation. The initial intent seems to be to provide a mechanism of blocking domain names that have just been created and have high probability of being phishing/spamming/whatever nefarious. Theoretically, DNS could be updated to include the age of the record to help clients make up their own minds of whether to connect or not, but then you'd start on a slippery slope of additional information about records.

    By building the protocol around a layer of abstraction, additional information can be considered - the actual IP that it's resolving to, how rapidly that's changing, how many different domain names are being created against the netblock that this one is created against, and so on. Much richer information, and theoretically can provide much more useful results.

    The implementation? It's going to be problematic for some, since the decision is being made by a 3rd party as to what is trusted. But this is the case with many ISPs DNS servers anyway - if it doesn't resolve, you end up at a search page instead of getting a DNS error. This won't affect the majority of users in a way they perceive. Is that a good thing? Most of the time...

    Overall, if the DNS server I used was smart enough to prevent successful lookups of records created recently (>1 day), records associated with IPs that saw more than n records added per time period, and a maybe one or two other basic things, I'd probably have a significantly reduced vulnerability to drive by downloads, bots depending on fast fluxing C&C servers, and other actively nefarious threats.

    1. Re:This could be good, this could be bad... by alphatel · · Score: 1

      It seems there is no doubt that this will be used the wrong way. Just look at all the domains that don't resolve which your ISP tries to "help" by sending you to lots of lovely ad pages. What if Wikileaks gets on the Blacklist? No matter what this is goodbye net neutrality.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  15. inside out by reiisi · · Score: 1

    Filtering the DNS should be at the bridge to the LAN, and/or the end-user's machine.

    Reputation belongs on reputation servers. We don't have many of those yet, and what we do have are implemented wrong, but that's where they belong.

    It would be good in many cases for the user's machine to be able to pop up a notice on first access to a domain:

    "This domain has a reputation for attacking visitors with malware."

    or that kind of thing. But that's not DNS, that's reputation, and people should be able/required to choose whom they depend on concerning reputation, generally choosing more than one reputation server.

    Just like when you access your bank, you don't want to depend on the DNS to tell you it's your bank. The best thing there would be to have the bank run three security responders to exchange encrypted tokens with and confirm the server that you are connecting to is the bank's server. Three for redundancy, and encrypted tokens because even the Mac address is not dependable.

    Most of the time, when you're just surfing, you would not need or even want you reputation service to be encrypted. Only when you explicitly tell the browser to check.

    On the other hand, it would be nice to have automatic following redundancy in your DNS path, just to raise the bar against the MIM: your LAN's internal DNS would go ahead and return the IP address given, but then check a different DNS server while you are downloading the first page from that server.

    I suppose a reputation might be useful in determining between a following check and a preceding check.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  16. Ugggh! by Anonymous Coward · · Score: 0

    Wrong wrong wrong wrong wrong!!!!!

    DNS is _NOT_ the place to manage and check reputation. This has been solved elsewhere, further up the network stack, precisely where it belongs. DNS is a simple resolution protocol defined for a very specific purpose. Why the heck is everybody always trying to drive security concerns further and further down the stack? The most secure network is once in which you literally lay the cable for yourself where you have completely physical control over how bits move from place to place. As soon as you decide that's too expensive (like practically every modern network user effectively decided), you begin to give up some level of security. Driving security concerns further and further down the stack simply increases costs for everyone (without asking them whether they want to pay), because you're trying to approximate the security you had when you smelted the copper, laid the wiring, and plugged in the jacks yourself. There is no agreement on what is "secure enough", so you must not drive those concerns down the stack toward a lowest common denominator, rather you must provide an environment where individuals are provided complete visibility to their security situation, and then choose what tools to use ON THEIR OWN to manage that situation.

    Not only that, but "consensus" is a rather poor substitute for known intent. It's ok when we're deciding which youtube videos are sweet, but when we're deciding which sites are accessible/suspect and which aren't, the stakes are far higher, and therefore the desire by those with ill intent to utilize social attack vectors will go up. One need only witness the hundreds of IRC networks that exist to see what happens when "consensus" shifts every direction and networks splinter over trivialities and trumped up charges.