Slashdot Mirror

← Back to Stories (view on slashdot.org)

ISC Offers Response Policy Zones For DNS

Posted by Soulskill on from the cleaning-up-the-e-streets dept.

penciling_in writes "ISC has made the announcement that they have developed a technology that will allow 'cooperating good guys' to provide and consume reputation information about domain names. The release of the technology, called Response Policy Zones (DNS RPZ), was announced at DEFCON. Paul Vixie explains: 'Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. ... If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider. ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define 'the spec' whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.'"

12 of 39 comments (clear)

  1. Could this be used for political purposes? by gameboyhippo · · Score: 2, Insightful

    I'd hate to see what governments do with this technology or rival corporations. Who's to say that Comcast won't make Rural Town's USA's coop appear to be a site with a negative reputation.

    1. Re:Could this be used for political purposes? by N0Man74 · · Score: 3, Interesting

      First of all, didn't they say that the reputation would be determined by "cooperating good guys"? Since when has Comcast ever been described as "cooperative", or "good"? ;-)

      But seriously, reputations aren't usually vetoes where one person can blackball a server, are they? I would imagine that they would realize that it would be a waste of time, given that all of the other "good guys" would collectively carry too much weight for one entity to effectively sabotage.

      I also imagine that they'd realize that this would be a good way to lose credibility as a "good guy", and maybe have it revoked.

      Hopefully the same principal would apply on the other end if a "non-good guy" gets in the system in order to push bad sites.

      I seriously doubt it will be a magic bullet, but it might help.

  2. Bad, bad idea by 6031769 · · Score: 4, Insightful

    I have a lot of time for Paul Vixie, but in this particular case he has come up with a bad idea. This should absolutely not be handled in DNS. There are plenty of reputation-based schemes already in operation for per-protocol black or white listing which work as well (and as badly) as any such scheme can do. There is no need to drag it down to the core, polluting DNS with yet more protocol shenanigans as we do so.

    DNS was always a simple protocol which did one job and did it well. Please stop trying to expand it to solve problems which have already been solved (by those who wish to do so) elsewhere.

    --
    Burns: We're building a casino!
    McAllister: Arrr. Give me 5 minutes.
    1. Re:Bad, bad idea by bersl2 · · Score: 2, Insightful

      Well, at least you always have the option of querying the root servers directly. Surely they won't have this enabled.

  3. A question that comes to mind... by Yaa+101 · · Score: 3, Interesting

    Are we satisfied of that other reputation system called SSL certificates?

    1. Re:A question that comes to mind... by Korin43 · · Score: 2, Informative

      No. SSL certificates are useful for providing encryption and a better sense of security, but they're far too corporate. The certificate companies aren't going to spend much time checking people are who they say they are for a cheap certificate because it will cost them money. Not to mention that they aren't used on most of the internet (because they're a waste of money on personal sites). This creates a way to come up with better security information for every site.

    2. Re:A question that comes to mind... by Dr.+Evil · · Score: 2, Interesting

      The main reason I'm not using them and I'm sure most others aren't is because SSL sucks for virtual hosts. Else, I'd have a self-signed or cacert cert on all my domains.

    3. Re:A question that comes to mind... by _Sprocket_ · · Score: 2, Insightful

      Aren't CAs establishing (at best) identity and not reputation?

  4. Re:Is this really a great feature? by bsDaemon · · Score: 2, Insightful

    It doesn't just prevent the name from resolving, though. It will also return the fact the query was blocked by RPZ via a STATUS code. At that point, I think it should be up to the application, such as the browser, which is causing the DNS query, to read the STATUS code for the query and provide the appropriate message, such as "server not found" in response to a query with an NXDOMAIN status.

    I actually think this is pretty cool and am excited about it, although I suspect that I'm in the minority on this here. Just pretend I said something scary about evil corporate overlords or fascists or whatever.

  5. Vixie and reputation - that's a winner for sure by Whuffo · · Score: 2

    Paul Vixie already has quite the reputation for high-handed wholesale blocking of sites deemed to be improper. MAPS RBL was his baby and while the political fallout from that misadventure cost him much of his reputation - it looks like he's trying to keep at it but put the blame on someone else this time.

    Regardless of that, this scheme will be afflicted with the same problems that MAPS had. When what the people can see or read depends upon the ratings applied by some special (and probably secret) group then they'll twist this power to serve themselves. Malware or spam? Blocked. Porn? Blocked. Negative opinions about the blocking? Blocked. Wrong political position? Blocked. Didn't pay protection or get approval from the government? Blocked.

    Paul Vixie is undeniably talented and knows a lot about networking. But his knowledge of human nature and how society works is woefully inadequate. Something that is always true: when you attempt to apply technological solutions to societal problems, it doesn't solve the problems and introduces new and usually worse problems. See RIAA / MPAA VS. Everyone for insight as to how blocking creates more problems than it solves.

  6. oh, and follow-up by bsDaemon · · Score: 3, Informative

    it looks like you can also define policy in the RPZ zone so that the domain you're trying to block can pointed to a web server were you have a block message up, presumably describing the policy reason that the site is being listed.

    additionally, there is no requirement that says one must subscribed to a Spamhause-style service, that's just a hypothetical option. Besides, if your recursive DNS servers are blocking stuff you want to get to anyway, you can choose different ones, or set up your own. Setting up BIND as a recursive DNS server is ridiculously easy, and you can ignore RPZ zones to your hearts content then.

  7. This could be good, this could be bad... by mrbene · · Score: 2, Informative

    A whole lot depends on implementation. The initial intent seems to be to provide a mechanism of blocking domain names that have just been created and have high probability of being phishing/spamming/whatever nefarious. Theoretically, DNS could be updated to include the age of the record to help clients make up their own minds of whether to connect or not, but then you'd start on a slippery slope of additional information about records.

    By building the protocol around a layer of abstraction, additional information can be considered - the actual IP that it's resolving to, how rapidly that's changing, how many different domain names are being created against the netblock that this one is created against, and so on. Much richer information, and theoretically can provide much more useful results.

    The implementation? It's going to be problematic for some, since the decision is being made by a 3rd party as to what is trusted. But this is the case with many ISPs DNS servers anyway - if it doesn't resolve, you end up at a search page instead of getting a DNS error. This won't affect the majority of users in a way they perceive. Is that a good thing? Most of the time...

    Overall, if the DNS server I used was smart enough to prevent successful lookups of records created recently (>1 day), records associated with IPs that saw more than n records added per time period, and a maybe one or two other basic things, I'd probably have a significantly reduced vulnerability to drive by downloads, bots depending on fast fluxing C&C servers, and other actively nefarious threats.