[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity
Simon Forster
simon-lists at ldml.com
Tue Jan 3 14:14:48 CET 2017
Andre

Your rhetoric makes it quite clear that you have taken a position and will stick to it. That’s fine. We’ll just have to agree to disagree.

All the best

Simon

> On 3 Jan 2017, at 10:30, ox <andre at ox.co.za> wrote:
>
> On Tue, 3 Jan 2017 10:07:36 +0000
> Simon Forster <simon-lists at ldml.com> wrote:
>> Hello Andre
>>
> Hello Simon,
>
>> An interesting take on a mechanism that’s been available for close to
>> 7 years now
>
> And, from the first DNS servers there have been people that have resolved
> example.com to whatever IP they choose... so what?
>
> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own home
> page (or a "register this domain") page -- even though whatever
> question was asked - is not registered at all.
>
> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> suddenly "the way things work" - then this is of serious concern.
>
> Your reply, in a nutshell is: "This is the way things work, there is
> nothing wrong with it and if you do not like it set up your own
> resolvers"
>
> My objections are easy: Defining a clear standard on how DNS tells lies
> to users, and different lies to different users, depending on which
> user is doing the asking, and then hiding the truth of your lies from
> your users, is EVIL!
>
> Allowing the easy management of "private Internet" in as a standard, is
> EVIL
>
> RPZ is the start of the end of the open and free Internet.
>
>> Largely I believe you’re on the wrong track with your post — at
>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
>> firewalls) are a powerful tool to allow individuals, organisations or
>> society better to control access to the darker corners of the
>> internet. As per Vixie’s original paper (see above reference), this
>> can circumvent a lot of harm for the average user.
>>
>
> as I said: trillions of domain names can resolve to ONE ip number.
>
> a "DNS firewall" is a silly technical argument against abuse.
>
> What is of concern is "private" internets and this "standard" allowing
> easy management of lies - and then doing it in the dark, so that users
> have no way of knowing that they are being lied to (or "protected")
>
>> As with any powerful tool, it can be used with ill intent but
>> overall, this is a useful addition to an organisation’s security
>> arsenal.
>>
>
> Distributing hacker and cracker tools is also fine, I guess. But it is
> very wrong to define actual standards for how to break into servers and
> networks. - And making that a standard.
>
>> You express concerns wrt governments. Governments have a tendency to
>> do what they want to do irrespective of the tools available to
>> them — after all, compliance with their rules is not their problem,
>> they just need to prosecute those that fail to follow the new rules.
>>
> Also, it allows and empowers dictators (AND CRIMINALS) - and now the
> dictators can say: This is a "standard" the Internet community accepts
> that this is the methods and protocols for "protecting" my "users"
>
> Yes, Governments do what they want - but defining a standard on how to
> tell lies and in such a way that your "users" do not know if they are
> being lied to - is nefarious and evil.
>
> Your objection to my allegations are quite suspect as you have not
> mentioned one single technical reason why making this EVIL method of
> operation is not abuse?
>
>> Irrespective of any philosophical objections you’re throwing out
>> here, the resolution to your problem is incredibly simple — run your
>> own recursive resolver. In this day and age an incredibly simple
>> thing to do (which is another, markedly different problem).
>>
>
> Sure, and run my own Internet?
>
> This is exactly the point.
>
>>
>>> On 2 Jan 2017, at 06:48, ox <andre at ox.co.za> wrote:
>>> Hello,
>>>
>>> I wish everyone a prosperous & productive 2017
>>>
>>> I wish to cast light on an abuse issue that has the potential to
>>> effect, affect and impact the entire Internet
>>>
>>> As among the proponents of this abuse are certain Government
>>> Security Agencies and many other powerful forces, I beg with you to
>>> attempt to understand how the changes being effected right now, also
>>> affects yourself right now and how it will affect you in the
>>> future.
>>>
>>> My idea with this post is three fold, firstly, to educate, secondly
>>> to open discussion and thirdly to agitate for change.
>>>
>>> DNS Abuse
>>> ----------------
>>> Sometimes abuse is creeping, like weed in a garden it becomes more
>>> and more and more and does not just happen overnight. In fact, it is
>>> so creeping that we do not really see the weeds as we have become
>>> used to seeing them.
>>>
>>> Just because there are so many weeds, it does not change the fact
>>> that they are weeds and, in a well maintained garden, they need to
>>> be eradicated for the well being of all the plants in the garden.
>>>
>>> To understand how this is even abuse, and how this will change your
>>> own life and the Internet in the future, you need to also understand
>>> some basic facts. The arguments for, against the standards, the
>>> basic tech concepts, the functional aspects and then understand why
>>> this is actually abuse and not just an evil movement, evil
>>> standards or generally just plain old evil.
>>>
>>> Some important concepts in order to understand the technical logic
>>> and the "explained purpose" and then, importantly, "the real
>>> purpose" of the abusers:
>>>
>>> Trillions of domain names can resolve to a single ipv4 ip number
>>> So, you could have ex.example.com and ex1.example.com and
>>> cat.example.com - and have the same for unlimited names from
>>> unlimited TLD to a SINGLE ip number.
>>>
>>> All Domain names are intellectual property - yes, even
>>> abc.dsrtif.dsaurthp.example.com
>>>
>>> If a DNS server is asked for an IP number for google.com and it
>>> answers 127.0.0.1 to one user and 0.0.0.0 to a different user
>>> (makes up its own answers) - This is simply fraud. as google.com
>>> is a trademark.
>>> (replace google.com with apple.com or ibm.com facebook.com or
>>> any.example.com)
>>>
>>> The proponents of DNS abuse argue that they are 'protecting'
>>> innocent users by using DNS as a 'firewall' to create 'walled
>>> gardens' and to respond to one ip number for a certain set of users
>>> and a different ip number for different sets of users
>>>
>>> Of course, this argument is fatally flawed as per my example above.
>>> Their response is that there is sometimes multi homed ip numbers
>>> (100 domains on a single ip number) and that blocking per ip number
>>> blocks innocent domains as well.
>>>
>>> In order for you to form your own opinion you need to know that the
>>> majority of DNS servers use the same software and that there are new
>>> standards being introduced to formalize Internet Fraud. This
>>> Internet Fraud empowers African Dictators to easily justify 'walled
>>> garden' countries and is set to revolutionize your own Internet
>>> access. It also empowers, facilitates and allows easy management
>>> to aggressive ISP's, multi nationals and many nefarious groups and
>>> people to manage their activities. So, not only does the new
>>> software 'functionality' exist, but it is being legitimized and
>>> formalized by https://www.ietf.org/
>>> (whom, ironically, states: The goal of the IETF is to make the
>>> Internet work better.)
>>>
>>> In a nutshell, the above illustrates that the DNS software used by
>>> almost all of the Internet is to have functionality that allows DNS
>>> operators to LIE to users, but to lie one lie to some/certain users
>>> and another LIE to different sets of users (depending on whom is
>>> doing the asking)
>>>
>>> That is not all...
>>>
>>> It also allows the DNS operators to hide the truth of these lies...
>>>
>>> and that is not all...
>>>
>>> The https://www.ietf.org/ is set to legitimize this nefarious
>>> behavior under the flag of decency and good Internet operations.
>>>
>>> So, it would be perfectly fine and acceptable for everyone to start
>>> doing this, as it will be a 'standard'
>>>
>>> What this means for you: The future Internet will not be free and
>>> open.
>>>
>>> Engineers supporting a non functional and fatally flawed approach to
>>> abuse is an indication of a far more serious problem - you need to
>>> think about that for yourself, and what that means.
>>>
>>> Of course, this in itself is abuse. This entire situation is
>>> Internet Abuse and needs to be discussed as abuse.
>>>
>>> Andre
>>>
>>> --
>>> more technical information:
>>> https://tools.ietf.org/html/draft-vixie-dns-rpz-00