[dns-operations] shunning malware-hosting registrars

WBrown at e1b.org
Tue Jan 28 16:45:12 UTC 2014

Stephane Bortzmeyer <bortzmeyer at nic.fr>

> On Tue, Jan 28, 2014 at 10:43:21AM -0500,
>  Daniel Sterling <sterling.daniel at gmail.com> wrote 
>  a message of 31 lines which said:
> > Would it be possible for the larger DNS community to blacklist and
> > stop serving domains from registrars that are known to be friendly
> > to malware authors? For example, the recent FileZilla malware [1]
> > uses domains hosted by Naunet.ru. The Avast staff say that registrar
> > "ignores requests to suspend illegal domains."
> This goes on a very slippery slope. First, "illegal" does not mean the
> same thing in different countries (showing a female bare breast may be
> illegal in Saudi Arabia but not in Sweden). Second, evaluating if
> something is actually illegal can be tricky, even for a trained
> judge. Third, once you start doing this, you can bet a lot of money
> that many people will request it from you: the entertainment industry,
> the State, the local police, the local cult, etc.

Isn't this the premise of OpenDNS, to filter by altering the data for 
sites they deem "harmful"?

> > Browsers such as Chrome and Firefox use a blacklist to discourage
> > users from visiting malware sites, so there is at least some
> > precedent.
> Doing action X in the end points is normal: the user can always choose
> what he wants to see or not. Doing it in the infrastructure (the DNS)
> is a gross violation of network neutrality and a danger for the
> Internet (for instance, it will encourage users to move to
> "alternative" resolvers or systems, which may be actually more
> dangerous).

If this were done at the TLD level, this could be a problem.  If someone 
were to publish a list of suspect domains and a recursive resolver were to 
check that list, would that be any different than checking an RBL for 
known spam sources?  Spamhaus has successfully fought spammers saying "we 
don't block, we just publish a list and it is up to the receiving site to 
determine whether they want to accept your email."

And such a technology exists and these lists are available, i.e. RPZ. 
Spamhaus has their DBL, but those domains are mostly gathered from spam 
messages.  An RPZ list based on shady registrars would be an interesting 
addition to the Internet security landscape.

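As an added illustration of the resolver-side list check discussed above (not code from the thread or from any RPZ implementation), here is a small Python evaluator for RPZ QNAME triggers over a constructed policy zone. The zone names are placeholders I chose, and the matching order follows the RPZ convention: exact owner-name match first, then the most specific wildcard.

```python
"""Evaluate RPZ QNAME triggers against a constructed policy zone (added example)."""

# Constructed sample policy zone; owner names are relative to the RPZ apex.
# Placeholder names only, not taken from any real feed or registrar.
SAMPLE_RPZ = """
bad.example            CNAME .                     ; NXDOMAIN
*.bad.example          CNAME .                     ; wildcard covers subdomains
ok.bad.example         CNAME rpz-passthru.         ; exception: exact match wins
noanswer.example       CNAME *.                    ; NODATA
*.sinkhole.example     CNAME walledgarden.example. ; local data (walled garden)
"""

# Special CNAME targets defined by RPZ and the policy action each encodes.
ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def parse_rpz(text):
    """Map each CNAME owner name (lower-cased, no trailing dot) to its action."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        if rtype != "CNAME":
            continue  # this example only handles CNAME-encoded actions
        rules[owner.lower().rstrip(".")] = ACTIONS.get(rdata, f"LOCAL-DATA {rdata}")
    return rules


def lookup(rules, qname):
    """Return the policy action for qname, or None if no trigger matches."""
    name = qname.lower().rstrip(".")
    if name in rules:  # exact match takes precedence over any wildcard
        return rules[name]
    labels = name.split(".")
    # Wildcards need at least one label to the left, so start at index 1;
    # walking from the longest suffix down yields the most specific match.
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


RULES = parse_rpz(SAMPLE_RPZ)
```

Note that the `rpz-passthru.` exception for `ok.bad.example` covers only that exact name; a query for `www.ok.bad.example` still hits the `*.bad.example` wildcard, so an allow-list entry usually needs its own wildcard alongside it.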
