[dns-operations] shunning malware-hosting registrars
WBrown at e1b.org
Tue Jan 28 16:45:12 UTC 2014
Stephane Bortzmeyer <bortzmeyer at nic.fr>
> On Tue, Jan 28, 2014 at 10:43:21AM -0500,
> Daniel Sterling <sterling.daniel at gmail.com> wrote
> a message of 31 lines which said:
> > Would it be possible for the larger DNS community to blacklist and
> > stop serving domains from registrars that are known to be friendly
> > to malware authors? For example, the recent FileZilla malware 
> > uses domains hosted by Naunet.ru. The Avast staff say that registrar
> > "ignores requests to suspend illegal domains."
> This goes on a very slippery slope. First, "illegal" does not mean the
> same thing in different countries (showing a female bare breast may be
> illegal in Saudi Arabia but not in Sweden). Second, evaluating if
> something is actually illegal can be tricky, even for a trained
> judge. Third, once you start doing this, you can bet a lot of money
> that many people will request it from you: the entertainment industry,
> the State, the local police, the local cult, etc.
Isn't this the premise of OpenDNS, to filter by altering the data for
sites they deem "harmful"?
> > Browsers such as Chrome and Firefox use a blacklist to discourage
> > users from visiting malware sites, so there is at least some
> > precedent.
> Doing action X in the end points is normal: the user can always choose
> what he wants to see or not. Doing it in the infrastructure (the DNS)
> is a gross violation of network neutrality and a danger for the
> Internet (for instance, it will encourage users to move to
> "alternative" resolvers or systems, which may be actually more
If this were done at the TLD level, this could be a problem. If someone
were to publish a list of suspect domains and a recursive resolver were to
check that list, would that be any different than checking an RBL for
known spam sources? Spamhaus has successfully fought spammers saying "we
don't block, we just publish a list and it is up to the receiving site to
determine whether they want to accept your email."
And such a technology exists and these lists are available, i.e. RPZ.
Spamhaus has their DBL, but those domains are mostly gathered from spam
messages. An RPZ list based on shady registrars would be an interesting
addition to the Internet security landscape.
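The RPZ mechanism the message refers to, as an added example that is not part of the original post or the list archive: a small Python script that turns a published block list into a BIND Response Policy Zone, with an allow-list rendered as rpz-passthru records so a resolver operator can carve out exceptions. The zone name rpz.example, the sample domains and the serial are constructed assumptions.

```python
"""Build a minimal BIND Response Policy Zone (RPZ) from a domain list.

Constructed example: block/allow lists are in-memory sample data, not a real
feed. Owner names are relative to $ORIGIN, as RPZ QNAME triggers are written.
"""

# RPZ actions are encoded as the CNAME target of a record in the policy zone:
#   CNAME .             -> answer NXDOMAIN
#   CNAME rpz-passthru. -> never rewrite (allow-list entry)
NXDOMAIN_ACTION = "."
PASSTHRU_ACTION = "rpz-passthru."


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot; reject empty labels."""
    name = name.strip().lower().rstrip(".")
    if not name or any(not label for label in name.split(".")):
        raise ValueError(f"malformed domain name: {name!r}")
    return name


def rpz_records(block, allow=()):
    """Policy records: each name gets an exact-match and a wildcard owner."""
    allowed = {normalize(d) for d in allow}
    blocked = {normalize(d) for d in block} - allowed
    lines = []
    for d in sorted(allowed):  # exceptions listed first for readability
        lines.append(f"{d} CNAME {PASSTHRU_ACTION}")
        lines.append(f"*.{d} CNAME {PASSTHRU_ACTION}")
    for d in sorted(blocked):
        lines.append(f"{d} CNAME {NXDOMAIN_ACTION}")
        lines.append(f"*.{d} CNAME {NXDOMAIN_ACTION}")
    return lines


def build_zone(origin, serial, block, allow=()):
    """Assemble a loadable zone: $ORIGIN, $TTL, SOA, NS, then policy records."""
    origin = normalize(origin) + "."
    header = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.{origin} {serial} 3600 900 604800 300",
        "@ NS localhost.",
    ]
    return "\n".join(header + rpz_records(block, allow)) + "\n"


if __name__ == "__main__":  # constructed sample names, not real indicators
    print(build_zone("rpz.example", 2014012801, ["bad.example.net",
                     "Evil.Example.ORG."], allow=["good.example.net"]))
```

Loading the resulting file in BIND takes a `zone "rpz.example"` stanza plus `response-policy { zone "rpz.example"; };` in the options; within a policy zone the most specific matching owner name wins, so the passthru entries act as exceptions regardless of record order.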