[dns-operations] shunning malware-hosting registrars

DTNX Postmaster postmaster at dtnx.net
Wed Jan 29 16:39:30 UTC 2014

On 29 Jan 2014, at 17:23, Mark E. Jeftovic <markjr at easydns.com> wrote:

> Paul Vixie wrote:
>> what i'm specifically hoping for is total transparency. i consider whois
>> privacy to be a blight on internet cohesiveness -- noone who holds a
>> unique internet identifier should be able to hide behind their lawyer's
>> contact details or their registrar's contact details -- the internet
>> social contract that i remember agreeing to is, if you want me to
>> respect your allocations, then you will use them responsibly.
> I agree with the sentiment that "if you hide your identity, you
> shouldn't be able to send email to me", etc.
> Having said that, I speak as a convert on whois privacy, having
> originally been opposed to it, I came around and see the point in a lot
> of cases (especially since the number one use for whois data is illegal
> data mining anyway)

Total transparency only works when it is enforceable, otherwise you are 
just enabling those who can afford to mask themselves, while giving 
those who have a legitimate use for it a big fat middle finger.

WHOIS privacy does have its uses, as long as you are not running any 
infrastructure under it. If you use the domain as RDNS for any publicly 
accessible servers, particularly those used for sending mail, WHOIS 
privacy pretty much doubles your chances of ending up blacklisted.

>> but it's not just registrants i worry about. we've seen a handful of
>> borderline-to-really bad registrars over the years, who are able to
>> pollute the "internet commons" with malevolent and criminal waste for
>> years at a time until icann or the courts finally have enough evidence
>> to put them out of business. if every domain's registrar were reliably
>> determinable at scale, then after blackholing the 10,000th or so domain
>> from a single registrar, many of us might decide that our best interests
>> lay in blackholing all future domains from that registrar.
> I have long pondered an idea for implementing this sort of mechanism via
> RBLs - and today there is certainly the processing power to do it.
> * An RBL per-registrar where you could simply drop a given registrar's
> domains traffic on the floor
> * RBL per nameserver sets (gets a lot of spammer, malware, botnet, etc)
> * even an RBL for domains with whois privacy enabled, in fact I started
> building this already (now that I think about it, my prototype list
> builder has been turned on for about a year and I haven't looked at it
> in nearly that time)

This occurred to me as well, but I reckon it would need to be a central 
RBL per TLD if that were to work. Otherwise I'd reckon you would run 
into rate limits on queries and such?

The third idea fits RBL mechanics rather well, but how would you 
envision the first idea (dropping anything from a particular registrar) 
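The following is an added illustration, not code from the original message or from any list that either poster proposed. It shows the mechanics a domain-keyed RBL covering ideas one and three would need: normalise a hostname to its registrable domain, build the query name under the list zone, and map the A-record return code to a registrar id and a WHOIS-privacy flag that local policy can act on. The zone name `registrar-rbl.example`, the `127.0.<registrar>.<flags>` return-code convention, the tiny public-suffix set and the sample zone data are all assumptions made up for the example; the resolver is injected so it runs offline, and a live lookup can be plugged in as shown in the comment.

```python
"""Domain-keyed RBL lookup keyed on registrar and WHOIS-privacy status.

Hypothetical example: zone name, return-code encoding and sample data are
assumptions for illustration, not a real list.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set

# Hypothetical list zone. As the reply suggests, a real deployment would more
# likely be one zone per TLD (e.g. "com.registrar-rbl.example").
RBL_ZONE = "registrar-rbl.example"

# Constructed subset; real code should use the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumed return-code convention: 127.0.R.F, R = registrar id, F = flag bits.
PRIVACY_FLAG = 0x01

Resolver = Callable[[str], Optional[str]]  # name -> A record text, None = NXDOMAIN


@dataclass(frozen=True)
class RblResult:
    registrar_id: int
    whois_privacy: bool


@dataclass
class Policy:
    blocked_registrars: Set[int]
    reject_whois_privacy: bool = False


def registrable_domain(host: str) -> Optional[str]:
    """Reduce a hostname to registrable-domain form ("mail.x.com" -> "x.com")."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):  # longest public suffix wins
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None  # bare suffix or unknown TLD: nothing to look up


def rbl_query_name(domain: str, zone: str = RBL_ZONE) -> str:
    # Domain lists are queried as <domain>.<zone> with labels in natural
    # order, unlike IP lists where the octets are reversed.
    return f"{domain}.{zone}"


def decode(answer: str) -> RblResult:
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[:2] != [127, 0]:
        # Anything outside 127.0.0.0/16 signals a broken or defunct zone
        # (e.g. a wildcard that lists everything); never act on it.
        raise ValueError(f"unexpected RBL answer {answer!r}")
    return RblResult(registrar_id=octets[2],
                     whois_privacy=bool(octets[3] & PRIVACY_FLAG))


def lookup(host: str, resolve: Resolver) -> Optional[RblResult]:
    domain = registrable_domain(host)
    if domain is None:
        return None
    answer = resolve(rbl_query_name(domain))
    return None if answer is None else decode(answer)


def decide(host: str, policy: Policy, resolve: Resolver) -> str:
    try:
        hit = lookup(host, resolve)
    except ValueError:
        return "accept:rbl-error"  # fail open, and alert on this in practice
    if hit is None:
        return "accept"
    if hit.registrar_id in policy.blocked_registrars:
        return "reject:registrar"
    if policy.reject_whois_privacy and hit.whois_privacy:
        return "reject:whois-privacy"
    return "accept"


# Constructed sample zone standing in for the real DNS.
SAMPLE_ZONE = {
    "spammy.com." + RBL_ZONE: "127.0.17.1",      # registrar 17, privacy on
    "shop.net." + RBL_ZONE: "127.0.17.0",        # registrar 17, privacy off
    "masked.org." + RBL_ZONE: "127.0.42.1",      # registrar 42, privacy on
    "example.co.uk." + RBL_ZONE: "127.0.42.0",   # registrar 42, privacy off
}


def memory_resolver(name: str) -> Optional[str]:
    return SAMPLE_ZONE.get(name)


# For a live zone with dnspython (assumed available, not used here):
# def live_resolver(name):
#     try:
#         return dns.resolver.resolve(name, "A")[0].to_text()
#     except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
#         return None


if __name__ == "__main__":
    policy = Policy(blocked_registrars={17}, reject_whois_privacy=True)
    for h in ["mail.spammy.com", "www.masked.org", "unlisted.com", "com"]:
        print(h, "->", decide(h, policy, memory_resolver))
```

Rate limiting, the concern raised above, lands on the querying side of this design: every recipient does one lookup per registrable domain, so caching at the resolver and splitting the zone per TLD are what keep query volume tolerable.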
