[dns-operations] FW: [IP] Sonic.net implements DNSSEC, performs MITM

Mark Andrews marka at isc.org
Sat Oct 11 00:01:19 UTC 2014


Assign a couple of EDNS option code points and, if the response
should potentially be filtered, return those code points with a
filter code and an optional URL as the payload, which lands on a page
describing why the response should be filtered, along with the normal
response.  Supporting servers would return the empty option code
if there is no data so that direct requests could be avoided.

The clients can then make a sensible decision based on the returned
code points. 

e.g.
	Adult Only  - added by authoritative servers and/or an RPZ-
		      like mechanism
	15+	    - added by authoritative servers
	12+	    - added by authoritative servers
	Gambling    - added by authoritative servers and/or an RPZ-
		      like mechanism
	Malware	    - added by an RPZ-like mechanism and by authoritative
		      servers for sites which host malware for
		      research purposes.

Some of the above are subjective and would be set based on the rules
of the jurisdiction the primary server is located in.

Add to that a new DNS data type (FILTER) which allows operators to tell
servers to add this code to responses.  An authoritative server would
look for a FILTER RRset when responding and extract the matching
QTYPE to populate the EDNS response.

	FILTER QTYPE CODE [ URL ]

The records could also be directly queried for when you don't get
a response with the option code set.

I suspect most Adult Only sites would add support for this.  They
really don't want underage users and this is a way for them to be
pro-active about stopping underage users using the site.

Web browsers can add support for this without requiring the resolver
library to be updated.

In message <D05DB41F.E4446%jason_livingood at cable.comcast.com>, "Livingood, Jason" writes:
> 
> Noticed this on another list. It made me wonder if it was worth resurrecting & trying to publish this old individual I-D, which contained recommendations for opt-in and opt-out, among other things that would have been useful in this case.
> 
> Old drafts:
> http://tools.ietf.org/html/draft-livingood-dns-malwareprotect-02
> http://tools.ietf.org/html/draft-livingood-dns-redirect-03
> 
> - Jason Livingood
> 
> 
> On 10/10/14, 2:33 PM, "Dave Farber via ip" <ip at listbox.com> wrote:
> 
> ---------- Forwarded message ----------
> From: "Lauren Weinstein" <lauren at vortex.com>
> Date: Oct 10, 2014 2:04 PM
> Subject: [ NNSquad ] "Sonic.net implements DNSSEC, performs MITM against customers. Are they legally liable?"
> To: <nnsquad at nnsquad.org>
> Cc:
> 
> 
> "Sonic.net implements DNSSEC, performs MITM against customers. Are they
> legally liable?"
> 
> (Gmane): http://permalink.gmane.org/gmane.comp.encryption.general/21150
> 
>     > Sonic implemented and deployed DNSSEC - and put it on their shiny
>     > new servers along with an 'RBZ service' that censors supposed malware
>     > and phishing sites.  And while they told their customers about
>     > DNSSEC, they didn't mention the 'RBZ service.'
>     >
>     > They didn't get prior informed consent from their customers.  In fact
>     > they didn't inform their customers, beyond quietly putting up a few
>     > mentions on webpages their customers normally have no reason to look
>     > at.
>     >
>     > They didn't provide a click-through link enabling customers to get the
>     > content anyway.
>     >
>     > And they diverted traffic to a page that does not mention who is doing
>     > the diversion, how, or why, or how to opt out.
>     ...
>     > Black hats immediately found a way to get sites they dislike onto
>     > the list of supposed malware and phishing sites.
>     >
>     > Among the blocked sites:
>     >   Local democratic party campaigners (first post).
>     >
>     >   Financial services and markets - at a crucial time. (page 4).
>     >
>     >   Software development sites (apparently some devs use the same
>     >      utility network libraries used by malware devs, so the
>     >      unknown-because-todays-compilation executables have code
>     >      in common with known malware and aren't on the whitelist...)
> 
>  - - -
> 
> --Lauren--
> Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
> Founder:
>  - Network Neutrality Squad: http://www.nnsquad.org
>  - PRIVACY Forum: http://www.vortex.com/privacy-info
> Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
> Member: ACM Committee on Computers and Public Policy
> I am a consultant to Google -- I speak only for myself, not for them.
> Lauren's Blog: http://lauren.vortex.com
> Google+: http://google.com/+LaurenWeinstein
> Twitter: http://twitter.com/laurenweinstein
> Tel: +1 (818) 225-2800 / Skype: vortex.com
> _______________________________________________
> nnsquad mailing list
> http://lists.nnsquad.org/mailman/listinfo/nnsquad
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
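A worked sketch of the mechanism proposed in the message above: the authoritative side picks the FILTER record matching the QTYPE and emits it as an EDNS option, the client parses the OPT RR and decides what to do. This is an added example, not code from the message, from ISC or from BIND. Everything concrete in it is an assumption: the option code 65001 is taken from the local/experimental range of RFC 6891 rather than an IANA assignment, the payload layout (one filter-code byte followed by an optional UTF-8 URL, empty payload meaning "no data"), the numeric filter codes, and the sample FILTER RDATA and URL are all made up for the example.

```python
"""
Hypothetical EDNS 'filter' option and FILTER RR type as sketched on the
dns-operations list.  Option code, payload layout, numeric filter codes and
the sample zone data below are assumptions for this example only.
"""
import struct

FILTER_OPTION_CODE = 65001  # assumed: RFC 6891 local/experimental range, not IANA-assigned

# Assumed numeric values for the categories listed in the message.
FILTER_CODES = {"ADULT-ONLY": 1, "15+": 2, "12+": 3, "GAMBLING": 4, "MALWARE": 5}
CODE_NAMES = {v: k for k, v in FILTER_CODES.items()}


def parse_filter_rrset(rdata_lines):
    """Parse FILTER RDATA in the form 'QTYPE CODE [URL]' into (qtype, code, url) tuples."""
    rrset = []
    for line in rdata_lines:
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError("bad FILTER rdata: %r" % line)
        qtype, code_name = fields[0].upper(), fields[1].upper()
        if code_name not in FILTER_CODES:
            raise ValueError("unknown filter code %r" % code_name)
        url = fields[2] if len(fields) == 3 else ""
        rrset.append((qtype, FILTER_CODES[code_name], url))
    return rrset


def filter_option_payload(rrset, qtype):
    """Authoritative side: payload for the FILTER entry matching QTYPE, or b'' when there is none."""
    for rtype, code, url in rrset:
        if rtype == qtype.upper():
            return bytes([code]) + url.encode("utf-8")
    return b""  # empty option: 'no data', so the client need not query FILTER directly


def build_opt_rr(options, udp_size=1232):
    """Encode an EDNS(0) OPT pseudo-RR (RFC 6891) carrying the given (code, data) options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    # NAME = root (single zero byte), TYPE = 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags (all zero here), then RDLENGTH.
    return b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata


def parse_opt_rr(wire):
    """Decode an OPT RR from wire format; return (udp_size, {option_code: data})."""
    if len(wire) < 11 or wire[0] != 0:
        raise ValueError("OPT RR must start with the root name")
    rtype, udp_size, _ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rtype != 41:
        raise ValueError("not an OPT RR")
    rdata = wire[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated OPT RDATA")
    options, pos = {}, 0
    while pos < len(rdata):
        code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + olen > len(rdata):
            raise ValueError("truncated EDNS option")
        options[code] = rdata[pos:pos + olen]
        pos += olen
    return udp_size, options


def decode_filter_option(options):
    """Return (code_name, url_or_None), or None when the option is absent or empty."""
    data = options.get(FILTER_OPTION_CODE)
    if not data:
        return None
    name = CODE_NAMES.get(data[0])
    if name is None:
        raise ValueError("unknown filter code %d" % data[0])
    url = data[1:].decode("utf-8") if len(data) > 1 else None
    return name, url


def client_decision(options, blocked_categories):
    """Client policy: the decision is the client's, based on the returned code point."""
    info = decode_filter_option(options)
    if info is None:
        return ("allow", None)
    name, url = info
    return ("block" if name in blocked_categories else "allow", url)


# Constructed sample zone data for the example (not a real site).
FILTER_RDATA = [
    "A ADULT-ONLY https://example.com/why-filtered",
    "AAAA ADULT-ONLY https://example.com/why-filtered",
]


def demo(qtype="A", blocked=("ADULT-ONLY", "MALWARE")):
    """Full round trip: zone data -> EDNS option on the wire -> client decision."""
    rrset = parse_filter_rrset(FILTER_RDATA)
    wire = build_opt_rr([(FILTER_OPTION_CODE, filter_option_payload(rrset, qtype))])
    _, options = parse_opt_rr(wire)
    return client_decision(options, set(blocked))


if __name__ == "__main__":
    print(demo("A"))   # ('block', 'https://example.com/why-filtered')
    print(demo("MX"))  # ('allow', None): empty option, nothing to filter
```

The empty-option case matters for the "avoid a direct request" point in the message: a supporting server always answers with the option, so a client that sees it present but empty knows there is no FILTER data without issuing a second query, while a client that sees no option at all knows the server does not implement the mechanism.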
