Mailing List Archive

Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
According to Bryan Fields <Bryan@bryanfields.net>:
>On 10/25/23 4:58 PM, Compton, Rich A wrote:
>> Charter uses threat intel from Akamai to block certain "malicious" domains.
>
>Does charter do this on signed domains too?

Of course.

If you want to run your own DNSSEC resolver and bypass their malware
protection, you are welcome to do so. But for obvious good reasons,
the vast majority of their customers don't.

R's,
John
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
On 10/27/23 7:49 AM, John Levine wrote:
> But for obvious good reasons,
> the vast majority of their customers don't

I'd argue that as a service provider deliberately messing with DNS is an
obvious bad thing. They're there to deliver packets.
--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
It appears that Bryan Fields <Bryan@bryanfields.net> said:
>On 10/27/23 7:49 AM, John Levine wrote:
>> But for obvious good reasons,
>> the vast majority of their customers don't
>
>I'd argue that as a service provider deliberately messing with DNS is an
>obvious bad thing. They're there to deliver packets.

For a network feeding a data center, sure. For a network like
Charter's which is feeding unsophisticated nontechnical users, they
need all the messing they can get.

If you're one of the small minority of retail users that knows enough
about the technology to pick your own resolver, go ahead. But it's
a reasonable default to keep malware out of Grandma's iPad.

R's,
John
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
> On Oct 27, 2023, at 14:20, John Levine <johnl@iecc.com> wrote:
>
> It appears that Bryan Fields <Bryan@bryanfields.net> said:
>> On 10/27/23 7:49 AM, John Levine wrote:
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>>
>> I'd argue that as a service provider deliberately messing with DNS is an
>> obvious bad thing. They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead. But it's
> a reasonable default to keep malware out of Grandma's iPad.
>
> R's,
> John

If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

DNS isn’t the right place to attack this, IMHO.

Owen
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
On 10/27/23 2:20 PM, John Levine wrote:
> It appears that Bryan Fields <Bryan@bryanfields.net> said:
>> On 10/27/23 7:49 AM, John Levine wrote:
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>> I'd argue that as a service provider deliberately messing with DNS is an
>> obvious bad thing. They're there to deliver packets.
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead. But it's
> a reasonable default to keep malware out of Grandma's iPad.

How does this line up with DoH? Aren't they using hardwired resolver
addresses? I would hope they are not doing anything heroic.

Mike
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
When you have a sufficiently large mass of non-technical end users,
inevitably some percentage of them will end up doing something like
enabling WAN-interface-facing remote admin access, which then gets pwned and
turned into a botnet. It's a real problem at scale: compromised CPE routers,
in addition to people visiting virus/trojan-laden webservers and infecting
their endpoint devices.

Good example:

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389



On Fri, Oct 27, 2023 at 3:37 PM John Levine <johnl@iecc.com> wrote:

> It appears that Bryan Fields <Bryan@bryanfields.net> said:
> >On 10/27/23 7:49 AM, John Levine wrote:
> >> But for obvious good reasons,
> >> the vast majority of their customers don't
> >
> >I'd argue that as a service provider deliberately messing with DNS is an
> >obvious bad thing. They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead. But it's
> a reasonable default to keep malware out of Grandma's iPad.
>
> R's,
> John
>
Re: Charter DNS servers returning malware filtered IP addresses
* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
>If it’s such a reasonable default, why don’t any of the public
>resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

It's generally a service that's offered for money. Quad9 definitely
offer it: https://www.quad9.net/service/threat-blocking


>DNS isn’t the right place to attack this, IMHO.

Why not (apart from a purity argument), and where should it happen
instead? As others pointed out, network operators have a vested
interest in protecting their customers from becoming victims to
malware.


-- Niels.
Re: Charter DNS servers returning malware filtered IP addresses
>> DNS isn’t the right place to attack this, IMHO.
>
> Why not (apart from a purity argument), and where should it happen instead? As others pointed out, network operators have a vested interest in protecting their customers from becoming victims to malware.


Takedowns of the hostile target sites.

You dismiss the purity argument, but IMHO, there’s merit to the purity argument.

Any such DNS filtration, if provided, should be provided on an opt-in basis, not as a default.

I’ve seen plenty of situations where the filters were just plain wrong and if the end user didn’t actively choose that filtration, the target site may be victimized without anyone knowing where to go to complain.

Owen
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

Oh my, you walked right into that one.

https://www.quad9.net/service/threat-blocking/

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

I'm also surprised nobody seems familiar with Vixie's Response Policy
Zones, a widely supported way to put DNS filtering rules into your own DNS
cache.

https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf


Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: Charter DNS servers returning malware filtered IP addresses
It appears that <niels=nanog@bakker.net> said:
>* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
>>If it’s such a reasonable default, why don’t any of the public
>>resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>
>It's generally a service that's offered for money. Quad9 definitely
>offer it: https://www.quad9.net/service/threat-blocking

Not really for money. Quad9, Cloudflare, and OpenDNS provide filtered DNS for free.

There are expensive versions for enterprise networks but there's
plenty of malware filtering DNS for users.

I'm with you about the purity argument. While it certainly would be
possible to use DNS filtering for political reasons (the "family
friendly" versions arguably do that), the amount of malware and phish
is a large and real threat.

By the way, don't miss Interisle's new report on the cybercrime
supply chain. They (we, actually) found five million domains
used in crime, of which at least a million were registered only to do crime.

https://interisle.net/CybercrimeSupplyChain2023.html

R's,
John
Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses
It appears that Michael Thomas <mike@mtcc.com> said:
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead. But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>
>How does this line up with DoH? Aren't they using hardwired resolver
>addresses? I would hope they are not doing anything heroic.

Generally, no. I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.

At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox. Firefox responded with a lame hack
where you can tell your cache to respond to some name and if so
Firefox will use your resolver.

R's,
John
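John's mention of Response Policy Zones a few messages up, and the "tell your cache to respond to some name" hook for Firefox's DoH fallback in this reply, both come down to policy records served from the resolver's own zone. The following is an added example, not code from the thread or from BIND: a small Python evaluator for the QNAME trigger of an RPZ zone, fed by a constructed zone file. The apex rpz.example and the names under .test are placeholders; use-application-dns.net is the canary name Firefox queries before enabling DoH (an NXDOMAIN answer keeps it on the local resolver).

```python
"""RPZ QNAME-trigger evaluation, as a resolver cache would apply it.

Added example (not from the NANOG thread or from any resolver). Policy
records use the standard RPZ RDATA encodings:
  CNAME "."             -> answer NXDOMAIN
  CNAME "*."            -> answer NODATA (NOERROR, empty answer)
  CNAME "rpz-passthru." -> exempt this name from policy
  CNAME "rpz-drop."     -> drop the query silently
  anything else         -> "local data": a walled-garden / sinkhole answer
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

RPZ_APEX = "rpz.example."   # placeholder policy zone name

# Constructed sample zone; .test names are reserved and never resolve for real.
CONSTRUCTED_RPZ_ZONE = """\
; owner names are absolute and live under the policy zone apex
malware.test.rpz.example.             CNAME .              ; NXDOMAIN
*.malware.test.rpz.example.           CNAME .              ; ...and its subdomains
good.malware.test.rpz.example.        CNAME rpz-passthru.  ; exempt one host
tracker.test.rpz.example.             CNAME *.             ; NODATA
phish.test.rpz.example.               A     192.0.2.1      ; sinkhole (TEST-NET-1)
*.phish.test.rpz.example.             A     192.0.2.1
use-application-dns.net.rpz.example.  CNAME .              ; Firefox DoH canary
"""


@dataclass(frozen=True)
class Decision:
    action: str                               # PASSTHRU|NXDOMAIN|NODATA|DROP|LOCAL_DATA
    trigger: Optional[str] = None             # policy owner (apex stripped) that fired
    rdata: Optional[Tuple[str, str]] = None   # (rrtype, value) for LOCAL_DATA


def _normalize(name: str) -> str:
    """Lower-case and make absolute, since DNS names compare case-insensitively."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_rpz_zone(text: str, apex: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'owner [TTL] [IN] TYPE RDATA' lines into {trigger: (type, rdata)}."""
    apex = _normalize(apex)
    policy: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        owner, rrtype, rdata = _normalize(parts[0]), parts[-2].upper(), parts[-1]
        if not owner.endswith("." + apex):
            raise ValueError(f"{owner} is not under policy zone {apex}")
        policy[owner[: -len(apex)]] = (rrtype, rdata)   # keep trigger's trailing dot
    return policy


def candidate_triggers(qname: str) -> Iterator[str]:
    """Exact name first, then a wildcard at each ancestor, most specific first."""
    q = _normalize(qname)
    yield q
    labels = q.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:]) + "."


def evaluate(qname: str, policy: Dict[str, Tuple[str, str]]) -> Decision:
    """Return the policy decision for a query name; no match means PASSTHRU."""
    for trigger in candidate_triggers(qname):
        rec = policy.get(trigger)
        if rec is None:
            continue
        rrtype, rdata = rec
        if rrtype == "CNAME" and rdata in (".", "*.", "rpz-passthru.", "rpz-drop."):
            action = {".": "NXDOMAIN", "*.": "NODATA",
                      "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}[rdata]
            return Decision(action, trigger)
        return Decision("LOCAL_DATA", trigger, (rrtype, rdata))
    return Decision("PASSTHRU")


POLICY = parse_rpz_zone(CONSTRUCTED_RPZ_ZONE, RPZ_APEX)

if __name__ == "__main__":
    for q in ["www.malware.test", "good.malware.test", "tracker.test",
              "login.phish.test", "use-application-dns.net", "example.org"]:
        print(f"{q:26s} -> {evaluate(q, POLICY)}")
```

Because the exact-name record is tried before any wildcard, a passthru entry for one host carves it out of a wildcard block on its parent, which is how an operator corrects the "just plain wrong" filter entries mentioned later in the thread without dropping the whole rule.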
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
----- Original Message -----
> From: "Owen DeLong via NANOG" <nanog@nanog.org>

>> For a network feeding a data center, sure. For a network like
>> Charter's which is feeding unsophisticated nontechnical users, they
>> need all the messing they can get.
>>
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead. But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>>
>> R's,
>> John
>
> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

It's a reasonable default behavior *for default resolver servers for consumer
eyeball networks*.

I knew that was what John meant, and I can't see any reason why you wouldn't
know it too, Owen; this isn't your first rodeo, either.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
I'd agree and disagree. Filtering the default ISP-provided DNS server
for consumers and possibly small business: reasonable, not without some
issues, but reasonable. Comcast-style filter servers that intercept all
DNS headed to other DNS servers, redirect it to your own servers,
and make it difficult to disable: unreasonable. If people deliberately
choose to use different DNS, do NOT override that choice at an ISP level
(corporate/business firewalls are a bit of a different story). Offering
security-filtered DNS as a default ISP-provided server is a value add
for many non-technical users; filtering beyond security or making it
difficult to use other DNS servers is a detriment to users.

My view on small businesses with static addresses is a little more
complex. They are more likely to be doing things the filtering might
break, but many of those things are also best done while running your
own recursive resolver, so it may not actually matter that much. But
definitely don't do a forced DNS server via redirection of all DNS
queries for such users; honestly, don't ever do that as an ISP without
specific direct opt-in, not opt-in by not fighting with sales to remove
a line from an order, or other "opt-in" that isn't actually customer-
initiated informed opt-in. I'm looking at you, Comcast.

On 10/27/2023 5:20 PM, John Levine wrote:
> It appears that Bryan Fields <Bryan@bryanfields.net> said:
>> On 10/27/23 7:49 AM, John Levine wrote:
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>>
>> I'd argue that as a service provider deliberately messing with DNS is an
>> obvious bad thing. They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead. But it's
> a reasonable default to keep malware out of Grandma's iPad.
>
> R's,
> John
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
> On Oct 28, 2023, at 10:28, Jay R. Ashworth <jra@baylink.com> wrote:
>
> ----- Original Message -----
>> From: "Owen DeLong via NANOG" <nanog@nanog.org>
>
>>> For a network feeding a data center, sure. For a network like
>>> Charter's which is feeding unsophisticated nontechnical users, they
>>> need all the messing they can get.
>>>
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead. But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>>>
>>> R's,
>>> John
>>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>
> It's a reasonable default behavior *for default resolver servers for consumer
> eyeball networks*.
>
> I knew that was what John meant, and I can't see any reason why you wouldn't
> know it too, Owen; this isn't your first rodeo, either.

I knew that’s what he meant and I know what you mean. I still don’t agree.

Owen
Re: Charter DNS servers returning malware filtered IP addresses
>
> DNS isn’t the right place to attack this, IMHO.
>
...

> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.


Not much different from IP geolocation. Probably not the right solution to
many things, but people do it anyway, often causing problems that people
don't know where to go to complain about.


On Fri, Oct 27, 2023 at 10:14 PM Owen DeLong via NANOG <nanog@nanog.org>
wrote:

> >> DNS isn’t the right place to attack this, IMHO.
> >
> > Why not (apart from a purity argument), and where should it happen
> instead? As others pointed out, network operators have a vested interest in
> protecting their customers from becoming victims to malware.
>
>
> Takedowns of the hostile target sites.
>
> You dismiss the purity argument, but IMHO, there’s merit to the purity
> argument.
>
> Any such DNS filtration, if provided, should be provided on an opt-in
> basis, not as a default.
>
> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.
>
> Owen
>
>
Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses
I agree it actually is wise for them to offer a filtered service for those
that want it, but opt-in for sure.

On Fri, Oct 27, 2023, 12:35 PM Bryan Fields <Bryan@bryanfields.net> wrote:

> On 10/27/23 7:49 AM, John Levine wrote:
> > But for obvious good reasons,
> > the vast majority of their customers don't
>
> I'd argue that as a service provider deliberately messing with DNS is an
> obvious bad thing. They're there to deliver packets.
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
>
>
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:

> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> DNS isn’t the right place to attack this, IMHO.

Are we sure that the filtering is done in the default view - I would suggest the user check to ensure they don't have a filtering service (e.g. parental controls/malware protection) turned on. In my **personal** opinion, the default view should have DNSSEC validation & no filtering; users can always optionally select additional protection services that might include DNS-based filtering as well as other mechanisms.

JL
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
On Mon, 30 Oct 2023, Livingood, Jason wrote:
> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
>
> Are we sure that the filtering is done in the default view - I would suggest the user check to ensure they don't have a filtering service (e.g. parental controls/malware protection) turned on. In my **personal** opinion, the default view should have DNSSEC validation & no filtering; users can always optionally select additional protection services that might include DNS-based filtering as well as other mechanisms.

At Quad9 they are clear that 9.9.9.9 is filtered. Cloudflare 1.1.1.1 is
unfiltered, 1.1.1.2 filters malware, 1.1.1.3 malware and stuff unsuitable
for children.

I have no idea whether Charter uses one of these, some other third party,
or their own. We must know someone there who could tell us.

Regards,
John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
On 10/30/23, 16:02, "John R. Levine" <johnl@iecc.com> wrote:

> I have no idea whether Charter uses one of these, some other third party,
or their own.

They don't use those providers as far as I am aware. I've alerted someone from CHTR of this thread.

JL
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
No, Charter doesn't use those. Charter runs its own anycasted recursive nameservers.

On 10/30/23, 2:46 PM, "NANOG on behalf of Livingood, Jason via NANOG" <nanog-bounces+rich.compton=charter.com@nanog.org on behalf of nanog@nanog.org> wrote:

On 10/30/23, 16:02, "John R. Levine" <johnl@iecc.com> wrote:


> I have no idea whether Charter uses one of these, some other third party,
or their own.


They don't use those providers as far as I am aware. I've alerted someone from CHTR of this thread.


JL
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
> On Oct 30, 2023, at 07:58, Livingood, Jason <jason_livingood@comcast.com> wrote:
>
> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
>
> Are we sure that the filtering is done in the default view - I would suggest the user check to ensure they don't have a filtering service (e.g. parental controls/malware protection) turned on. In my **personal** opinion, the default view should have DNSSEC validation & no filtering; users can always optionally select additional protection services that might include DNS-based filtering as well as other mechanisms.
>
> JL
>

Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, not spam, etc.
If you want unfiltered, they offer 9.9.9.10.

Cloudflare offers two different filtered services, but 1.1.1.1 remains unfiltered.

1.1.1.2 is “No Malware”
1.1.1.3 is “No Malware or Adult Content”

So yes, apparently one (and only one) public resolver now filters by default.

I stand by my statement… It should be an opt-in choice, not a default.

Owen
Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses
Agreed, it should be 100% opt-in… and I don’t even like the idea of providing filtered DNS at all.

But sadly, judging by the number of neighborhood Facebook group posts I see from people complaining about “their wifi being down” during yet another fiber cut, there are an increasingly large number of end users that expect their ISPs to provide a 100% idiot-proof solution. Security filtering is part of that solution, along with all of the ’set and forget’ mesh wifi systems that clog up spectrum worse than an overdriven CB radio.

Certainly not bulletproof, but as the movie “Idiocracy” turns more and more into a documentary, I think solutions like this will become more commonplace. As long as clueful users can disable it without trouble, I’m perfectly fine with it.

> On Oct 30, 2023, at 6:00 PM, Owen DeLong via NANOG <nanog@nanog.org> wrote:
>
>
>
>> On Oct 30, 2023, at 07:58, Livingood, Jason <jason_livingood@comcast.com> wrote:
>>
>> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>>
>>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>>> DNS isn’t the right place to attack this, IMHO.
>>
>> Are we sure that the filtering is done in the default view - I would suggest the user check to ensure they don't have a filtering service (e.g. parental controls/malware protection) turned on. In my **personal** opinion, the default view should have DNSSEC validation & no filtering; users can always optionally select additional protection services that might include DNS-based filtering as well as other mechanisms.
>>
>> JL
>>
>
> Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, not spam, etc.
> If you want unfiltered, they offer 9.9.9.10.
>
> Cloudflare offers two different filtered services, but 1.1.1.1 remains unfiltered.
>
> 1.1.1.2 is “No Malware”
> 1.1.1.3 is “No Malware or Adult Content”
>
> So yes, apparently one (and only one) public resolver now filters by default.
>
> I stand by my statement… It should be an opt-in choice, not a default.
>
> Owen
>
Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses
On 10/28/23 3:13 AM, John Levine wrote:
> It appears that Michael Thomas <mike@mtcc.com> said:
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead. But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>> How does this line up with DoH? Aren't they using hardwired resolver
>> addresses? I would hope they are not doing anything heroic.
> Generally, no. I believe that Chrome probes whatever resolver is configured
> into the system and uses that if it does DoH or DoT.
>
> At one point Firefox was going to send everything to their favorite
> DoH resolver but they got a great deal of pushback from people who
> pointed out that they had policies on their networks and they'd have
> to ban Firefox. Firefox responded with a lame hack
> where you can tell your cache to respond to some name and if so
> Firefox will use your resolver.

That's probably what I'm remembering with Firefox. But doesn't probing
the local resolver sort of defeat the point of DoH? That is, I really
don't want my ISP to be able to snoop on my DNS history. Sending it off
to one of the well known resolvers at least gives me a chance to know
whether they are evil or not because there aren't very many of them vs
every random ISP out there. Since nobody but people like us know about
those resolvers it seems to me that without preconfiguration meaningful
DoH is pretty limited?

Or maybe I just don't understand what problem they were trying to solve?

Mike
Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses
> On Nov 1, 2023, at 13:28, Michael Thomas <mike@mtcc.com> wrote:
>
>
> On 10/28/23 3:13 AM, John Levine wrote:
>> It appears that Michael Thomas <mike@mtcc.com> said:
>>>> If you're one of the small minority of retail users that knows enough
>>>> about the technology to pick your own resolver, go ahead. But it's
>>>> a reasonable default to keep malware out of Grandma's iPad.
>>> How does this line up with DoH? Aren't they using hardwired resolver
>>> addresses? I would hope they are not doing anything heroic.
>> Generally, no. I believe that Chrome probes whatever resolver is configured
>> into the system and uses that if it does DoH or DoT.
>>
>> At one point Firefox was going to send everything to their favorite
>> DoH resolver but they got a great deal of pushback from people who
>> pointed out that they had policies on their networks and they'd have
>> to ban Firefox. Firefox responded with a lame hack
>> where you can tell your cache to respond to some name and if so
>> Firefox will use your resolver.
>
> That's probably what I'm remembering with Firefox. But doesn't probing the local resolver sort of defeat the point of DoH? That is, I really don't want my ISP to be able to snoop on my DNS history. Sending it off to one of the well known resolvers at least gives me a chance to know whether they are evil or not because there aren't very many of them vs every random ISP out there. Since nobody but people like us know about those resolvers it seems to me that without preconfiguration meaningful DoH is pretty limited?

The point of DoH is to move the ability to monetize your DNS history away from the public resolver world and into the hands of the content providers and other DoH providers.

I’m not sure I see that as an improvement, but I guess it depends on who you want to donate to.

Personally, I run my own resolvers and that doesn’t leak any data that wouldn’t have to be leaked anyway (after all, the DoH resolvers have to query the upstream authoritative servers on my behalf anyway, and with EDNS0, they’re likely passing along enough to deanonymize those queries, at least in my case).

YMMV

Owen