[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

Andre

Your rhetoric makes it quite clear that you have taken a position and will stick to it. That’s fine. We’ll just have to agree to disagree.

All the best

Simon

> On 3 Jan 2017, at 10:30, ox <andre at ox.co.za> wrote:
> 
> On Tue, 3 Jan 2017 10:07:36 +0000
> Simon Forster <simon-lists at ldml.com> wrote:
>> Hello Andre
>> 
> Hello Simon,
> 
>> An interesting take on a mechanism that’s been available for close to
>> 7 years now
> 
> And, from the first DNS servers there has been people that has resolved
> example.com to whatever IP they choose... so what?
> 
> Many large ISP's resolve sadfgsdjfgn4563456346.com to their own home
> page (or a "register this domain") page -- even though whatever
> question was asked - is not registered at all.
> 
> When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> suddenly "the way things work" - then this is of serious concern.
> 
> Your reply, in a nutshell is: "This is the way things work, there is
> nothing wrong with it and if you do not like it setup your own
> resolvers"
> 
> My objections are easy: Defining a clear standard on how DNS tells lies
> to users, and different lies to different users, depending on which
> user is doing the asking, and then hiding the truth of your lies from
> your users, is EVIL!
> 
> Allowing the easy management of "private Internet" in as a standard, is
> EVIL
> 
> RPZ is the start of the end of the open and free Internet.
> 
>> Largely I believe you’re on the wrong track with your post — at
>> pretty much every level. Response Policy Zones (RPZ’s aka DNS
>> firewalls) are a powerful tool to allow individuals, organisations or
>> society better to control access to the darker corners of the
>> internet. As per Vixie’s original paper (see above reference), this
>> can circumvent a lot of harm for the average user.
>> 
> 
> as I said: trillions of domain names can resolve to ONE ip number.
> 
> a "DNS firewall" is a silly technical argument against abuse.
> 
> What is of concern is "private" internets and this "standard" allowing
> easy management of lies - and then doing it in the dark, so that users
> have no way of knowing that they are being lied to (or "protected")
> 
>> As with any powerful tool, it can be used with ill intent but
>> overall, this is a useful addition to an organisation’s security
>> arsenal. 
>> 
> 
> Distributing hacker and cracker tools is also fine, I guess. But it is
> very wrong to define actual standards for how to break into servers and
> networks. - And making that a standard.
> 
>> You express concerns wrt governments. Governments have a tendency to
>> do what what they want to do irrespective of the tools available to
>> them — after all, compliance with their rules is not their problem,
>> they just need to prosecute those that fail to follow the new rules.
>> 
> Also, it allows and empowers dictators (AND CRIMINALS) - and now the
> dictators can say: This is a "standard" the Internet community accepts
> that this is the methods and protocols for "protecting" my "users" 
> 
> Yes, Governments do what they want - but defining a standard on how to
> tell lies and in such a way that your "users" do not know if they are
> being lied to - is nefarious and evil.
> 
> Your objection to my allegations are quite suspect as you have not
> mentioned one single technical reason why making this EVIL method of
> operation is not abuse?
> 
>> Irrespective of any philosophical objections you’re throwing out
>> here, the resolution to your problem is incredibly simple — run your
>> own recursive resolver. In this day and age an incredibly simple
>> thing to do (which is another, markedly different problem).
>> 
> 
> Sure, and run my own Internet?
> 
> This is exactly the point.
> 
>> 
>>> On 2 Jan 2017, at 06:48, ox <andre at ox.co.za> wrote:
>>> Hello,
>>> 
>>> I wish everyone a prosperous & productive 2017
>>> 
>>> I wish to cast light on an abuse issue that has the potential to
>>> effect, affect and impact the entire Internet
>>> As among the proponents of this abuse are certain Government
>>> Security Agencies and many other powerful forces, I beg with you to
>>> attempt to understand how the changes being effected right now, also
>>> affects yourself right now and how it will affect you in the
>>> future. 
>>> My idea with this post is three fold, firstly, to educate, secondly
>>> to open discussion and thirdly to agitate for change.
>>> DNS Abuse
>>> ----------------
>>> Sometimes abuse is creeping, like weed in a garden it becomes more
>>> and more and more and does not just happen overnight. In fact, it is
>>> so creeping that we do not really see the weeds as we have become
>>> used to seeing them.
>>> 
>>> Just because there are so many weeds, it does not change the fact
>>> that they are weeds and, in a well maintained garden, they need to
>>> be eradicated for the well being of all the plants in the garden.
>>> 
>>> To understand how this is even abuse, and how this will change your
>>> own life and the Internet in the future, you need to also understand
>>> some basic facts. The arguments for, against the standards, the
>>> basic tech concepts, the functional aspects and then understand why
>>> this is actually abuse and not just an evil movement, evil
>>> standards or generally just plain old evil.  
>>> 
>>> Some important concepts in order to understand the technical logic
>>> and the "explained purpose" and then, importantly, "the real
>>> purpose" of the abusers:
>>> 
>>> Trillions of domain names can resolve to a single ipv4 ip number
>>> So, you could have ex.example.com and ex1.example.com and
>>> cat.example.com - and have the same for unlimited names from
>>> unlimited TLD to a SINGLE ip number.
>>> 
>>> All Domain names are intellectual property - yes, even
>>> abc.dsrtif.dsaurthp.example.com
>>> 
>>> If a DNS server is asked for an IP number for google.com and it
>>> answers 127.0.0.1 to one user and 0.0.0.0 to a different user
>>> (makes up its own answers)  - This is simply fraud. as google.com
>>> is a trademark. 
>>> (replace google.com with apple.com or ibm.com facebook.com or
>>> any.example.com)
>>> 
>>> The proponents of DNS abuse argue that they are 'protecting'
>>> innocent users by using DNS as a 'firewall' to create 'walled
>>> gardens' and to respond to one ip number for a certain set of users
>>> and a different ip number for different sets of users
>>> 
>>> Of course, this argument is fatally flawed as per my example above.
>>> Their response is that there is sometimes multi homed ip numbers
>>> (100 domains on a single ip number) and that blocking per ip number
>>> blocks innocent domains as well. 
>>> 
>>> In order for you to form your own opinion you need to know that the
>>> majority of DNS servers use the same software and that there are new
>>> standards being introduced to formalize Internet Fraud. This
>>> Internet Fraud empowers African Dictators to easily justify 'walled
>>> garden' countries and is set to revolutionize your own Internet
>>> access. It also empowers, facilitates and allows easy management
>>> to aggressive ISP's, multi nationals and many nefarious groups and
>>> people to manage their activities. So, not only does the new
>>> software 'functionality' exist, but it is being legitimized and
>>> formalized by https://www.ietf.org/ 
>>> (whom, ironically, states:The goal of the IETF is to make the
>>> Internet work better.)
>>> 
>>> In a nutshell, the above illustrates that the DNS software used by
>>> almost all of the Internet is to have functionality that allows DNS
>>> operators to LIE to users, but to lie one lie to some/certain users
>>> and another LIE to different sets of users (depending on whom is
>>> doing the asking) 
>>> 
>>> That is not all...
>>> 
>>> It also allows the DNS operators to hide  the truth of these lies...
>>> 
>>> and that is not all...
>>> 
>>> The https://www.ietf.org/  is set to legitimize this nefarious
>>> behavior under the flag of decency and good Internet operations.
>>> 
>>> So, it would be perfectly fine and acceptable for everyone to start
>>> doing this, as it will be a 'standard' 
>>> 
>>> What this means for you: The future Internet will not be free and
>>> open.
>>> 
>>> Engineers supporting a non functional and fatally flawed approach to
>>> abuse is an indication of a far more serious problem - you need to
>>> think about that for yourself, and what that means.
>>> 
>>> Of course, this in itself is abuse. This entire situation is
>>> Internet Abuse and needs to be discussed as abuse.
>>> 
>>> Andre
>>> 
>>> --
>>> more technical information:
>>> https://tools.ietf.org/html/draft-vixie-dns-rpz-00