[anti-abuse-wg] DNS Abuse, Abuse of Privacy & Legitimizing Criminal Activity

On Tue, 03 Jan 2017 09:42:38 -0800
"Luis E. Muñoz" <lem at uniregistry.link> wrote:

> On 3 Jan 2017, at 2:30, ox wrote:
> > When it becomes a "STANDARD" (ACCEPTABLE) and nefarious behavior is
> > suddenly "the way things work" - then this is of serious concern.
> 
> You seem to be assigning intent to a tool. A hammer in the hands of
> an artist can produce a beautiful form of art while the same hammer
> can be used to hurt someone. It's not the hammer's fault. Besides,
> RPZ is not a requirement to implement the "walled gardens" you're
> describing. The same thing can be achieved by other, simpler means.
> 

by the same argument then it would be perfectly fine for society to
promote the distribution of DDOS tools, zero day hacking tools and,
well methods to defraud Internet users, define best practise for
Phishing, etc.


and no, of course you do not need RPZ to create "walled gardens"
but discussing it "as normal practice" and "the way DNS works" and
"okay" is what serves to legitimize RPZ as "perfectly fine"

Whereas in truth, it is EVIL.


> > My objections are easy: Defining a clear standard on how DNS tells 
> > lies
> > to users, and different lies to different users, depending on which
> > user is doing the asking, and then hiding the truth of your lies
> > from your users, is EVIL!
> 
> If you find the "lying" unacceptable, then this is what should be 
> targeted, not the tools that are being used -- which BTW have
> positive uses that IMO far outweighs the abuse you're describing.
> Consider this use case: RPZ can be used to prevent a set of known DNS
> names from resolving, stopping the spread of computer malware.
> Moreover, it can also be used to alert operators of infected machines
> that their computers have been compromised.
> 

Trillions and trillions of domain names can resolve to a single ip number.

Please give me one (as in singular) just ONE example of a domain that
has trillions of IP numbers?

Water does not flow uphill. 

DNS firewalls are stupid.

> I'm at least hesitant to describe any of those as lies. It's just a 
> protocol exchange -- my machine asked for a name-to-IP map and
> received a suitable response, even one that actually fitted better
> with my current situation.
> 

You are wrong.

When your user asks you for Google.com and you lie, this is a lie.

It is not just a lie, it is fraud.

If you then still take that a step further and tell different lies to
different users (depends who is asking) 

And, RPZ stil ltakes that a step further, you deceive and hide your
lies from your users

AND RPZ makes the management of this easy and defines methods how this
is done - It is simply a hacking tool that promotes deception, secrets,
fraud and other criminal activity. 

> Granted, this is not the only use case. I dislike walled gardens,
> which is why I take measures to avoid them -- yet I won't attack the 
> underlying technology because as I said, has far more positive uses.
> 

There are many things about RPZ which is wrong - so many that it is EVIL!

And I am happy to discuss all the EVIL bits, which starts at the very foundation of RPZ
and goes all the way up to the roof...
 

> Best regards
> 
> -lem
> 
> 
> Luis Muñoz
> Director, Registry Operations
> ____________________________
> 
> http://www.uniregistry.link/
> 2161 San Joaquin Hills Road
> Newport Beach, CA 92660
> 
> Office +1 949 706 2300 x 4242
> lem at uniregistry.link