Re: Bind and blacklist IP file
Hello Alans,

Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:

> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Ian,
>>
>> Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:
>>
>>>> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want.
>>>
>>> Vaguely related are host headers - a lot of webservers share an IP address/many IP addresses and use host headers to 'display' the correct website. You wouldn't be able to browse a particular website hosted in this fashion by IP address.
>>
>> If you know the website domain and the corresponding IP address, and if your ISP prevents you from accessing this website by timing out or tampering with DNS query results, you can always put an entry like "192.168.10.20 www.domain.tld." into your hosts file and access the site. This technique is also in use when someone needs to access a site which is on a non-delegated domain.
>
> Even this way, you should know all the IPs of the subdomains for it to work properly. Try it for Facebook: the homepage opens fine, but once you log in it will fail.

If you can query at least one of the authoritative NS for the domain in question then you would have no problems determining the IP addresses you might need.

> Another thing, we are talking about a technical person; other users don't know about the hosts file, or they don't have access to change it even if they know about it.

Sure, but please don't forget about the average level of computer skills of the audience most underground sites have.

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind and blacklist IP file
Hello David,

Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote:

> On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
>> Hello Alans,
>>
>> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>>
>>> Why not? OpenDNS is a good example I think.
>>
>> Good example? Was it a joke? Do the traceroute on the IP addresses of the two OpenDNS resolvers and you'll find that they both are behind the same router. Do you still trust the OpenDNS people who advertise their service as reliable?
>
> You are kidding, right? ...or was this post a joke?

Not at all.

> OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Thanks, I know what anycast is, and about the fact that OpenDNS uses it. Besides all that, it still seems strange that *both* of their public resolvers are behind the *same* router (peer1.rtr1.ams.opendns.com [195.69.144.88] for me).

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Bind and blacklist IP file
On 13/10/10 12:13 PM, Andrey G. Sergeev <and...@aernet.ru> wrote:

> Hello Alans,
>
> Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:
>
>> On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
>>> Hello Ian,
>>>
>>> Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:
>>>
>>>>> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want.
>>>>
>>>> Vaguely related are host headers - a lot of webservers share an IP address/many IP addresses and use host headers to 'display' the correct website. You wouldn't be able to browse a particular website hosted in this fashion by IP address.
>>>
>>> If you know the website domain and the corresponding IP address, and if your ISP prevents you from accessing this website by timing out or tampering with DNS query results, you can always put an entry like "192.168.10.20 www.domain.tld." into your hosts file and access the site. This technique is also in use when someone needs to access a site which is on a non-delegated domain.
>>
>> Even this way, you should know all the IPs of the subdomains for it to work properly. Try it for Facebook: the homepage opens fine, but once you log in it will fail.
>
> If you can query at least one of the authoritative NS for the domain in question then you would have no problems determining the IP addresses you might need.

The straightforward answer to the original question is that BIND RPZ features will allow you to isolate domains as requested. Noting that this is _just_ DNS and, as others have mentioned, that's hardly a solid wall of unavailability for your blacklisted sites.

>> Another thing, we are talking about a technical person; other users don't know about the hosts file, or they don't have access to change it even if they know about it.
>
> Sure, but please don't forget about the average level of computer skills of the audience most underground sites have.

-- 
Kal Feher
RE: Bind and blacklist IP file
-----Original Message-----
From: bind-users-bounces+ian.t=thoughtbubble@lists.isc.org [mailto:bind-users-bounces+ian.t=thoughtbubble@lists.isc.org] On Behalf Of Nuno Paquete
Sent: 11 October 2010 19:45
To: sth...@nethelp.no
Cc: bind-users@lists.isc.org; uh...@fantomas.sk
Subject: Re: Bind and blacklist IP file

[snip]

> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want.

Vaguely related are host headers - a lot of webservers share an IP address/many IP addresses and use host headers to 'display' the correct website. You wouldn't be able to browse a particular website hosted in this fashion by IP address.

Ian
Re: Bind and blacklist IP file
Hello Ian,

Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:

>> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want.
>
> Vaguely related are host headers - a lot of webservers share an IP address/many IP addresses and use host headers to 'display' the correct website. You wouldn't be able to browse a particular website hosted in this fashion by IP address.

If you know the website domain and the corresponding IP address, and if your ISP prevents you from accessing this website by timing out or tampering with DNS query results, you can always put an entry like "192.168.10.20 www.domain.tld." into your hosts file and access the site. This technique is also in use when someone needs to access a site which is on a non-delegated domain.

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
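The host-header point Ian makes and the hosts-file workaround in the reply above, worked through as an added example; this is not code from the thread. Everything in it is constructed: the shared address 192.168.10.20 is taken from the hosts-file entry above, the two sites and the "tampered" DNS table are made up, and nothing opens a socket. It models only what a name-based virtual host does with the Host header and what a stub resolver does with /etc/hosts before asking DNS.

```python
"""Name-based virtual hosting, the Host header and a hosts-file override.

Added example for the bind-users thread, not code from it. Constructed
data throughout: one address shared by two made-up sites, plus a DNS
table standing in for an ISP resolver that returns a wrong answer.
"""
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SHARED_IP = "192.168.10.20"          # address from the hosts-file entry in the thread
VHOSTS = {"www.domain.tld": "site A", "www.other.tld": "site B"}  # constructed
DEFAULT_SITE = "default site"        # what answers when no vhost matches


def build_request(url: str) -> bytes:
    """Request line and Host header a browser sends for url.

    The Host header is copied from the URL's authority, so a site name
    (however it was resolved) and a bare address produce different
    requests even when both reach the same socket.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.hostname
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:   # non-default port travels in Host
        host = f"{host}:{parts.port}"
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()


def host_header(request: bytes) -> Optional[str]:
    """Host header value without a :port suffix, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip()
            if value.startswith("["):                # IPv6 literal: keep the brackets
                return value.split("]", 1)[0] + "]"
            return value.rsplit(":", 1)[0] if ":" in value else value
    return None


def select_site(request: bytes, vhosts: Dict[str, str] = VHOSTS,
                default: str = DEFAULT_SITE) -> str:
    """Dispatch the way a name-based virtual host server does."""
    host = host_header(request)
    if host is None:
        return default
    return vhosts.get(host.lower().rstrip("."), default)


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file lines: 'address name [alias ...]', '#' comments."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Optional[str]:
    """Stub-resolver order: the hosts file wins, DNS is asked otherwise."""
    key = name.lower().rstrip(".")
    return hosts.get(key) or dns.get(key)


def fetch(url: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Simulate a browser: resolve, 'connect', send the request.

    Returns (address connected to, site that answered). The site is None
    when the name did not resolve or the address is not the shared one,
    i.e. the client ended up somewhere other than the vhost server.
    """
    hostname = urlsplit(url).hostname
    try:
        ipaddress.ip_address(hostname)           # typed a literal address
        addr: Optional[str] = hostname
    except ValueError:
        addr = resolve(hostname, hosts, dns)
    if addr is None:
        return None, None
    if addr != SHARED_IP:
        return addr, None
    return addr, select_site(build_request(url))


if __name__ == "__main__":
    tampered = {"www.domain.tld": "10.0.0.1"}     # constructed: resolver lies
    print(fetch("http://www.domain.tld/", parse_hosts(""), tampered))
    print(fetch("http://www.domain.tld/", parse_hosts("192.168.10.20 www.domain.tld"), tampered))
    print(fetch("http://192.168.10.20/", parse_hosts(""), tampered))
```

The three runs come out as the thread describes: with the lying resolver the browser connects to the wrong address and gets nothing useful; with the hosts entry it reaches the shared address and the Host header still carries www.domain.tld, so the right site answers; typing the bare address sends "Host: 192.168.10.20", which matches no vhost and lands on the default site. A subdomain the hosts file does not list (the login host Alans mentions later in the thread) goes back through DNS, which is why each subdomain needs its own entry.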
Re: Bind and blacklist IP file
On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:

> Hello Ian,
>
> Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:
>
>>> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want.
>>
>> Vaguely related are host headers - a lot of webservers share an IP address/many IP addresses and use host headers to 'display' the correct website. You wouldn't be able to browse a particular website hosted in this fashion by IP address.
>
> If you know the website domain and the corresponding IP address, and if your ISP prevents you from accessing this website by timing out or tampering with DNS query results, you can always put an entry like "192.168.10.20 www.domain.tld." into your hosts file and access the site. This technique is also in use when someone needs to access a site which is on a non-delegated domain.

Even this way, you should know all the IPs of the subdomains for it to work properly. Try it for Facebook: the homepage opens fine, but once you log in it will fail.

Another thing, we are talking about a technical person; other users don't know about the hosts file, or they don't have access to change it even if they know about it.

regards.
Re: Bind and blacklist IP file
In article <mailman.447.1286891555.555.bind-us...@lists.isc.org>, Alans <alans...@gmail.com> wrote:

[ Norwegian Gov vs ISPs, banning domains, and inserting local host entries to subvert such a ban ]

> Even this way, you should know all the IPs of the subdomains for it to work properly. Try it for Facebook: the homepage opens fine, but once you log in it will fail.
>
> Another thing, we are talking about a technical person; other users don't know about the hosts file, or they don't have access to change it even if they know about it.

So there's a market opportunity for someone with half a clue to help out his friends.

Sam
Re: Bind and blacklist IP file
On 11/10/10 1:02 PM, Alans <alans...@gmail.com> wrote:

> Hello,
>
> Is it possible for BIND DNS to check the queries, and if the returned answer exists in a file that contains blacklisted IPs then block it?

DNS RPZ may do what you want. There is a patch on the isc.org website for 9.4, 9.6 and 9.7.1-P2.

Described in further detail here:
ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt
and here:
http://www.isc.org/community/blog/201007/taking-back-dns-0

> One more thing, from where can we get/buy updated lists of categorized IPs/websites, like Gaming, Porn, Social...?
>
> Thanks,
> Alans

-- 
Kal Feher
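For the original question (block a query when the name is blacklisted or when the answer carries a blacklisted address), here is an added example, not code from the thread or from ISC, that turns a plain blacklist file into an RPZ zone that BIND can load. It uses the trigger encoding documented for RPZ: a QNAME trigger is the owner name itself (plus a wildcard for everything below it), an IP trigger on answer addresses is encoded as prefixlen.reversed-octets.rpz-ip, and "CNAME ." tells named to answer NXDOMAIN. The zone name rpz.local, the sample blacklist, the SOA values and the IPv4-only handling are assumptions for the example; the 2010 patches Kal points to predate the current RPZ format, so check which trigger types the version you run supports.

```python
"""Generate a BIND Response Policy Zone from a plain blacklist.

Added example for the bind-users thread; not ISC's code. Assumptions:
the zone is called rpz.local, entries are domain names or IPv4
addresses/prefixes, and NXDOMAIN (CNAME .) is the wanted policy action.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample blacklist. Names block the name and everything
# below it; addresses/prefixes block any answer that contains them.
SAMPLE_BLACKLIST = """\
# names
bad.example
tracker.example.net.
# addresses seen in answers
192.0.2.10
198.51.100.0/24
"""


def parse_blacklist(text: str) -> Tuple[List[str], List[ipaddress.IPv4Network]]:
    """Split entries into domain names and IPv4 networks.

    Anything ipaddress accepts as an IPv4 address or CIDR prefix becomes
    an address trigger; everything else is treated as a domain name with
    its trailing dot removed. Blank lines and '#' comments are skipped.
    """
    domains: List[str] = []
    networks: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            domains.append(entry.rstrip(".").lower())
    return domains, networks


def rpz_ip_owner(net: ipaddress.IPv4Network) -> str:
    """Owner name of an RPZ IP trigger: <prefixlen>.<o4>.<o3>.<o2>.<o1>.rpz-ip

    192.0.2.10/32 becomes 32.10.2.0.192.rpz-ip (relative to the zone).
    """
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_records(text: str) -> List[str]:
    """Policy records, all NXDOMAIN, relative to the zone origin."""
    domains, networks = parse_blacklist(text)
    records: List[str] = []
    for name in domains:
        records.append(f"{name} CNAME .")        # the name itself
        records.append(f"*.{name} CNAME .")      # and every name below it
    for net in networks:
        records.append(f"{rpz_ip_owner(net)} CNAME .")
    return records


def build_rpz_zone(text: str, zone: str = "rpz.local", serial: int = 1) -> str:
    """Complete zone file text: SOA and NS (required), then the policy records."""
    header = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
        "@ NS localhost.",
    ]
    return "\n".join(header + rpz_records(text)) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(SAMPLE_BLACKLIST), end="")
```

Write the output to a file, load it as an ordinary master zone in named.conf (with allow-query { none; } so clients cannot read the policy directly), and list the zone in response-policy { zone "rpz.local"; }; in options; after regenerating, bump the serial and rndc reload. As Kal says, this only shapes the answers of clients that use this resolver, which is also the point Nuno and Matus make elsewhere in the thread.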
Re: Bind and blacklist IP file
Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.

regards,
Alans

On 10/11/2010 02:06 PM, David Peall wrote:

> Have you looked at: http://www.opendns.com/
>
> -- 
> Dave
>
> On 11 October 2010 13:02, Alans <alans...@gmail.com> wrote:
>> Hello,
>>
>> Is it possible for BIND DNS to check the queries, and if the returned answer exists in a file that contains blacklisted IPs then block it?
>>
>> One more thing, from where can we get/buy updated lists of categorized IPs/websites, like Gaming, Porn, Social...?
>>
>> Thanks,
>> Alans
Re: Bind and blacklist IP file
Alans wrote:

> Hello,
>
> Is it possible for BIND DNS to check the queries, and if the returned answer exists in a file that contains blacklisted IPs then block it?
>
> One more thing, from where can we get/buy updated lists of categorized IPs/websites, like Gaming, Porn, Social...?
>
> Thanks,
> Alans

You really need a web proxy with filtering software (like squidGuard) and some block lists to do this.

http://www.squidguard.org/blacklists.html
Re: Bind and blacklist IP file
On 11.10.10 14:16, Alans wrote:

> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.

This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (Slovak: the same warning.)
The early bird may get the worm, but the second mouse gets the cheese.
Re: Bind and blacklist IP file
Why not? OpenDNS is a good example I think. Also, I think, as mentioned in Kal's email, DNS RPZ from ISC is an approach to implement these functionalities at DNS level. We want to give individuals/customers access to their account to block what they want to block, something similar to OpenDNS but on a small scale.

regards,
Alans

On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:

> On 11.10.10 14:16, Alans wrote:
>> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.
Re: Bind and blacklist IP file
>> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

Unfortunately, in some countries you may be required to do so. The example I know best is, naturally, Norway.

In Norway we have what is basically a government requirement for ISPs to block child porn domains, using a list supplied by the police. A decent description of the system, for those of you with a reading knowledge of Norwegian, is here:

http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

This blocking is *in theory* voluntary - however, the government has made it quite clear that unless a sufficiently high number of the bigger ISPs agree to such blocking, the government will introduce laws which *require* the ISPs to do it. So much for voluntary.

Of course, all this will do is prevent accidental surfing to domains on the list. Anybody who *wants* this content can simply run his own name server - and escape the blocking. So much for effectiveness.

Oh yeah, there are also the usual problems of collateral damage, no well-defined process around the maintenance of the list, etc. The four criteria proposed in this article:

http://www.theregister.co.uk/2009/01/13/internet_regulation/

have clearly not been in the minds of the police / politicians that introduced the system.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: Bind and blacklist IP file
Hi.

> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

I definitely agree with this.

> In Norway we have what is basically a government requirement for ISPs to block child porn domains, using a list supplied by the police.

Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want. If you want to block IP address access you have to use a firewall, or if you are talking about HTTP traffic and have a proxy, maybe you have to block there. That's why I completely agree this should not be blocked at DNS level.

Nuno Paquete
Re: Bind and blacklist IP file
Hello Matus,

Mon, 11 Oct 2010 18:37:43 +0200 Matus UHLAR - fantomas wrote:

> On 11.10.10 14:16, Alans wrote:
>> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.
>
> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

Strongly agreed. And doing this brainf***ing stuff could lead to unpredictable glitches too. Render unto Caesar the things which are Caesar's, and unto God the things that are God's (Matthew 22:21).

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Bind and blacklist IP file
On 10/11/2010 2:44 PM, Nuno Paquete wrote:

> Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want. If you want to block IP address access you have to use a firewall, or if you are talking about HTTP traffic and have a proxy, maybe you have to block there. That's why I completely agree this should not be blocked at DNS level.

To nitpick: address-block-based filtering *could* be implemented in DNS. The same mechanisms that are used to prevent rebinding attacks -- e.g. BIND's *deny-answer-addresses* -- could theoretically be repurposed to strip addresses in certain banned ranges from DNS responses. Arguably this is a misuse/abuse of the feature.

- Kevin
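What the option Kevin names looks like in named.conf, as an added fragment that is not from the thread. The address ranges are documentation prefixes chosen for illustration, and "trusted.example" is a made-up name for the except-from list; the syntax itself is the one BIND 9.7 and later accept.

```conf
options {
    // Reject any answer whose A/AAAA records fall inside these ranges,
    // unless the queried name is at or below a name in except-from.
    // Intended for rebinding protection (RFC 1918 space etc.); listing
    // public ranges here turns it into the blacklist Kevin describes.
    deny-answer-addresses { 192.0.2.0/24; 198.51.100.0/24; }
        except-from { "trusted.example"; };
};
```

The caveat a practitioner wants here: named does not quietly drop the offending record; the whole response is treated as a rebinding attempt, logged, and answered with SERVFAIL, so a blacklisted address mixed into an otherwise legitimate round-robin set makes the entire name fail, which is the kind of surprise Matus warns about above. An RPZ IP trigger gives the same effect with a chosen policy action instead of a hard SERVFAIL.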
Re: Bind and blacklist IP file
Hello Steinar,

Mon, 11 Oct 2010 19:38:54 +0200 (CEST) sth...@nethelp.no wrote:

> Unfortunately, in some countries you may be required to do so. The example I know best is, naturally, Norway.
>
> In Norway we have what is basically a government requirement for ISPs to block child porn domains, using a list supplied by the police. A decent description of the system, for those of you with a reading knowledge of Norwegian, is here:
>
> http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

Would you please describe in brief, for those who don't read Norwegian, the methods the major Norwegian ISPs use to block the CP domains?

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Bind and blacklist IP file
Hello Alans,

Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:

> Why not? OpenDNS is a good example I think.

Good example? Was it a joke? Do the traceroute on the IP addresses of the two OpenDNS resolvers and you'll find that they both are behind the same router. Do you still trust the OpenDNS people who advertise their service as reliable?

P.S. Please don't top-post - this breaks the logic of the discussion thread. Thank you.

> regards,
> Alans
>
> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>> On 11.10.10 14:16, Alans wrote:
>>> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.
>>
>> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
Re: Bind and blacklist IP file
On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:

> Hello Alans,
>
> Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:
>
>> Why not? OpenDNS is a good example I think.
>
> Good example? Was it a joke? Do the traceroute on the IP addresses of the two OpenDNS resolvers and you'll find that they both are behind the same router. Do you still trust the OpenDNS people who advertise their service as reliable?

You are kidding, right? ...or was this post a joke?

OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Here is a DNS Stuff Vector Trace for 208.67.222.222 (one of OpenDNS' resolvers):
http://www.dnsstuff.com/tools/vectortrace?ip=208.67.222.222token=26314c5ba0c8ae4e2c32430c19d55018

Note that the end points are very local to the widely spread start points. From any one location an IP Anycast service will appear to be very local. That is the point.

> P.S. Please don't top-post - this breaks the logic of the discussion thread. Thank you.
>
>> regards,
>> Alans
>>
>> On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
>>> On 11.10.10 14:16, Alans wrote:
>>>> Thanks Dave, yes I know about OpenDNS. I'm trying to implement something kind of similar to that on a small scale. So I was wondering about BIND DNS capabilities, and maybe third-party stuff that could integrate with BIND DNS in addition to the IP/website list.
>>>
>>> This is NOT something BIND (or any DNS server) should do. Blocking web sites is business for web proxies, firewalls etc. Doing this stuff at DNS level could lead to many surprises.

-- 
-___
David Miller
Tiggee LLC
dmil...@tiggee.com