Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Tim Burke
Agreed, it should be 100% opt-in… and I don’t even like the idea of providing 
filtered DNS at all. 

But sadly, judging by the number of neighborhood Facebook group posts I see 
from people complaining about “their wifi being down” during yet another fiber 
cut, there are an increasingly large number of end users that expect their ISPs 
to provide a 100% idiot-proof solution. Security filtering is part of that 
solution, along with all of the ’set and forget’ mesh wifi systems that clog up 
spectrum worse than an overdriven CB radio. 

Certainly not bulletproof, but as the movie “Idiocracy” turns more and more 
into a documentary, I think solutions like this will become more commonplace. 
As long as clueful users can disable it without trouble, I’m perfectly fine 
with it.  

> On Oct 30, 2023, at 6:00 PM, Owen DeLong via NANOG wrote:
> 
>> On Oct 30, 2023, at 07:58, Livingood, Jason wrote:
>> 
>> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>> 
>>> If it’s such a reasonable default, why don’t any of the public resolvers 
>>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>>> DNS isn’t the right place to attack this, IMHO.
>> 
>> Are we sure that the filtering is done in the default view - I would suggest 
>> the user check to ensure they don't have a filtering service (e.g. parental 
>> controls/malware protection) turned on. In my **personal** opinion, the 
>> default view should have DNSSEC validation & no filtering; users can always 
>> optionally select additional protection services that might include 
>> DNS-based filtering as well as other mechanisms. 
>> 
>> JL
>> 
> 
> Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
> not spam, etc.
> If you want unfiltered, they offer 9.9.9.10.
> 
> Cloudflare offers two different filtered services, but 1.1.1.1 remains 
> unfiltered.
> 
> 1.1.1.2 is “No Malware”
> 1.1.1.3 is “No Malware or Adult Content”
> 
> So yes, apparently one (and only one) public resolver now filters by default.
> 
> I stand by my statement… It should be an opt-in choice, not a default.
> 
> Owen
> 



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Owen DeLong via NANOG



> On Oct 30, 2023, at 07:58, Livingood, Jason wrote:
> 
> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
> 
>> If it’s such a reasonable default, why don’t any of the public resolvers 
>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
> 
> Are we sure that the filtering is done in the default view - I would suggest 
> the user check to ensure they don't have a filtering service (e.g. parental 
> controls/malware protection) turned on. In my **personal** opinion, the 
> default view should have DNSSEC validation & no filtering; users can always 
> optionally select additional protection services that might include DNS-based 
> filtering as well as other mechanisms. 
> 
> JL
> 

Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
not spam, etc.
If you want unfiltered, they offer 9.9.9.10.

Cloudflare offers two different filtered services, but 1.1.1.1 remains 
unfiltered.

1.1.1.2 is “No Malware”
1.1.1.3 is “No Malware or Adult Content”

So yes, apparently one (and only one) public resolver now filters by default.

I stand by my statement… It should be an opt-in choice, not a default.

Owen
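
Added example, not part of any post in this thread: one way to check whether a resolver's answer for a name differs from an unfiltered reference view, by parsing raw DNS responses and comparing RCODE and A records. The name `blocked.example`, the addresses and the `fake_response` helper are constructed sample data so the block runs offline.

```python
import socket, struct

def build_query(name, qid=0x1234):
    """Encode a recursive (RD=1) A/IN query in DNS wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, honouring compression pointers."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a 2-byte pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_response(msg):
    """Return (rcode, sorted list of A-record addresses)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, sorted(addrs)

def classify(under_test, reference):
    """Compare the resolver under test with an unfiltered reference view."""
    (t_rc, t_addrs), (r_rc, r_addrs) = under_test, reference
    if r_rc != 0 or not r_addrs:
        return "inconclusive"            # reference did not resolve the name either
    if t_rc == 3 or (t_rc == 0 and not t_addrs):
        return "blocked"                 # NXDOMAIN or empty answer
    if not set(t_addrs) & set(r_addrs):
        return "rewritten"               # disjoint answers: block page, or only CDN steering
    return "consistent"

def fake_response(query, rcode, addrs):
    """Constructed sample data: a response to `query` carrying `addrs`."""
    hdr = struct.pack(">HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + query[12:] + rrs
Q = build_query("blocked.example")       # constructed test name
SAMPLES = {label: parse_response(fake_response(Q, rc, addrs)) for label, rc, addrs in
           [("reference", 0, ["192.0.2.10"]), ("sinkhole", 0, ["198.51.100.1"]), ("nxdomain", 3, [])]}
```

For a live check, send `build_query(name)` over UDP port 53 to the resolver under test and to an unfiltered reference (the thread names 1.1.1.1 and 9.9.9.10), then pass both parsed responses to `classify`. A "rewritten" result needs a second look, since CDNs also return different addresses to different resolvers.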



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Compton, Rich A
No, Charter doesn't use those.  Charter runs its own anycasted recursive 
nameservers.

On 10/30/23, 2:46 PM, "NANOG on behalf of Livingood, Jason via NANOG" wrote:




On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:


> I have no idea whether Charter uses one of these, some other third party, 
> or their own. 


They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 


JL









Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:

> I have no idea whether Charter uses one of these, some other third party, 
> or their own. 

They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 

JL




Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread John R. Levine

On Mon, 30 Oct 2023, Livingood, Jason wrote:

> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
>
> Are we sure that the filtering is done in the default view - I would suggest the 
> user check to ensure they don't have a filtering service (e.g. parental 
> controls/malware protection) turned on. In my **personal** opinion, the default 
> view should have DNSSEC validation & no filtering; users can always optionally 
> select additional protection services that might include DNS-based filtering as 
> well as other mechanisms.


At Quad9 they are clear that 9.9.9.9 is filtered.  Cloudflare 1.1.1.1 is 
unfiltered, 1.1.1.2 filters malware, 1.1.1.3 malware and stuff unsuitable 
for children.


I have no idea whether Charter uses one of these, some other third party, 
or their own.  We must know someone there who could tell us.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


RE: Ford.com network admin

2023-10-30 Thread Dennis Burgess
That is what is not working.  If I go to the link from this specific prefix, it 
does not work, and I get the error I sent Becki.  

From: Brandon Jackson 
Sent: Monday, October 30, 2023 12:01 PM
To: Kain, Becki (.) 
Cc: Dennis Burgess ; NANOG list 
Subject: Re: Ford.com network admin

I get that too if I just go direct to https://login.ford.com, 
but if I use the link from the homepage while it still goes to the same domain 
it appends a bunch of stuff to the end of that link and does work.

On Mon, Oct 30, 2023, 12:11 Kain, Becki (.) via NANOG <nanog@nanog.org> wrote:
From inside of Ford, I get this:

The resource you are looking for has been removed, had its name changed, or is 
temporarily unavailable.

From: NANOG On Behalf Of Dennis Burgess
Sent: Monday, October 30, 2023 12:01 PM
To: nanog@nanog.org
Subject: Ford.com network admin


I have a specific subnet of users that are getting denied access to even get to 
the login page at https://login.ford.com.  Looking for someone to contact me 
offlist about this issue please

Dennis Burgess

Mikrotik : Trainer, Network Associate, Routing Engineer, Wireless Engineer, 
Traffic Control Engineer, Inter-Networking Engineer, Security Engineer, 
Enterprise Wireless Engineer
Hurricane Electric: IPv6 Sage Level
Cambium: ePMP

Author of "Learn RouterOS- Second Edition”
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: http://www.linktechs.net
Create your own Tickets via https://hd.linktechs.net
Create Wireless Coverage’s with www.towercoverage.com
Need MikroTik Cloud Management: https://cloud.linktechs.net
Remote Winbox Service: http://rwb.linktechs.net



Re: Ford.com network admin

2023-10-30 Thread Brandon Jackson
I get that too if I just go direct to https://login.ford.com, but if I use
the link from the homepage while it still goes to the same domain it
appends a bunch of stuff to the end of that link and does work.

On Mon, Oct 30, 2023, 12:11 Kain, Becki (.) via NANOG wrote:

> From inside of Ford, I get this:
>
>
>
> The resource you are looking for has been removed, had its name changed,
> or is temporarily unavailable.
>
>
>
> *From:* NANOG *On Behalf Of* Dennis Burgess
> *Sent:* Monday, October 30, 2023 12:01 PM
> *To:* nanog@nanog.org
> *Subject:* Ford.com network admin
>
>
>
>
>
>
> I have a specific subnet of users that are getting denied access to even
> get to the login page at https://login.ford.com.
> Looking for someone to contact me offlist about this issue please
>
>
>
> *Dennis Burgess*


RE: Ford.com network admin

2023-10-30 Thread Kain, Becki (.) via NANOG
From inside of Ford, I get this:

The resource you are looking for has been removed, had its name changed, or is 
temporarily unavailable.

From: NANOG On Behalf Of Dennis Burgess
Sent: Monday, October 30, 2023 12:01 PM
To: nanog@nanog.org
Subject: Ford.com network admin


I have a specific subnet of users that are getting denied access to even get to 
the login page at https://login.ford.com.  Looking for someone to contact me 
offlist about this issue please

Dennis Burgess




Ford.com network admin

2023-10-30 Thread Dennis Burgess
I have a specific subnet of users that are getting denied access to even get to 
the login page at https://login.ford.com.  Looking for someone to contact me 
offlist about this issue please

Dennis Burgess

Mikrotik : Trainer, Network Associate, Routing Engineer, Wireless Engineer, 
Traffic Control Engineer, Inter-Networking Engineer, Security Engineer, 
Enterprise Wireless Engineer
Hurricane Electric: IPv6 Sage Level
Cambium: ePMP

Author of "Learn RouterOS- Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: http://www.linktechs.net
Create your own Tickets via https://hd.linktechs.net
Create Wireless Coverage's with www.towercoverage.com
Need MikroTik Cloud Management: https://cloud.linktechs.net
Remote Winbox Service: http://rwb.linktechs.net



Re: Any interpol contact

2023-10-30 Thread Daniel Marks via NANOG
Interpol will never reach out to you, your local federal police liaison will 
contact you (in the US, that’s your regional FBI office) and ask you to contact 
them directly or by calling the main number and giving them a case number from 
the email.

https://www.interpol.int/en/What-you-can-do/Stay-safe/Beware-of-scams-using-INTERPOL-s-name


> On Oct 30, 2023, at 08:23, Lu Heng  wrote:
> 
> Hi
> 
> We receive some network abuse request allegedly from Interpol, any contact 
> from Interpol would be appreciated.



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:

> If it’s such a reasonable default, why don’t any of the public resolvers 
> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> DNS isn’t the right place to attack this, IMHO.

Are we sure that the filtering is done in the default view - I would suggest 
the user check to ensure they don't have a filtering service (e.g. parental 
controls/malware protection) turned on. In my **personal** opinion, the default 
view should have DNSSEC validation & no filtering; users can always optionally 
select additional protection services that might include DNS-based filtering as 
well as other mechanisms. 

JL



Re: Any interpol contact

2023-10-30 Thread Peter Potvin via NANOG
Have you tried contacting them through the form on their website?
https://www.interpol.int/en/Contacts/Contact-INTERPOL

~ Peter


On Mon, Oct 30, 2023 at 8:27 AM Lu Heng  wrote:

> Hi
>
> We receive some network abuse request allegedly from Interpol, any contact
> from Interpol would be appreciated.
>


Any interpol contact

2023-10-30 Thread Lu Heng
Hi

We receive some network abuse request allegedly from Interpol, any contact
from Interpol would be appreciated.