Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Tim Burke
Agreed, it should be 100% opt-in… and I don’t even like the idea of providing 
filtered DNS at all. 

But sadly, judging by the number of neighborhood Facebook group posts I see 
from people complaining about “their wifi being down” during yet another fiber 
cut, there are an increasingly large number of end users that expect their ISPs 
to provide a 100% idiot-proof solution. Security filtering is part of that 
solution, along with all of the ’set and forget’ mesh wifi systems that clog up 
spectrum worse than an overdriven CB radio. 

Certainly not bulletproof, but as the movie “Idiocracy” turns more and more 
into a documentary, I think solutions like this will become more commonplace. 
As long as clueful users can disable it without trouble, I’m perfectly fine 
with it.  

> On Oct 30, 2023, at 6:00 PM, Owen DeLong via NANOG  wrote:
> 
> 
> 
>> On Oct 30, 2023, at 07:58, Livingood, Jason  
>> wrote:
>> 
>> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>> 
>>> If it’s such a reasonable default, why don’t any of the public resolvers 
>>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>>> DNS isn’t the right place to attack this, IMHO.
>> 
>> Are we sure that the filtering is done in the default view - I would suggest 
>> the user check to ensure they don't have a filtering service (e.g. parental 
>> controls/malware protection) turned on. In my **personal** opinion, the 
>> default view should have DNSSEC validation & no filtering; users can always 
>> optionally select additional protection services that might include 
>> DNS-based filtering as well as other mechanisms. 
>> 
>> JL
>> 
> 
> Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
> not spam, etc.
> If you want unfiltered, they offer 9.9.9.10.
> 
> Cloudflare offers two different filtered services, but 1.1.1.1 remains 
> unfiltered.
> 
> 1.1.1.2 is “No Malware”
> 1.1.1.3 is “No Malware or Adult Content”
> 
> So yes, apparently one (and only one) public resolver now filters by default.
> 
> I stand by my statement… It should be an opt-in choice, not a default.
> 
> Owen
> 



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Owen DeLong via NANOG



> On Oct 30, 2023, at 07:58, Livingood, Jason  
> wrote:
> 
> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
> 
>> If it’s such a reasonable default, why don’t any of the public resolvers 
>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
> 
> Are we sure that the filtering is done in the default view - I would suggest 
> the user check to ensure they don't have a filtering service (e.g. parental 
> controls/malware protection) turned on. In my **personal** opinion, the 
> default view should have DNSSEC validation & no filtering; users can always 
> optionally select additional protection services that might include DNS-based 
> filtering as well as other mechanisms. 
> 
> JL
> 

Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
not spam, etc.
If you want unfiltered, they offer 9.9.9.10.

Cloudflare offers two different filtered services, but 1.1.1.1 remains 
unfiltered.

1.1.1.2 is “No Malware”
1.1.1.3 is “No Malware or Adult Content”

So yes, apparently one (and only one) public resolver now filters by default.

I stand by my statement… It should be an opt-in choice, not a default.

Owen



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Compton, Rich A
No, Charter doesn't use those.  Charter runs its own anycasted recursive 
nameservers.

On 10/30/23, 2:46 PM, "NANOG on behalf of Livingood, Jason via NANOG" wrote:




On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:

> I have no idea whether Charter uses one of these, some other third party, 
> or their own. 


They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 


JL









Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:

> I have no idea whether Charter uses one of these, some other third party, 
> or their own. 

They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 

JL




Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread John R. Levine

On Mon, 30 Oct 2023, Livingood, Jason wrote:

> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:
>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
>
> Are we sure that the filtering is done in the default view - I would suggest the 
> user check to ensure they don't have a filtering service (e.g. parental 
> controls/malware protection) turned on. In my **personal** opinion, the default 
> view should have DNSSEC validation & no filtering; users can always optionally 
> select additional protection services that might include DNS-based filtering as 
> well as other mechanisms.


At Quad9 they are clear that 9.9.9.9 is filtered.  Cloudflare 1.1.1.1 is 
unfiltered, 1.1.1.2 filters malware, 1.1.1.3 malware and stuff unsuitable 
for children.


I have no idea whether Charter uses one of these, some other third party, 
or their own.  We must know someone there who could tell us.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong" wrote:

> If it’s such a reasonable default, why don’t any of the public resolvers 
> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> DNS isn’t the right place to attack this, IMHO.

Are we sure that the filtering is done in the default view - I would suggest 
the user check to ensure they don't have a filtering service (e.g. parental 
controls/malware protection) turned on. In my **personal** opinion, the default 
view should have DNSSEC validation & no filtering; users can always optionally 
select additional protection services that might include DNS-based filtering as 
well as other mechanisms. 

JL



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John R. Levine

> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?


Oh my, you walked right into that one.

https://www.quad9.net/service/threat-blocking/

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

I'm also surprised nobody seems familiar with Vixie's Response Policy 
Zones, a widely supported way to put DNS filtering rules into your own DNS 
cache.


https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
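
An added illustration, not part of the thread or of any poster's message: a simplified Python model of how a resolver applies Response Policy Zone QNAME rules, the mechanism named in the message above. The zone origin, names and addresses are constructed, and only single-zone QNAME triggers are modelled (no client-IP, response-IP or nameserver triggers).

```python
# Added example: simplified model of RPZ QNAME-trigger evaluation.
# Constructed sample policy zone; owner names are relative to an assumed
# origin such as "rpz.example." and all names/addresses are illustrative.
RPZ_ZONE = """
malware.example.net      CNAME .              ; answer NXDOMAIN
*.malware.example.net    CNAME .              ; same for every subdomain
ok.malware.example.net   CNAME rpz-passthru.  ; exempt this one name
tracker.example.org      CNAME *.             ; answer NODATA
phish.example.com        A     192.0.2.10     ; local data (walled garden)
"""

# Special CNAME targets that encode an RPZ action instead of real data.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def load_rpz(text):
    """Parse 'owner TYPE rdata' lines into {owner: (action, data)}."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, rtype, rdata = line.split()
        owner = owner.lower().rstrip(".")
        if rtype.upper() == "CNAME" and rdata in ACTIONS:
            rules[owner] = (ACTIONS[rdata], None)
        else:                                   # any other record is served as-is
            rules[owner] = ("LOCAL-DATA", (rtype.upper(), rdata))
    return rules


def evaluate(rules, qname):
    """Return the policy for qname: exact owner first, then closest wildcard."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):             # try *.parent, most specific first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return ("NO-MATCH", None)                   # resolve normally


RULES = load_rpz(RPZ_ZONE)
```
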


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-28 Thread Delong.com via NANOG



> On Oct 28, 2023, at 10:28, Jay R. Ashworth  wrote:
> 
> - Original Message -
>> From: "Owen DeLong via NANOG" 
> 
>>> For a network feeding a data center, sure. For a network like
>>> Charter's which is feeding unsophisticated nontechnical users, they
>>> need all the messing they can get.
>>> 
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead.  But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>>> 
>>> R's,
>>> John
>> 
>> If it’s such a reasonable default, why don’t any of the public resolvers 
>> (e.g.
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> 
> It's a reasonable default behavior *for default resolver servers for consumer
> eyeball networks*.
> 
> I knew that was what John meant, and I can't see any reason why you wouldn't 
> know it too, Owen; this isn't your first rodeo, either.

I knew that’s what he meant and I know what you mean. I still don’t agree.

Owen



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-28 Thread Jay R. Ashworth
- Original Message -
> From: "Owen DeLong via NANOG" 

>> For a network feeding a data center, sure. For a network like
>> Charter's which is feeding unsophisticated nontechnical users, they
>> need all the messing they can get.
>> 
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>> 
>> R's,
>> John
> 
> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

It's a reasonable default behavior *for default resolver servers for consumer
eyeball networks*.

I knew that was what John meant, and I can't see any reason why you wouldn't 
know it too, Owen; this isn't your first rodeo, either.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Owen DeLong via NANOG



> On Oct 27, 2023, at 14:20, John Levine  wrote:
> 
> It appears that Bryan Fields  said:
>> On 10/27/23 7:49 AM, John Levine wrote:
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>> 
>> I'd argue that as a service provider deliberately messing with DNS is an 
>> obvious bad thing.  They're there to deliver packets.
> 
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
> 
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead.  But it's
> a reasonable default to keep malware out of Grandma's iPad.
> 
> R's,
> John

If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

DNS isn’t the right place to attack this, IMHO.

Owen