Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-11-01 Thread Delong.com via NANOG



> On Nov 1, 2023, at 13:28, Michael Thomas  wrote:
> 
> 
> On 10/28/23 3:13 AM, John Levine wrote:
>> It appears that Michael Thomas  said:
>>>> If you're one of the small minority of retail users that knows enough
>>>> about the technology to pick your own resolver, go ahead.  But it's
>>>> a reasonable default to keep malware out of Grandma's iPad.
>>> How does this line up with DoH? Aren't they using hardwired resolver
>>> addresses? I would hope they are not doing anything heroic.
>> Generally, no.  I believe that Chrome probes whatever resolver is configured
>> into the system and uses that if it does DoH or DoT.
>> 
>> At one point Firefox was going to send everything to their favorite
>> DoH resolver but they got a great deal of pushback from people who
>> pointed out that they had policies on their networks and they'd have
>> to ban Firefox.  Firefox responded with a lame hack
>> where you can tell your cache to respond to some name and if so
>> Firefox will use your resolver.
> 
> That's probably what I'm remembering with Firefox. But doesn't probing the 
> local resolver sort of defeat the point of DoH? That is, I really don't want 
> my ISP to be able to snoop on my DNS history. Sending it off to one of the 
> well known resolvers at least gives me a chance to know whether they are evil 
> or not because there aren't very many of them vs every random ISP out there. 
> Since nobody but people like us know about those resolvers it seems to me 
> that without preconfiguration meaningful DoH is pretty limited?

The point of DoH is to move the ability to monetize your DNS history away from 
the public resolver world and into the hands of the content providers and other 
DoH providers.

I’m not sure I see that as an improvement, but I guess it depends on who you 
want to donate to.

Personally, I run my own resolvers and that doesn’t leak any data that wouldn’t 
have to be leaked anyway (after all, the DoH resolvers have to query the 
upstream authoritative servers on my behalf anyway, and with EDNS0, they’re 
likely passing along enough to deanonymize those queries, at least in my case).

YMMV

Owen



Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-11-01 Thread Michael Thomas



On 10/28/23 3:13 AM, John Levine wrote:

> It appears that Michael Thomas  said:
>
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead.  But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>>
>> How does this line up with DoH? Aren't they using hardwired resolver
>> addresses? I would hope they are not doing anything heroic.
>
> Generally, no.  I believe that Chrome probes whatever resolver is configured
> into the system and uses that if it does DoH or DoT.
>
> At one point Firefox was going to send everything to their favorite
> DoH resolver but they got a great deal of pushback from people who
> pointed out that they had policies on their networks and they'd have
> to ban Firefox.  Firefox responded with a lame hack
> where you can tell your cache to respond to some name and if so
> Firefox will use your resolver.


That's probably what I'm remembering with Firefox. But doesn't probing 
the local resolver sort of defeat the point of DoH? That is, I really 
don't want my ISP to be able to snoop on my DNS history. Sending it off 
to one of the well known resolvers at least gives me a chance to know 
whether they are evil or not because there aren't very many of them vs 
every random ISP out there. Since nobody but people like us know about 
those resolvers it seems to me that without preconfiguration meaningful 
DoH is pretty limited?


Or maybe I just don't understand what problem they were trying to solve?

Mike



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Tim Burke
Agreed, it should be 100% opt-in… and I don’t even like the idea of providing 
filtered DNS at all. 

But sadly, judging by the number of neighborhood Facebook group posts I see 
from people complaining about “their wifi being down” during yet another fiber 
cut, there are an increasingly large number of end users that expect their ISPs 
to provide a 100% idiot-proof solution. Security filtering is part of that 
solution, along with all of the ‘set and forget’ mesh wifi systems that clog up 
spectrum worse than an overdriven CB radio. 

Certainly not bulletproof, but as the movie “Idiocracy” turns more and more 
into a documentary, I think solutions like this will become more commonplace. 
As long as clueful users can disable it without trouble, I’m perfectly fine 
with it.  

> On Oct 30, 2023, at 6:00 PM, Owen DeLong via NANOG  wrote:
> 
> 
> 
>> On Oct 30, 2023, at 07:58, Livingood, Jason  
>> wrote:
>> 
>> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:
>> 
>>> If it’s such a reasonable default, why don’t any of the public resolvers 
>>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>>> DNS isn’t the right place to attack this, IMHO.
>> 
>> Are we sure that the filtering is done in the default view - I would suggest 
>> the user check to ensure they don't have a filtering service (e.g. parental 
>> controls/malware protection) turned on. In my **personal** opinion, the 
>> default view should have DNSSEC validation & no filtering; users can always 
>> optionally select additional protection services that might include 
>> DNS-based filtering as well as other mechanisms. 
>> 
>> JL
>> 
> 
> Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
> not spam, etc.
> If you want unfiltered, they offer 9.9.9.10.
> 
> Cloudflare offers two different filtered services, but 1.1.1.1 remains 
> unfiltered.
> 
> 1.1.1.2 is “No Malware”
> 1.1.1.3 is “No Malware or Adult Content”
> 
> So yes, apparently one (and only one) public resolver now filters by default.
> 
> I stand by my statement… It should be an opt-in choice, not a default.
> 
> Owen
> 



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Owen DeLong via NANOG



> On Oct 30, 2023, at 07:58, Livingood, Jason  
> wrote:
> 
> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:
> 
>> If it’s such a reasonable default, why don’t any of the public resolvers 
>> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
> 
> Are we sure that the filtering is done in the default view - I would suggest 
> the user check to ensure they don't have a filtering service (e.g. parental 
> controls/malware protection) turned on. In my **personal** opinion, the 
> default view should have DNSSEC validation & no filtering; users can always 
> optionally select additional protection services that might include DNS-based 
> filtering as well as other mechanisms. 
> 
> JL
> 

Looks like 9.9.9.9 is filtered but ONLY for actual verified security threats, 
not spam, etc.
If you want unfiltered, they offer 9.9.9.10.

Cloudflare offers two different filtered services, but 1.1.1.1 remains 
unfiltered.

1.1.1.2 is “No Malware”
1.1.1.3 is “No Malware or Adult Content”

So yes, apparently one (and only one) public resolver now filters by default.

I stand by my statement… It should be an opt-in choice, not a default.

Owen



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Compton, Rich A
No, Charter doesn't use those.  Charter runs its own anycasted recursive 
nameservers.

On 10/30/23, 2:46 PM, "NANOG on behalf of Livingood, Jason via NANOG" wrote:




On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:


> I have no idea whether Charter uses one of these, some other third party,
> or their own.


They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 


JL









Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/30/23, 16:02, "John R. Levine" <jo...@iecc.com> wrote:

> I have no idea whether Charter uses one of these, some other third party,
> or their own.

They don't use those providers as far as I am aware. I've alerted someone from 
CHTR of this thread. 

JL




Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread John R. Levine

On Mon, 30 Oct 2023, Livingood, Jason wrote:

> On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:
>
>> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>> DNS isn’t the right place to attack this, IMHO.
>
> Are we sure that the filtering is done in the default view - I would suggest the
> user check to ensure they don't have a filtering service (e.g. parental
> controls/malware protection) turned on. In my **personal** opinion, the default
> view should have DNSSEC validation & no filtering; users can always optionally
> select additional protection services that might include DNS-based filtering as
> well as other mechanisms.


At Quad9 they are clear that 9.9.9.9 is filtered.  Cloudflare 1.1.1.1 is 
unfiltered, 1.1.1.2 filters malware, 1.1.1.3 malware and stuff unsuitable 
for children.


I have no idea whether Charter uses one of these, some other third party, 
or their own.  We must know someone there who could tell us.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread Livingood, Jason via NANOG
On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:

> If it’s such a reasonable default, why don’t any of the public resolvers 
> (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> DNS isn’t the right place to attack this, IMHO.

Are we sure that the filtering is done in the default view - I would suggest 
the user check to ensure they don't have a filtering service (e.g. parental 
controls/malware protection) turned on. In my **personal** opinion, the default 
view should have DNSSEC validation & no filtering; users can always optionally 
select additional protection services that might include DNS-based filtering as 
well as other mechanisms. 

JL



Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread Glenn Kelley
I agree it actually is wise for them to offer a filtered service for those
that want it, but opt-in for sure.

On Fri, Oct 27, 2023, 12:35 PM Bryan Fields  wrote:

> On 10/27/23 7:49 AM, John Levine wrote:
> > But for obvious good reasons,
> > the vast majority of their customers don't
>
> I'd argue that as a service provider deliberately messing with DNS is an
> obvious bad thing.  They're there to deliver packets.
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net
>
>


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread Tom Beecher
>
> DNS isn’t the right place to attack this, IMHO.
>
...

> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.


Not much different from IP Geolocation. Probably not the right solution to
many things, but people do it anyways, often causing problems that people
don't know where to go to complain about.


On Fri, Oct 27, 2023 at 10:14 PM Owen DeLong via NANOG 
wrote:

> >> DNS isn’t the right place to attack this, IMHO.
> >
> > Why not (apart from a purity argument), and where should it happen
> instead? As others pointed out, network operators have a vested interest in
> protecting their customers from becoming victims to malware.
>
>
> Takedowns of the hostile target sites.
>
> You dismiss the purity argument, but IMHO, there’s merit to the purity
> argument.
>
> Any such DNS filtration, if provided, should be provided on an opt-in
> basis, not as a default.
>
> I’ve seen plenty of situations where the filters were just plain wrong and
> if the end user didn’t actively choose that filtration, the target site may
> be victimized without anyone knowing where to go to complain.
>
> Owen
>
>


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that   said:
>* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
>>If it’s such a reasonable default, why don’t any of the public 
>>resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>
>It's generally a service that's offered for money. Quad9 definitely 
>offer it: https://www.quad9.net/service/threat-blocking

Not really for money.  Quad9, Cloudflare, and OpenDNS provide filtered DNS for 
free.

There are expensive versions for enterprise networks but there's
plenty of malware filtering DNS for users.

I'm with you about the purity argument. While it certainly would be
possible to use DNS filtering for political reasons (the "family
friendly" versions arguably do that), the amount of malware and phish
is a large and real threat.

By the way, don't miss Interisle's new report on the cybercrime
supply chain.  They (we, actually) found five million domains
used in crime, of which at least a million were registered only to do crime.

https://interisle.net/CybercrimeSupplyChain2023.html

R's,
John




Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that Michael Thomas  said:
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>
>How does this line up with DoH? Aren't they using hardwired resolver 
>addresses? I would hope they are not doing anything heroic.

Generally, no.  I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.

At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox.  Firefox responded with a lame hack
where you can tell your cache to respond to some name and if so
Firefox will use your resolver.

R's,
John


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John R. Levine

> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?


Oh my, you walked right into that one.

https://www.quad9.net/service/threat-blocking/

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

I'm also surprised nobody seems familiar with Vixie's Response Policy 
Zones, a widely supported way to put DNS filtering rules into your own DNS 
cache.


https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
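As an added example that is not part of the thread, and not code from BIND or any resolver, the following Python models how a cache applies RPZ QNAME rules: the zone content, the NXDOMAIN / NODATA / passthru / local-data actions, and the walled-garden address a client ends up with, which is what the subject line calls a "filtered IP address". The zone origin, the domains and the upstream answers are constructed.

```python
"""Evaluate Response Policy Zone (RPZ) QNAME rules offline.
Added example, not code from any resolver or poster on the thread.
Each RPZ record's owner name is the trigger (query name + zone origin)
and its RDATA encodes the action; only QNAME triggers are modelled here
(RPZ also defines IP, NSDNAME and NSIP triggers)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample zone; every domain in it is hypothetical.
SAMPLE_RPZ = """
$ORIGIN rpz.example.
; "CNAME ." = answer NXDOMAIN
phish.test.rpz.example.         CNAME .
*.phish.test.rpz.example.       CNAME .
; "CNAME *." = answer NODATA (name exists, no records)
tracker.test.rpz.example.       CNAME *.
; rpz-passthru exempts a name that a broader rule would otherwise catch
safe.phish.test.rpz.example.    CNAME rpz-passthru.
; Local Data: hand back a walled-garden address instead of the real one
malware.test.rpz.example.       A     192.0.2.1
*.malware.test.rpz.example.     A     192.0.2.1
"""

# Special CNAME targets defined by the RPZ specification.
SPECIAL_ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}

@dataclass
class Verdict:
    action: str                    # SPECIAL_ACTIONS value, LOCAL_DATA or NO_POLICY
    trigger: Optional[str] = None  # matching trigger, zone origin stripped
    rdata: Optional[str] = None    # answer data for LOCAL_DATA

def parse_rpz(zone_text: str) -> dict[str, tuple[str, str]]:
    """Map trigger name (origin stripped) -> (rrtype, rdata)."""
    origin, rules = "", {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, rrtype, rdata = line.split(None, 2)
        owner, suffix = owner.lower(), "." + origin
        if not owner.endswith(suffix):
            raise ValueError(f"owner {owner} lies outside origin {origin}")
        rules[owner[:-len(suffix)]] = (rrtype.upper(), rdata.strip())
    return rules

def apply_policy(qname: str, rules: dict[str, tuple[str, str]]) -> Verdict:
    """Closest match wins: the exact name first, then wildcards walking up."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in rules:
            rrtype, rdata = rules[cand]
            if rrtype == "CNAME" and rdata in SPECIAL_ACTIONS:
                return Verdict(SPECIAL_ACTIONS[rdata], cand)
            return Verdict("LOCAL_DATA", cand, rdata)
    return Verdict("NO_POLICY")

# Constructed stand-in for what recursion to the authoritative servers returns.
UPSTREAM = {"malware.test": "203.0.113.7", "safe.phish.test": "203.0.113.8",
            "example.org": "203.0.113.9"}

def answer(qname: str, rules: dict[str, tuple[str, str]]) -> Optional[str]:
    """What the client sees: the real address, the sinkhole, or no address."""
    v = apply_policy(qname, rules)
    if v.action == "LOCAL_DATA":
        return v.rdata      # the "filtered IP address" of the subject line
    if v.action in ("PASSTHRU", "NO_POLICY"):
        return UPSTREAM.get(qname.lower().rstrip("."))
    return None             # NXDOMAIN, NODATA or DROP: nothing to connect to

if __name__ == "__main__":
    rpz = parse_rpz(SAMPLE_RPZ)
    for q in ["www.phish.test", "safe.phish.test", "tracker.test",
              "cdn.malware.test", "example.org"]:
        print(f"{q:18} {apply_policy(q, rpz).action:10} -> {answer(q, rpz)}")
```

The passthru rule is the piece an operator needs when a broad wildcard catches a legitimate host, and the local-data answer is why a filtered resolver is hard for a client to tell apart from a real one.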


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-28 Thread Delong.com via NANOG



> On Oct 28, 2023, at 10:28, Jay R. Ashworth  wrote:
> 
> - Original Message -
>> From: "Owen DeLong via NANOG" 
> 
>>> For a network feeding a data center, sure. For a network like
>>> Charter's which is feeding unsophisticated nontechnical users, they
>>> need all the messing they can get.
>>> 
>>> If you're one of the small minority of retail users that knows enough
>>> about the technology to pick your own resolver, go ahead.  But it's
>>> a reasonable default to keep malware out of Grandma's iPad.
>>> 
>>> R's,
>>> John
>> 
>> If it’s such a reasonable default, why don’t any of the public resolvers 
>> (e.g.
>> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
> 
> It's a reasonable default behavior *for default resolver servers for consumer
> eyeball networks*.
> 
> I knew that was what John meant, and I can't see any reason why you wouldn't 
> know it too, Owen; this isn't your first rodeo, either.

I knew that’s what he meant and I know what you mean. I still don’t agree.

Owen



Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-28 Thread Glenn McGurrin via NANOG
I'd agree and disagree. Filtering the default ISP-provided DNS server 
for consumer and possibly small business: reasonable, not without some 
issues, but reasonable. Comcast style, filter servers and intercept all 
DNS headed to other DNS servers and redirect them to your own servers 
and make it difficult to disable: unreasonable. If people deliberately 
choose to use different DNS, do NOT override that choice at an ISP level 
(corporate/business firewalls are a bit of a different story). Offering 
security-filtered DNS as a default ISP-provided server is a value add 
for many non-technical users; filtering beyond security or making it 
difficult to use other DNS servers is a detriment to users.


My view on small businesses with static addresses is a little more 
complex. They are more likely to be doing things the filtering might 
break, but many of those things are also best done while running your 
own recursive resolver, so it may not actually matter that much. But 
definitely don't do a forced DNS server via redirection of all DNS 
queries for such users; honestly, don't ever do that as an ISP without 
specific direct opt-in, not opt-in by not fighting with sales to remove 
a line from an order, or other "opt-in" that isn't actually customer 
initiated informed opt-in. I'm looking at you, Comcast.


On 10/27/2023 5:20 PM, John Levine wrote:

> It appears that Bryan Fields  said:
>
>> On 10/27/23 7:49 AM, John Levine wrote:
>>
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>>
>> I'd argue that as a service provider deliberately messing with DNS is an
>> obvious bad thing.  They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead.  But it's
> a reasonable default to keep malware out of Grandma's iPad.
>
> R's,
> John


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-28 Thread Jay R. Ashworth
- Original Message -
> From: "Owen DeLong via NANOG" 

>> For a network feeding a data center, sure. For a network like
>> Charter's which is feeding unsophisticated nontechnical users, they
>> need all the messing they can get.
>> 
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>> 
>> R's,
>> John
> 
> If it’s such a reasonable default, why don’t any of the public resolvers (e.g.
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

It's a reasonable default behavior *for default resolver servers for consumer
eyeball networks*.

I knew that was what John meant, and I can't see any reason why you wouldn't 
know it too, Owen; this isn't your first rodeo, either.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Owen DeLong via NANOG
>> DNS isn’t the right place to attack this, IMHO.
> 
> Why not (apart from a purity argument), and where should it happen instead? 
> As others pointed out, network operators have a vested interest in protecting 
> their customers from becoming victims to malware.


Takedowns of the hostile target sites.

You dismiss the purity argument, but IMHO, there’s merit to the purity argument.

Any such DNS filtration, if provided, should be provided on an opt-in basis, 
not as a default.

I’ve seen plenty of situations where the filters were just plain wrong and if 
the end user didn’t actively choose that filtration, the target site may be 
victimized without anyone knowing where to go to complain.

Owen



Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread niels=nanog

* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
> If it’s such a reasonable default, why don’t any of the public
> resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

It's generally a service that's offered for money. Quad9 definitely 
offer it: https://www.quad9.net/service/threat-blocking

> DNS isn’t the right place to attack this, IMHO.

Why not (apart from a purity argument), and where should it happen 
instead? As others pointed out, network operators have a vested 
interest in protecting their customers from becoming victims to 
malware.



-- Niels.


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Eric Kuhnke
When you have a sufficiently large mass of non-technical end users,
inevitably some percentage of them will end up doing something like
enabling WAN-interface-facing remote admin access, which then gets pwned and
turned into a botnet. It's a real problem at scale. Compromised CPE routers,
in addition to people visiting virus/trojan-laden webservers and infecting
their endpoint devices.

good example:

https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389



On Fri, Oct 27, 2023 at 3:37 PM John Levine  wrote:

> It appears that Bryan Fields  said:
> >On 10/27/23 7:49 AM, John Levine wrote:
> >> But for obvious good reasons,
> >> the vast majority of their customers don't
> >
> >I'd argue that as a service provider deliberately messing with DNS is an
> >obvious bad thing.  They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead.  But it's
> a reasonable default to keep malware out of Grandma's iPad.
>
> R's,
> John
>


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Michael Thomas



On 10/27/23 2:20 PM, John Levine wrote:

> It appears that Bryan Fields  said:
>
>> On 10/27/23 7:49 AM, John Levine wrote:
>>
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>>
>> I'd argue that as a service provider deliberately messing with DNS is an
>> obvious bad thing.  They're there to deliver packets.
>
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
>
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead.  But it's
> a reasonable default to keep malware out of Grandma's iPad.


How does this line up with DoH? Aren't they using hardwired resolver 
addresses? I would hope they are not doing anything heroic.


Mike



Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Owen DeLong via NANOG



> On Oct 27, 2023, at 14:20, John Levine  wrote:
> 
> It appears that Bryan Fields  said:
>> On 10/27/23 7:49 AM, John Levine wrote:
>>> But for obvious good reasons,
>>> the vast majority of their customers don't
>> 
>> I'd argue that as a service provider deliberately messing with DNS is an 
>> obvious bad thing.  They're there to deliver packets.
> 
> For a network feeding a data center, sure. For a network like
> Charter's which is feeding unsophisticated nontechnical users, they
> need all the messing they can get.
> 
> If you're one of the small minority of retail users that knows enough
> about the technology to pick your own resolver, go ahead.  But it's
> a reasonable default to keep malware out of Grandma's iPad.
> 
> R's,
> John

If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?

DNS isn’t the right place to attack this, IMHO.

Owen



Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread John Levine
It appears that Bryan Fields  said:
>On 10/27/23 7:49 AM, John Levine wrote:
>> But for obvious good reasons,
>> the vast majority of their customers don't
>
>I'd argue that as a service provider deliberately messing with DNS is an 
>obvious bad thing.  They're there to deliver packets.

For a network feeding a data center, sure. For a network like
Charter's which is feeding unsophisticated nontechnical users, they
need all the messing they can get.

If you're one of the small minority of retail users that knows enough
about the technology to pick your own resolver, go ahead.  But it's
a reasonable default to keep malware out of Grandma's iPad.

R's,
John


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread Bryan Fields

On 10/27/23 7:49 AM, John Levine wrote:

> But for obvious good reasons,
> the vast majority of their customers don't


I'd argue that as a service provider deliberately messing with DNS is an 
obvious bad thing.  They're there to deliver packets.

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net





Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread John Levine
According to Bryan Fields :
>On 10/25/23 4:58 PM, Compton, Rich A wrote:
>> Charter uses threat intel from Akamai to block certain "malicious" domains.
>
>Does charter do this on signed domains too?

Of course.

If you want to run your own DNSSEC resolver and bypass their malware
protection, you are welcome to do so. But for obvious good reasons,
the vast majority of their customers don't.

R's,
John