Taking Back the DNS

Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.

Society's bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world's money supply and banking system, so it is that organized e-crime now requires access to the Internet's resource allocation systems. They are using our own tools against us, while we're all competing to see which one of us can make our tools most useful.

My thinking when I created the first RBL (now called a DNSBL; mine was the MAPS RBL though and so that's how I still think of it) back in the mid/late 1990's, was that universal access between e-mail servers was a greater boon to the bad guys than to the good guys, and so I worked to create a way that cooperating good guys could make their mailers less accessible. While I didn't reach my objective of stopping spam, I did help establish the "my network, my rules" theory of limited cooperation for Internet resources. Simply put, it's up to every network owner to decide who they will or won't cooperate with, and the way to get your traffic accepted by others is to be polite and to spend some effort trying to avoid annoying folks or letting your customers annoy folks.

Here, in 2010, I've finally concluded that we have to do the same in DNS. I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant. So, we at ISC have devised a technology called Response Policy Zones (DNS RPZ) that allows cooperating good guys to provide and consume reputation information about domain names. The subscribing agent in this case is a recursive DNS server, whereas in the original RBL it was an e-mail (SMTP) server. But, the basic idea is otherwise the same. If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider.

ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define "the spec" whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.

The first public announcement of DNS RPZ was at Black Hat on 29-July-2010 and then at Def Con on 30-July-2010.

The current draft of "the spec" is here. No backward-incompatible changes are expected, and both reputation providers and recursive DNS vendors are encouraged to consider developing products that use this format to express DNS reputations.

Late news: RPZ (Format 2, with RDATA rules) is part of BIND 9.8.0 as of Beta 1, and so no special patches are needed when testing RPZ.
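As an added illustration, not part of the original post or of ISC's own documentation, here is what a small Format 2 policy zone looks like, with the matching named.conf statements shown in a comment; the policy zone name, the listed domains, the parking nameserver and all addresses are constructed for this example.

```zone
; rpz.example.net -- constructed example of an RPZ (Format 2) policy zone.
; Policy is expressed as ordinary DNS records: the owner name is the trigger,
; the RDATA is the action. The recursive server loads it like any other zone
; (typically as a slave of a reputation provider, so updates arrive by AXFR/IXFR)
; and names it in named.conf:
;
;   options { response-policy { zone "rpz.example.net"; }; };
;   zone "rpz.example.net" {
;       type slave; masters { 192.0.2.53; }; file "rpz.example.net.db";
;   };
;
$ORIGIN rpz.example.net.
$TTL 1H
@       IN SOA  rpz.example.net. hostmaster.example.net. (
                2010073001   ; serial: bump on every rule change so slaves refresh
                1H 15M 30D 2H )
@       IN NS   localhost.   ; never queried; a placeholder NS satisfies the zone check

; --- QNAME triggers: owner is the queried name, written relative to $ORIGIN ---

; CNAME to the root (".") => the client receives NXDOMAIN: the name does not resolve
malwaredownload.place.example       CNAME .
*.malwaredownload.place.example     CNAME .      ; and every name below it

; CNAME to "*." => NODATA: the name exists but has no records of the requested type
tracker.place.example               CNAME *.

; Local Data => "walled garden": answer with our own address so a victim's browser
; lands on an internal warning page instead of the phishing kit
phish.place.example                 A     192.0.2.80   ; constructed: local warning host
phish.place.example                 AAAA  2001:db8::80

; CNAME to rpz-passthru. => exempt from rewriting. QNAME triggers are checked before
; IP/NSDNAME/NSIP triggers, so this protects a name that shares an address range or
; a nameserver with something listed below.
bank.example.org                    CNAME rpz-passthru.

; --- IP trigger: rewrite answers whose A data falls inside a prefix --------------
; encoding is <prefixlen>.<octets in reverse order>.rpz-ip, so 198.51.100.0/24 is:
24.0.100.51.198.rpz-ip              CNAME .

; --- NSDNAME trigger: rewrite any name whose delegation points at a given NS -----
; one entry covers every domain parked on an abused nameserver, instead of listing
; each domain as it appears
ns1.parking.example.rpz-nsdname     CNAME .
*.parking.example.rpz-nsdname       CNAME .
```

A query for anything ending in malwaredownload.place.example gets NXDOMAIN, a query for phish.place.example gets 192.0.2.80, and bank.example.org resolves normally even if its records would otherwise match the IP or NSDNAME rules.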

Comments and questions can be sent here. I'd especially like to hear from content providers who want to be listed by ISC as having reputation content available in this format, and also recursive DNS vendors whose platforms can subscribe to reputation feeds in this format. An online registry will follow.

We're about to enter a bold new world where the good guys do not automatically grant the use of their DNS resources to bad guys. I don't like the need for this but I'm finally pulling my head out of the sand. So, let's party.

See CircleID Post.


Comments

This is bad stuff. It forces admin (management) opinion on users. Even worse than current filtering proxies, since it's at the network's core.

Admins have always had the ability to force their opinion on the users. This is no change from spam blocking in that regard.

Design a name service that can't be abused by the scummy elements of humanity, then we can talk about the issues of management forcing opinions on users.

Sorry, reality is biting us in the backside and it's totally reasonable to find a real-life solution.

This is already being done in many enterprises. It's being done in an ad-hoc way by slamming in zones to local resolvers on-the-fly, etc. It's nice to have a scalable specification and reference implementation to make this stuff work well. Thanks.

John Kristoff and I had been thinking about trying to set up a "DLV-for-bad-guys" type thing, and this seems to do something much better.

I don't get the point of creating such a domain reputation system. As long as registering a new domain costs next to nothing and nobody cares to identify who gets a delegation for a new domain, the reputation system is totally useless. "Oh my god! My domain has an awful reputation! Shit! I'm gonna need to spend 10 more bucks!"
Phishing and spamming campaigns won't be affected, although they are the very problem.
The real problem is located just under your nose: the registrars who are too sloppy to control who gets a delegation for an SLD and to stop "bad guys" from obtaining new ones after they have done their first mischief.
But go ahead, create another useless technology to heal the syndrome and not the disease.
*sigh*

Florian,
The problem isn't the reputation of domain names (or FQDNs), it's the use/abuse of an FQDN in the malware infection vector. If you can, as an enterprise, quickly and easily (just an AXFR away) insert 'malwaredownload.place.com IN A 127.0.0.1' into your recursive resolvers, this should help prevent some/many/all of your enterprise users from downloading the malware in question.

It won't help everything, it may not keep all your users from being infected, but it certainly is simpler than the current rash of solutions like: "Load 18k zones into your recursive resolver, woot!"

$ grep zone /etc/bind/spywaredomains.zones | wc -l
18989

(for a real-life instance of this).

The ability to use your recursive resolvers, efficiently, in the security policy enforcement process is powerful. As Michael points out, it's being done today in ad hoc manners; this could make it simpler/easier/faster.

Good idea, is anyone trying to bring Microsoft on board?

The problem will once again be to select who you trust.

With the DNS-SMTP-Blacklists it was only a matter of identifying which domain has sent out SPAM at some point in time. To determine even that proved to be difficult, and some domains have been held hostage by DNSRBL admins. Of course, this has to be said, a large amount of spam could be avoided using this approach. I'm just not comfortable with the thought that somebody else should implement "my" policy (or that of my employer).

Now with the "generic DNS blacklists" this problem becomes even more serious: not only will email messages fail to be delivered, but also websites won't be resolved any more. That, given the very diverse perception of a website's content in various parts of the world (what is porn, what is politically not correct, ...), will lead to many different lists with different blacklist policies. The problem will thus just be shifted from "implementing local policies" to "finding a reasonable DNS blacklist provider".

Even worse, it may at some point in time be advisable for an organisation to take part in one of these efforts and blacklist certain domains, because they may otherwise be liable to legal action against them.

Internet neutrality is definitely something else.

Comrade Paul,
me like you very much. Long live USSR.

And lay off writing anything but code... "Most new domain names are malicious." with absolutely no evidence presented.

I know you have spent what probably feels like half a lifetime working on DNSSEC. Thanks. It is appreciated.

Now that the transport of DNS is going to become secure, I guess it was almost inevitable that the bad guys were going to start moving their attention to something else, i.e. generating bad content.

I think it's almost inevitable that we are going to see a splintering of DNS content and the Internet in general, although I hope not.

There'll continue to be rapid registration as per today, but the noise-to-signal ratio will increase just like it did with Usenet and then with email and then ...

I think there'll also be a move towards (new) highly controlled top level domains. This is going in the direction that a company will have to prove legal name ownership, and also provide a government registration document such as the local chamber of commerce document, and something signed by a notary public, before being granted a DNS registration.

There'll also be a CAcert or another well-meant web-of-trust type initiative attempting to take off...

In short, the problem remains the same: there is a minority of people who are intent on breaking the law and abusing the Internet, and they are difficult to separate from the mass of well-meaning but anonymous users.

One real way to stop this is to make it commercially nonviable by introducing central clearing houses for messages like national telephone companies, together with usage charges, and make abuse a criminal offence to boot. But that will probably also just kill everything good about the Internet.

On a more upbeat note: DNSSEC root provides a pretty neat root anchor for security mechanisms.

Now that the root is finally signed, shouldn't there be a standard mechanism to either distribute directly, or at least provide a link to, a public key certificate for a domain so that people can sign their email with a private key? Sort of like the reverse of an MX record, i.e. mail from rather than mail to. (Signed mail can correctly increase their whitelist score, or provide privacy like PGP, or whatever other existing mechanism.) This has potential to get rid of a lot of this nonsense of attempting to block by RBL or IP address or poorly thought out SPF TXT record.

I mean the Internet is meant to provide any to any connectivity, and mobile use is only increasing. I see no reason why my phone shouldn't be able to send a message to your phone directly if we trust each other.

I agree with Florian's comment above... the ease and speed of creation is just too high, and it will be very hard to keep up with the list of malicious domains in anything approaching a useful fashion.

HOWEVER.... keeping track of "abused" authoritative nameservers? That's a whole different story. THOSE there is a finite number of. And, better, when large-abused-sites (like, say, domaindirect's DNS-parking-resolvers) start getting listed for their customers' behavior (causing, unfortunately, some collateral damage) it will incentivize the registrars to come up with a solution other than "keep cashing the checks".

Splendid idea. Before the DNSBL revolution, I could reliably communicate with anyone worldwide via e-mail and know with 99% certainty that my message would go through. Today however, e-mail is a minefield of poorly-tuned, message-vaporizing spam detectors and of broken blocklist implementations rejecting megabytes of legitimate correspondence. So much so that many no longer bother with e-mail as a primary means of reliable communication. And all because of idealistic schemes that didn't take into account the immutable real-world human factors that always thwart them: laziness, incompetence, disorganization, corruption, politics, and poor communication in and among those responsible for their implementation and administration (i.e., human beings).

Now you evidently want to do this to the granddaddy of them all - the domain name system - while somehow expecting it to work differently this time. Have you ever heard that the road to hell is paved with good intentions? While writing this blog post, "while I didn't reach my objective of stopping spam" should have been the point where you yourself stopped, followed by sinking into a 1,000 mile stare. Is it just me, or do you also look forward to your connectivity to any given web site becoming as much a guessing game as your ability to, say, e-mail somebody at a non-mainstream e-mail provider in a non-English-speaking country ... and vice versa? Sigh.

It will not be spammers or phishers who ultimately destroy the internet as we know it today. It will be attempts to stop them at the infrastructure level. Spammers and phishers have only one goal: communicating advertising messages and malicious code to gullible users. Your problem is, they do not care which channels they communicate those things through. By rendering one avenue difficult or useless, you merely scoot them along to the next. Hence, your ultimate goal of squashing the "bad guys" will literally never happen (you won't even dent their hulls!) until you have broken absolutely every last form of communication and connectivity on the internet itself. That is what the "good guys" cannot seem to comprehend. That to make the internet useless for bad people, it must also be made useless for good people. You could literally firewall the entire damned thing to where the internet passed only ICMP echo requests, and do you know what would happen then? Spammers would resort to hawking viagra via ping packets fired in morse code, hoping to reach ham radio operators looking in the general vicinities of their DSL modems' RX LEDs. (I'm *not* kidding.)

Parasitical elements know no low. Stopping an infinitely underhanded adversary technologically can only be accomplished with infinite technological repression. When the "good guys" finally get this (and hopefully realize they don't want an infinitely repressive internet), perhaps more realistic solutions than turning the internet into a police state will prevail. Seriously, what will the good guys propose as the next brilliant solution when DNS RPZ completely fails to dent any of these problems? Government licenses to use the internet, and to run web sites? And what will the good guys propose when the licenses fail? Criminalizing personal computers, and requiring that everyone replace them with dumb terminals feeding off of a regimented cloud of strictly controlled online services? And when that fails? Perhaps forcing everyone to go online from public cafes patrolled by police? Like teachers strolling the aisles of school computer labs checking for students goofing off on 4chan? Where does it end?

Phishing and spam are not technological problems. They are social problems for which the internet merely serves as an amplifier. Phishing is really just purse snatching. Spam is really just infomercials littering the airwaves. As long as people carry wallets (have online bank accounts), they will be robbed. As long as there are cretinous idiots who watch infomercials (who buy garbage from spammers), there will be spam. And neither of these problems will be solved or even dented by locking down the amplifier. Because as said, as long as the amplifier remains capable of amplifying anything at all, it will continue to amplify the purse snatchings and the infomercials along with everything else.

Want to reduce phishing to inconsequential levels for real? Treat it as the social problem that it really is: bank robbery on a tremendous scale. Anybody convicted of phishing their way into 20,000 bank accounts (or of running a botnet facilitating the robbery of those 20,000 bank accounts) should be treated as if he robbed 20,000 actual banks (or drove 20,000 actual getaway cars). Which is to say: put them in prison until they die there of old age. Yes, really. And want to reduce spamming to inconsequential levels? Treat it as the social problem that IT really is: mass disruption of the public airwaves. Fine the spammer tens of millions of dollars, as the FCC would a pirate who trashed every television frequency with RF interference everywhere simultaneously.

Proportionately port the amplification effect of the internet itself over to the prosecution of the crimes amplified by it. And of course, actually carry out those prosecutions. Have you ever heard of a real bank being robbed, and the FBI or secret service simply not bothering to show up? Have you ever heard of anybody blasting the radio and television broadcast spectrum with interference until reception of legitimate services became hopeless, with the FCC reacting by simply saying "oh well?" Of course not. I guarantee you that if spam and phishing were investigated just as actively, and prosecuted "to scale," both would fall through the floor in short order. And yes, international cooperation on this approach would be required. But as the battle against child pornography has demonstrated, there are no borders to law enforcement cooperation on the internet. This is simply a matter of motivating the politicians to get off their tax-fattened asses and push the appropriate punitive and enforcement legislation through. Perhaps a better endeavor for your sort to invest its energy into than helping design more technical specifications for locking down our internet that will ultimately do nothing but inconvenience and muzzle us. >:(

Reputation management must continue to expand from low level elements such as mail servers and domain names to eventually apply to all content.

Some day, content reputation might eventually eliminate the need for the lower level filters, but for now every effort towards reputation management is a good step.

My vision for content reputation involves an architecture for generating, deriving, and registering attributes to each piece of content. There would be many independent "attribute databases," which would be dynamic and extensive.

A collection of endorsements would apply to each attribute for a given piece of content, and the entire "rating" would be reduced to a reference vector based on "trusted" attribute database providers.

To get carried away, I'll add that an aggregate piece of content could contain many components, each having their own attribution, and the aggregate's overall attribution would include a recursive derivation of the subordinate pieces.

As private IP networks and public IP networks are becoming the same MPLS infrastructure across the planet, and as security requirements for private IP are becoming the same as for public IP, and as cloud computing blurs so many boundaries, and as governments and enterprises vie for influence in the run-away globalization freight train, and as issues like privacy and copyrights are ferociously battled, I see changes on the horizon. Think about the changes from horse and buggy to the US auto industry in the 1950's. Think about the changes from rotary dial phones to current smart phones. A lot of change in a relatively short period of time.

I see all content including email messages, personal web pages, blog postings, advertising, entertainment media, encyclopedic reference content -- virtually all information that might traverse the network -- being submitted to an information provider from where the intended recipients can retrieve the information. Recipients of information control their own mining filters, and they can personalize a combination of filter definitions from filter providers, and providers of information can earn passage through target filters by having strong credibility in their content attributes that meet their intended audiences' common notion of "acceptability." Lack of visibility in a publisher's credibility base would poison the content for most filters, and the presence of visibility would disincentivize harmful acts. The correct architecture would ensure that reputation is very difficult to falsify, false reputation is virtually impossible to sustain, and good reputation is very critical to having one's content reach the intended audience.

Even if my vision is way off, I see a need for some greenfield work and some new architectures -- not just some new tools and tweaks.

Just expressing my opinion -- but what do I know? Just check my reputation ;-)

Your starting point is quite hilarious. That is the same as saying: "Any little child growing up from now on is bad". It is a very interesting point of view. Spam and malware websites are the result of poor admin capability and ISP connivance. When a user signs up for an Internet access service, he accepts and agrees to the conditions of "ethical use of the Internet", with several rules to be followed. But when an ISP breaks those same rules, nobody is able to disallow the routes to the real malware administration. Neither DNS nor SMTP has been updated for current days. They were designed for "good humans and a good, healthy environment", which is outdated today. DNS should be under an intermediate transport protocol between TCP and UDP, with some TCP features implemented over UDP. Some access rules MUST BE rewritten, and the LANNIC and cooperators could be able to turn off that domain: "pushing the turn-off button", an action that they are not authorized to take, but should be. From my infinitesimal importance and insignificant point of view, no new tool will solve the problem.

Hoorah for censorship that will only ever cause issues for legitimate users. Keep up the good work and please don't blacklist my domains out of spite.

Some prominent vendors (Network Solutions) are to blame:

They will cut off some of your domain names (*.de for example) from your actual Web server without telling you, and redirect them to their adware platform which sells space to your competitors.

That's wrong for three reasons:

- that's illegal (a breach of trust: you pay to be stolen);
- some of the ads are just vulnerability exploits;
- your domain name is then blamed for the damage.

NetSol does this in a stealthy manner, and when you notice, it takes weeks (and legal action) to get back all your domains because they oppose the migration by all possible (unfair) ways, like repeatedly asking for documents that they already have.

The fun in this story: they also are involved in the "reputation" business so they can at the same time steal your customers, hack them, and put the blame on you.

All this story is backed by tens of emails (just if one needs to prove the case).

No wonder why you have a problem Houston.

I like how all these people post their criticism anonymously.

As an IT professional that has dealt with DNS problems and spam issues I can tell you unequivocally that reputation filtering is not only good but necessary.

SenderBase is the death knell of spam; the only reason spam continues to thrive is because more people do not make use of it.

Something like SenderBase for DNS would effectively end the malicious registering of bogus/malware-infested sites.

Any cognizant person with experience in this field will attest to this, so for all of you wanna-be-experts out there listen up!

Just because you can fix a few computer problems DOES NOT MAKE YOU AN EXPERT ON ALL COMPUTING ... ESPECIALLY DNS!

Dude, that is the most eloquent, well thought out, comprehensible and thoroughly logical argument I have read in a very long time. Thank you! It was a pleasure to read.

I don't see how this can possibly work fast enough.
I think this problem needs to be attacked on the creation side.

I'm thinking of something like an identification certificate (portable to all registrars) that goes with your request.

So if I'm the DNS guy at example.com and we're launching our new "frobozz 2011" product then I can use example.com's cert for my request for "buyfrobozz2011.com".

Now the reputation of example.com can be used to prime the reputation of the new domain (and if example.com's rep is too low, no new domains for them).

This could apply up the certificate chain, as example.com's rep goes up/down this affects the rep of their cert issuer (thus legitimate businesses and individuals would seek out issuers who will provide them with a good initial rep and issuers would use care in validating new customers to preserve their rep).

Now the problem is reduced to issuers validating "Example Inc" for their initial acquisition of example.com (something akin to the EV SSL perhaps).