In Taking Back The DNS I described new technology in ISC BIND as of Version 9.8.0 that allows a recursive server operator to import DNS filtering rules in what ISC hopes will become the standard interchange format for DNS policy information. Later I had to decry the possible use of this technology for mandated content blocking such as might soon be the law of the land in my country. I'm a guest at MAAWG this week in San Francisco and one of the most useful hallway discussions I've been in so far was about the Spamhaus DROP list.
The Spamhaus people do a lot of reputation research, and some of us subscribe to their online services in a way that causes us to reject e-mail traffic from network neighborhoods of purportedly low reputation. This is a dangerous way to operate one's network, since any mistake on Spamhaus's part could cause us to reject nonmalicious traffic. As the creator of the first Realtime Blackhole List (RBL) back at MAPS in the mid 1990s, I am well acquainted with both the risks and the benefits. For my home office those risks and benefits are well aligned. My long-term use of the Spamhaus SBL has helped me reject a lot of e-mail spam that would otherwise have landed in my family's inboxes, but as I add more communications tools (not just e-mail any more) I find myself wishing for a reputation tool that is not e-mail specific. The Spamhaus DROP list is such a tool: it is a list of networks that Spamhaus recommends we Do not Route Or Peer with (hence D-R-O-P). However, wiring something like the DROP into my router or firewall is more work than I'm willing to do.
The Shoe Drops
Today I realized that the Response Policy Zone (RPZ) DNS filtering technology in BIND9 (9.8.0) could be used to represent the Spamhaus DROP list. The effect is simply that a domain name returns a synthesized NXDOMAIN result (meaning "there's no such place") whenever the address that DNS would otherwise return is listed on the Spamhaus DROP. That prevents my family from accidentally visiting those locations with a web browser or any other communications tool. Freakishly enough, it will also prevent my e-mail server from accepting e-mail from those locations, since my e-mail server will not accept a message if it cannot successfully look up all of the domain names in the envelope and header.
So I took a copy of the Spamhaus DROP list, wrote a short Perl script to translate it from "lasso" format into "RPZ" format, and looked for some test data. The ISC Passive DNS system gave me a long list of domain names whose address records fell inside one of the entries I saw in the middle of the Spamhaus DROP, so I looked up each one of these to find one that has not yet been killed by its registrar or abandoned by its registrant — in other words something still living that my RPZ could kill off. Testing… testing… it works! There's no way to do forward or reverse DNS at my house any more for any address listed on the Spamhaus DROP.
Since the Spamhaus DROP is publicly and freely available, there's no secrecy around the data I used. Still, it bothers me to name names (and to name addresses), since I have no personal knowledge of any misdeeds by the operators of the domain names or IP addresses involved. So I'm going to anonymize here. The input data from the Spamhaus DROP file looks like this:
yyy.xxx.212.0/22 ; SBLzzzzz
The output data from my Perl script, in RPZ format now, looks like this:
22.0.212.xxx.yyy.rpz-ip CNAME .
*.212.xxx.yyy.in-addr.arpa CNAME .
*.213.xxx.yyy.in-addr.arpa CNAME .
*.214.xxx.yyy.in-addr.arpa CNAME .
*.215.xxx.yyy.in-addr.arpa CNAME .
I've sent the Perl script to Spamhaus in case they wish to publish it along with their DROP list.
Because of the ease with which criminals can "frequency hop" among many possible IP addresses, I've been rethinking my old position on IP source address based reputation systems. Criminals will always need identifiers for their traffic and content and there's a vibrant market of providers who want to make those identifiers as cheap and plentiful as possible — but more and more I think domain identifiers are going to be where the reputation industry puts most of their research effort. Still, I find it heartening that all of my family's communication tools rely on accurate DNS for every IP address they see — and so by using a domain-based filtering approach I can achieve an IP address based filtering result.