Re: [DNSOP] Review of draft-livingood-dns-redirect-00

Tony Finch <dot@dotat.at> Wed, 15 July 2009 18:46 UTC

Date: Wed, 15 Jul 2009 19:46:17 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Andrew Sullivan <ajs@shinkuro.com>
In-Reply-To: <20090715162946.GO6313@shinkuro.com>
Message-ID: <alpine.LSU.2.00.0907151936250.30197@hermes-2.csi.cam.ac.uk>
References: <C67B83C4.E855%Jason_Livingood@cable.comcast.com> <20090713202948.GE3018@shinkuro.com> <20090714212642.GD822@sources.org> <20090715162946.GO6313@shinkuro.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Review of draft-livingood-dns-redirect-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Wed, 15 Jul 2009, Andrew Sullivan wrote:
>
> Just because I know how to avoid going to phishing and malware sites
> does not mean it is within the competence of the average user.

A better way for ISPs to address that problem is to run an intercepting
web proxy that traps connections to infested web servers. The proxy can
then intercept HTTP requests to malware-carrying URLs. (The UK's IWF
blacklist is often implemented this way.) The intercept can be made
specific to particular ports so it doesn't affect non-web protocols. It is
consistent with what RFC 4084 calls "firewalled internet connectivity".

Even better would be for users to upgrade to a browser that implements its
own safe browsing checks, and which has a decent user interface when DNS
lookups fail. It's probably cheaper for ISPs to provide a local download
site for a supported web browser than to implement a lying DNS resolver.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
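The two blocking granularities contrasted in the message above, worked as an added example that is not code from the message, from the IWF, or from any ISP's deployment: a port-specific intercepting proxy that matches full URLs against a blocklist, beside a hostname-only decision of the kind a "lying" resolver is limited to. The blocklist entries, hostnames, URLs and the set of intercepted ports are all constructed for illustration.

```python
# Added example (not from the original message): URL-level interception on
# web ports versus hostname-level blocking in the resolver. Everything below
# (BLOCKLIST, WEB_PORTS, the hostnames) is constructed for illustration.
from urllib.parse import urlsplit, unquote

# Constructed URL-level blocklist: scheme-less "host/path" entries. An entry
# ending in "/" blocks a whole directory prefix; otherwise it names one file.
BLOCKLIST = [
    "example.test/downloads/evil.exe",
    "cdn.example.test/ads/",
]

# Only these destination ports are steered through the proxy; SMTP, SSH and
# other non-web protocols never reach it, as the message recommends.
WEB_PORTS = {80, 8080}


def normalise_host(host: str) -> str:
    """Case-fold and strip a trailing dot so 'Example.TEST.' matches 'example.test'."""
    host = host.strip().lower()
    return host[:-1] if host.endswith(".") else host


def normalise_url(url: str) -> tuple:
    """Return (host, path) with the host case-folded and the path percent-decoded.

    Decoding matters for blocklist matching: '/downloads/%65vil.exe' is the
    same resource as '/downloads/evil.exe' and must hit the same entry.
    """
    parts = urlsplit(url)
    host = normalise_host(parts.hostname or "")
    path = unquote(parts.path) or "/"
    return host, path


def proxy_decision(url: str, dst_port: int) -> str:
    """Intercepting web proxy: 'pass' (not intercepted), 'block' or 'allow'."""
    if dst_port not in WEB_PORTS:
        return "pass"  # non-web traffic is not even inspected
    host, path = normalise_url(url)
    for entry in BLOCKLIST:
        b_host, _, b_path = entry.partition("/")
        if host != normalise_host(b_host):
            continue
        b_path = "/" + b_path
        if b_path.endswith("/"):
            if path.startswith(b_path):      # directory prefix
                return "block"
        elif path == b_path:                 # exact file
            return "block"
    return "allow"


def lying_resolver_decision(qname: str) -> str:
    """Hostname-only blocking: the resolver sees neither the URL nor the port,
    so any name that appears in the blocklist is redirected wholesale."""
    blocked_hosts = {normalise_host(e.partition("/")[0]) for e in BLOCKLIST}
    return "redirect" if normalise_host(qname) in blocked_hosts else "answer"


if __name__ == "__main__":
    for url, port in [
        ("http://example.test/downloads/evil.exe", 80),
        ("http://EXAMPLE.test./downloads/%65vil.exe", 80),
        ("http://example.test/index.html", 80),
        ("http://example.test/downloads/evil.exe", 25),
    ]:
        print(f"proxy {url!r}:{port} -> {proxy_decision(url, port)}")
    print("resolver example.test ->", lying_resolver_decision("example.test"))
```

The proxy blocks the listed file (including the case-folded, percent-encoded spelling of it) while leaving `index.html` on the same host reachable and leaving port 25 untouched; the resolver-side decision can only redirect the whole of `example.test`, collateral included. The normalisation step is the part that tends to go wrong in real deployments: a list matched on raw request strings is trivially bypassed by recoding the path or changing the case of the host.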