Subject: Re: DNS Blacklist feature
To: None <darcy@NetBSD.org>
From: Darren Reed <darrenr@netbsd.org>
List: tech-net
Date: 11/06/2007 08:41:36
D'Arcy J.M. Cain wrote:
> On Tue, 6 Nov 2007 11:39:08 +0100
> Martin Husemann <martin@duskware.de> wrote:
> > On Mon, Nov 05, 2007 at 05:10:46PM -0500, D'Arcy J.M. Cain wrote:
> > > Let's say that I have a DSL modem that picks up my ISP's nameserver
> > > automatically and I use the modem's DNS server on my NetBSD box behind
> > > the modem.
> > 
> > Probably stupid question:
>
> Certainly not stupid.
>
> > isn't it a lot easier to just not use that modem's DNS cache at all and
> > run your own caching dns on the machine where you'd put the /etc/hosts
> > lines in (in your example)?
>
> For you and me, probably.  Is that level of expertise our requirement
> for using NetBSD?  I would like to think that our system is usable by
> people whose expertise lies elsewhere.  I know that it is a small fence
> but it is a fence nonetheless.
>   

The level of expertise required here is anything but simple.

To even have a chance at making something like this usable by 
non-experts would require:
- hard coding in domain name to the DHCP client that it knows will fail,
  such as www.verizon-bites-my-ass.netbsd.org (*we* have to have
  ultimate control over the name);
- do a query for said name when dhcp-client receives an answer with
  DNS servers, sending a query to each server;
- verify that NXDOMAIN is returned by each server or;
- have a list of alternative DNS servers hard coded in somewhere to use
  instead.

While we can possibly come up with code to do 1-3, doing 4...how?
How do we choose suitable DNS servers for everyone in the event
that their ISP does this?
Even then there are implied privacy issues with always querying for a
.netbsd.org name (think about it.)  Why not use a totally bogus domain
name as the target like www.no-such.domain.exists?  That is believably
false and maybe Verizon could be smart about what they do if lots
of people started to use something that was obviously not a real DNS
name as a canary.

But realistically, this isn't a problem for NetBSD to solve.
One might also ask the question of why it must be a different
experience for NetBSD users vs others.

The problem is an anti-social ISP and as anyone who's been on the
Internet for long enough knows, you cannot solve social problems
by using technology - you can only push them around.

Darren
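The canary check sketched in steps 1-3 above (send a query for a name known not to exist to each DHCP-supplied resolver and verify that each one answers NXDOMAIN rather than a wildcard A record), as an added example that is not part of this thread or of any NetBSD code. It builds and parses raw DNS packets with the standard library only; the server addresses, the answer IP, and the `fake_exchange` stand-in for the network are constructed for the demonstration, and the canary name is the one suggested in the message. Pass no `exchange` argument to send real UDP queries.

```python
import secrets
import socket
import struct

NXDOMAIN = 3
NOERROR = 0
# Name from the message above; must never exist, so an A answer means the
# resolver is synthesising records for names it cannot resolve.
CANARY = "www.no-such.domain.exists"


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS query: header with RD=1, one question for A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past an owner name, handling a trailing compression pointer."""
    while True:
        length = data[off]
        off += 1
        if length == 0:
            return off
        if length & 0xC0 == 0xC0:      # pointer: one more byte, then done
            return off + 1
        off += length


def parse_response(data: bytes):
    """Return (txid, rcode, [A-record addresses]) from a raw response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return txid, rcode, addrs


def classify(query_txid: int, response: bytes) -> str:
    """honest: NXDOMAIN with no answers; hijacked: NOERROR with A records."""
    txid, rcode, addrs = parse_response(response)
    if txid != query_txid:
        return "mismatched-id"
    if rcode == NXDOMAIN and not addrs:
        return "honest"
    if rcode == NOERROR and addrs:
        return "hijacked"
    return "unexpected"


def udp_exchange(server: str, query: bytes, timeout: float = 3.0) -> bytes:
    """Real network path: one UDP round trip to port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def check_resolver(server: str, canary: str = CANARY, exchange=None) -> str:
    """Step 2-3 of the procedure for a single resolver."""
    txid = secrets.randbelow(65536)
    resp = (exchange or udp_exchange)(server, build_query(canary, txid))
    return classify(txid, resp)


def audit_resolvers(servers, canary: str = CANARY, exchange=None) -> dict:
    """Run the canary check against every DHCP-supplied resolver."""
    return {s: check_resolver(s, canary, exchange) for s in servers}


# --- constructed stand-in for the network, used for the offline demo -------
def build_response(query: bytes, rcode: int, answer_ip: str = None) -> bytes:
    """Echo the query's id and question; optionally add one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if answer_ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answer += bytes(int(x) for x in answer_ip.split("."))
    return header + query[12:] + answer


def fake_exchange(behaviour: dict):
    """behaviour maps a server address to 'honest' or a wildcard IP string."""
    def exchange(server, query):
        b = behaviour[server]
        return build_response(query, NXDOMAIN) if b == "honest" else build_response(query, NOERROR, b)
    return exchange


if __name__ == "__main__":
    # 192.0.2.x and 198.51.100.7 are documentation addresses, constructed here.
    demo = fake_exchange({"192.0.2.1": "honest", "192.0.2.2": "198.51.100.7"})
    print(audit_resolvers(["192.0.2.1", "192.0.2.2"], exchange=demo))
```

A resolver classified as `hijacked` is doing exactly what the thread complains about; the script deliberately stops at reporting, since choosing replacement servers (step 4) is the part the message argues has no general answer.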