As a former malware researcher: no, this is not an ideal solution. Yes, we don't have anything better (well, there is the Google Safe Browsing list which most of the major browsers use). And, yes, it is a widely used method and it's effective.
Attila
On Tue, Apr 23, 2024 at 9:34 AM Daniel Stirnimann via swinog <swinog at lists.swinog.ch> wrote:
>> Yes, I understand the technical issues. And yes it's ugly. But do you
>> have a better solution?
> Swisscom should stop tampering with DNS, as it does not work, and is no
> solution to the problem.
I disagree, Swisscom still misses a lot of phishing and malware websites. I would like them to be way more aggressive. Their support staff has to deal with calls from infected customers. They might as well try as well as possible to prevent it from happening in the first place. If you belong to the <0.1% of people who want unfiltered DNS, just run your own recursive resolver.
> Part of the problem is that the user doesn't get an error message at
> all, and then mails us "hey, your website is down".
Eventually, web browsers will show better responses for non-resolvable domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).
EDE has code points for filtered or blocked DNS responses. Until web browsers care more about DNS, I advise being as verbose as possible when you block something.
For example, make the DNS output more verbose so that at least administrators realize why a domain name is blocked. Swisscom could have used a CNAME in the answer section to blocked.swisscom.com and they could also add an additional section with a SOA indicating the origin of the blocking. The RNAME field could be their report false positive email address and so on.
Daniel
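The verbose blocking answer sketched above (a CNAME to a block page, an SOA in the additional section whose RNAME carries a report address, and an RFC 8914 Extended DNS Error option) built and decoded in stdlib-only Python. This is an added example for administrators who want to recognise such a response, not code from anyone in this thread; all names (blocked.resolver.example, report-false-positive.resolver.example, malicious.example) and the EDE text are constructed placeholders, and the message is built without name compression.

```python
"""Build and inspect a DNS response that signals filtering the verbose way:
CNAME -> block page, SOA with report mailbox in RNAME, EDE option (RFC 8914)."""
import struct

EDE_OPTION_CODE = 15  # EDNS option code assigned to Extended DNS Errors (RFC 8914)
# RFC 8914 INFO-CODEs that indicate a deliberately withheld answer
EDE_CODES = {15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited"}
TYPE_CNAME, TYPE_SOA, TYPE_OPT = 5, 6, 41


def encode_name(name):
    """Wire-format a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off]; follows compression pointers, returns (name, next_off)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def rr(name, rtype, rdata, ttl=60, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_filtered_response(qname, block_page, soa_mname, soa_rname, ede_code, ede_text):
    """Constructed resolver answer: QR/RD/RA set, 1 answer, 2 additional (SOA + OPT)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 2)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    answer = rr(qname, TYPE_CNAME, encode_name(block_page))
    soa_rdata = encode_name(soa_mname) + encode_name(soa_rname) + struct.pack(
        "!IIIII", 1, 3600, 900, 604800, 60)  # serial, refresh, retry, expire, minimum
    additional = rr(block_page, TYPE_SOA, soa_rdata)
    text = ede_text.encode()
    ede_opt = struct.pack("!HHH", EDE_OPTION_CODE, 2 + len(text), ede_code) + text
    # OPT pseudo-RR: root name, class = UDP payload size, TTL = ext. rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(ede_opt)) + ede_opt
    return header + question + answer + additional + opt


def parse_response(msg):
    """Yield (name, type, class, ttl, rdata, rdata_offset) for every non-question RR."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen], off))
        off += rdlen
    return records


def explain_block(msg):
    """Pull out the three block signals an administrator would want to see."""
    info = {"cname": None, "soa_rname": None, "ede": []}
    for _, rtype, _, _, rdata, rd_off in parse_response(msg):
        if rtype == TYPE_CNAME:
            info["cname"], _ = decode_name(msg, rd_off)
        elif rtype == TYPE_SOA:
            _, o = decode_name(msg, rd_off)          # MNAME
            info["soa_rname"], _ = decode_name(msg, o)  # RNAME = report mailbox
        elif rtype == TYPE_OPT:
            o = 0
            while o + 4 <= len(rdata):
                code, ln = struct.unpack("!HH", rdata[o:o + 4])
                o += 4
                if code == EDE_OPTION_CODE and ln >= 2:
                    info_code = struct.unpack("!H", rdata[o:o + 2])[0]
                    extra = rdata[o + 2:o + ln].decode("utf-8", "replace")
                    info["ede"].append((info_code, EDE_CODES.get(info_code, f"code {info_code}"), extra))
                o += ln
    return info


def rname_to_email(rname):
    """SOA RNAME 'user.example.net.' -> user@example.net (ignores escaped dots in the local part)."""
    labels = rname.rstrip(".").split(".")
    return labels[0] + "@" + ".".join(labels[1:])


if __name__ == "__main__":
    msg = build_filtered_response("malicious.example.", "blocked.resolver.example.",
                                  "ns1.resolver.example.", "report-false-positive.resolver.example.",
                                  17, "matches phishing feed")
    found = explain_block(msg)
    print("redirected to:", found["cname"])
    print("report false positives to:", rname_to_email(found["soa_rname"]))
    for code, label, extra in found["ede"]:
        print(f"EDE {code} ({label}): {extra}")
```

Run against a real answer (e.g. captured with `dig +ednsopt=15` or a packet capture), the same `explain_block` tells an administrator at a glance whether a "down" site was actually filtered and where to report a false positive.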
swinog mailing list -- swinog@lists.swinog.ch To unsubscribe send an email to swinog-leave@lists.swinog.ch