[RPZ] "DNS Firewalls In Action - RPZ vs. Spam" (circleid)

April Lorenzen data at serverauthority.net
Sat Jan 5 04:08:41 UTC 2013


On 1/4/13 1:57 PM, Paul Vixie wrote:
> ...
> 
> John Hascall wrote:
>> So, what we need is an RPZ provider who lists all newly created domains for a few days...
> 
> being newly created, or being newly seen for the first time, are not good rubrics for evil. all evil has to do to beat this system
> is register a domain 72 hours (or 72 days, or whatever) and reference it a few times before its first malicious use.
> furthermore, many good and decent domain names are created only hours or minutes before their first never-malicious use.


I agree that miscreants can age their domains (tho they usually do so differently than legit users do). I think it would also be
preferable that there be no default time period known to be used for reputation weighting, thus no known safe time for the
miscreants to age. Realistically tho people always talk about and recommend or put in place such default values which are
accessible to the public, and the public includes miscreants. (As this list may anyway.)

Still, you restrict the methods available to miscreants when you force them to age instead of use instantly. I expect if the habit
of rejecting domains less than X time old was common with large entities, soon there would be very few hits (True Positives). The
existence of police/FBI reduces bank robberies of the old kind. The existence of a policy to reject domains newer than X would
reduce miscreants using that method which is quite abused at the moment, quite successfully abused.

For those doing statistical analysis of domains it does matter whether the researchers have 72 hrs or even 24 hrs ... vs 0 minutes
to gather data points to predict the reputation of a domain name.

Whois is too slow to be used during most initial transactions when encountering a domain that you may not know anything about.
Thus the reason I finally created IsNu.us after years of suggesting it to others. It's been around over a year in production use
and is definitely useful, and can also be mis-applied.

- April Lorenzen
https://service.dissectcyber.com/

> paul
