Good morning, I am currently analysing the DNS resolvers (local and public ones) in terms of protection and performance (in particular their speed). I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients? Thanks a lot
On Wed, Apr 20, 2022 at 8:00 AM Antonia Affinito <antoniaaffinito12@gmail.com> wrote:
I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients?
Howdy,
From a network engineering perspective, any resolver that responds to an authoritative NXDOMAIN by generating an address for a courtesy page -is- the malicious actor. Doubly so if they lie about the DNSSEC status in the response.
Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On Wed, Apr 20, 2022 at 8:39 AM William Herrin <bill@herrin.us> wrote:
On Wed, Apr 20, 2022 at 8:00 AM Antonia Affinito <antoniaaffinito12@gmail.com> wrote:
I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients?
From a network engineering perspective, any resolver that responds to an authoritative NXDOMAIN by generating an address for a courtesy page -is- the malicious actor. Doubly so if they lie about the DNSSEC status in the response.
Never mind; I misunderstood your question. The domain name exists but the resolver has blocked it. How should the resolver alter its response: NXDOMAIN or the IP address of a courtesy web page explaining the block? Regards, Bill Herrin -- William Herrin bill@herrin.us https://bill.herrin.us/
On Wed, Apr 20, 2022 at 11:00 AM Antonia Affinito <antoniaaffinito12@gmail.com> wrote:
Good morning, I am currently analysing the DNS resolvers (local and public ones) in terms of protection and performance (in particular their speed). I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients?
Resolvers are capable of rewriting a response to anything they want. In the case of filtering out known bad networks, you can find examples of both rewriting to a courtesy web page and NXDOMAIN. There is a scheme known as Response Policy Zone[1] that hasn't been standardized (yet?) but is available in some recursive DNS software, such as BIND, which lets you do either. As for which large operators respond in different ways, I'm afraid I can't help you there. I'm not aware of any surveys done of how individual large operators implement their end user protection services. [1]: <https://datatracker.ietf.org/doc/draft-vixie-dns-rpz/>
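Added example, not part of the thread or any poster's code: a minimal classifier for the two block behaviours described above, which parses a wire-format DNS reply and reports whether the resolver answered NXDOMAIN or handed back a courtesy page address. The courtesy range `192.0.2.0/24`, the name `blocked.example` and the helper `sample_reply` are constructed assumptions for illustration.

```python
import ipaddress
import struct

# Assumption: the operator's courtesy page lives in this range (TEST-NET-1, constructed).
COURTESY_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def _skip_name(msg, off):
    """Return the offset just past a DNS name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label terminates the name
            return off

def classify(msg, courtesy_nets=COURTESY_NETS):
    """Return (verdict, A-record addresses) for one wire-format DNS reply."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain", []
    if rcode != 0:
        return "other", []
    off = 12
    for _ in range(qd):               # skip question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4: # A record
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    if not addrs:
        return "no-address", []
    hit = any(a in net for a in addrs for net in courtesy_nets)
    return ("courtesy" if hit else "answer"), addrs

def sample_reply(qname, rcode, a_records=()):
    """Build a constructed reply (not captured traffic) to exercise classify()."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg += q + struct.pack("!HH", 1, 1)
    for ip in a_records:              # owner name is a pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += ipaddress.IPv4Address(ip).packed
    return msg
```

An NXDOMAIN rcode on its own does not show that filtering took place; the same query has to be compared against an unfiltered reference resolver.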
Ciao Antonia, If you are specifically looking for the Italian market try itnog. Itnog.it This has been discussed a couple of times on our telegram group and more lengthy questions can go on the mailing list. Both English and Italian are accepted. Some providers here in Italy offer protection as a paid service, others include it and all are required to block the AGCOM, CNCPO etc. requests. Brian
From: NANOG <nanog-bounces+b.turnbow=twt.it@nanog.org> On Behalf Of Antonia Affinito
Sent: Wednesday, April 20, 2022 11:07 AM
To: nanog@nanog.org
Subject: NXDOMAIN Resolvers
Good morning, I am currently analysing the DNS resolvers (local and public ones) in terms of protection and performance (in particular their speed). I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients? Thanks a lot
There are public and commercial offerings for "DNS based protection". E.g. 9.9.9.9 automatically generates NXDomains for suspected malicious DNS Names even in their free service. They have a page where you can check if you have been blacklisted (see https://www.quad9.net/de/result)
On 4/20/22 11:07, Antonia Affinito wrote:
Good morning, I am currently analysing the DNS resolvers (local and public ones) in terms of protection and performance (in particular their speed). I noticed that, in case of a malicious domain name, some local resolvers send an NXDOMAIN and others a courtesy page address. Do you know if the resolvers (for example TIM, Wind or Fastweb) can return an NXDomain in order to protect their clients?
Thanks a lot
participants (5)
- Antonia Affinito
- Brian Turnbow
- Matthew Pounsett
- Thomas Mieslinger
- William Herrin