Hello,

I wish everyone a prosperous & productive 2017.

I wish to cast light on an abuse issue that has the potential to
effect, affect and impact the entire Internet.

As among the proponents of this abuse are certain Government
Security Agencies and many other powerful forces, I beg you to
attempt to understand how the changes being effected right now also
affect you right now and how they will affect you in the future.

My idea with this post is threefold: firstly, to educate, secondly, to
open discussion and thirdly, to agitate for change.

DNS Abuse
----------------
Sometimes abuse is creeping, like weed in a garden it becomes more
and more and more and does not just happen overnight. In fact, it is
so creeping that we do not really see the weeds as we have become
used to seeing them.

Just because there are so many weeds, it does not change the fact
that they are weeds and, in a well-maintained garden, they need to be
eradicated for the well-being of all the plants in the garden.

To understand how this is even abuse, and how this will change your
own life and the Internet in the future, you need to also understand
some basic facts. The arguments for, against the standards, the basic
tech concepts, the functional aspects and then understand why this is
actually abuse and not just an evil movement, evil standards or
generally just plain old evil.

Some important concepts in order to understand the technical logic and
the "explained purpose" and then, importantly, "the real purpose" of the
abusers:

Trillions of domain names can resolve to a single ipv4 ip number.
So, you could have
ex.example.com and
ex1.example.com and
cat.example.com - and have the same for unlimited names from unlimited
TLD to a SINGLE ip number.

All Domain names are intellectual property - yes, even
abc.dsrtif.dsaurthp.example.com

If a DNS server is asked for an IP number for google.com and it
answers 127.0.0.1 to one user and 0.0.0.0 to a different user (makes
up its own answers) - this is simply fraud, as google.com is a
trademark.
(replace google.com with apple.com or ibm.com, facebook.com or
any.example.com)

The proponents of DNS abuse argue that they are 'protecting' innocent
users by using DNS as a 'firewall' to create 'walled gardens' and to
respond with one ip number for a certain set of users and a different ip
number for different sets of users.

Of course, this argument is fatally flawed as per my example above.

Their response is that there are sometimes multi-homed ip numbers (100
domains on a single ip number) and that blocking per ip number blocks
innocent domains as well.

In order for you to form your own opinion you need to know that the
majority of DNS servers use the same software and that there are new
standards being introduced to formalize Internet Fraud. This Internet
Fraud empowers African Dictators to easily justify 'walled garden'
countries and is set to revolutionize your own Internet access. It also
empowers, facilitates and allows easy management to aggressive
ISPs, multinationals and many nefarious groups and people to manage
their activities. So, not only does the new software 'functionality'
exist, but it is being legitimized and formalized
by https://www.ietf.org/
(who, ironically, states: The goal of the IETF is to make the Internet
work better.)

In a nutshell, the above illustrates that the DNS software used by
almost all of the Internet is to have functionality that allows DNS
operators to LIE to users, but to lie one lie to some/certain users and
another LIE to different sets of users (depending on who is doing the
asking).

That is not all...

It also allows the DNS operators to hide the truth of these lies...

and that is not all...

The https://www.ietf.org/ is set to legitimize this nefarious behavior
under the flag of decency and good Internet operations.
So, it would be perfectly fine and acceptable for everyone to start
doing this, as it will be a 'standard'.

What this means for you: The future Internet will not be free and open.

Engineers supporting a non-functional and fatally flawed approach to
abuse is an indication of a far more serious problem - you need to
think about that for yourself, and what that means.

Of course, this in itself is abuse. This entire situation is Internet
Abuse and needs to be discussed as abuse.

Andre
--
more technical information:
https://tools.ietf.org/html/draft-vixie-dns-rpz-00