Scott Schmit <i.g...@comcast.net> wrote:
>
> If the admin's goal is to block access to malicious sites, then they
> want to block the traffic, not falsify DNS. If the goal is to warn
> users away from bad places, they can publish the list as a filter for
> end-system firewalls.
Blocking traffic at a lower level is tricky. Blocking by IP address has a high false-positive problem because of name-based virtual hosting. Blocking by URL requires an intrusive middlebox. And if you deploy that kind of blocking it is harder to give users an opt-out.

I agree it would be nice to be able to ship block lists to end-user devices, but there's not much open technology to do that. AV software is supposed to do this kind of thing but it's sufficiently ineffective that security admins want centralized blocking to try to plug the holes.

Like most universities, we have a problem with fairly frequent targeted phishing attacks (they re-skin their phishing site to look like our single-sign-on login page) and services like Google Safe Browsing don't catch these attacks fast enough, nor do they provide a way for us to augment their list with our own blocklist.

> You make a good point. Sounds like there's no need for the IETF to
> publish this as an RFC, since admins can already do this via other
> means. What does this make easier that should be made easier?

The point of making this a standard is so that multiple suppliers can supply policy zones in a standard format, and DNS software from multiple vendors can consume these policy zones. From my point of view as an admin at a site which doesn't have the resources to maintain our own comprehensive block list, this is a boon.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Thames, Dover, Wight, Portland, Plymouth: Variable 3 or 4 becoming east or northeast 4 or 5. Slight or moderate, becoming moderate or rough in Portland and Plymouth and very rough later in southwest Plymouth. Drizzle, fog patches. Moderate or good, occasionally very poor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
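As an added illustration, not part of the thread above or of any draft, here is how a resolver can consult several policy zones in a fixed order, a locally maintained zone ahead of a supplier's feed, so that a site can both add its own phishing domains and carve out exceptions. The zone contents, domain names and function names are constructed for the example; the record conventions (a CNAME target of `.` meaning NXDOMAIN, `*.` meaning NODATA, `rpz-passthru.` meaning answer normally) follow the response-policy-zone style.

```python
# Policy zones in the RPZ record style: the owner name is the trigger and
# the CNAME target encodes the action. Both zones below are constructed.
VENDOR_FEED = {                      # hypothetical supplier feed
    "phish.example.net": ".",        # NXDOMAIN
    "*.badcdn.example": ".",         # NXDOMAIN for every subdomain
}
LOCAL_ZONE = {                       # site-maintained zone
    "sso-login.example.com": ".",    # re-skinned copy of our SSO page
    "research.badcdn.example": "rpz-passthru.",  # local exception
}
# Zones are consulted in this order; the first zone with a match wins,
# so listing the local zone first lets it override the vendor feed.
POLICY_ORDER = [LOCAL_ZONE, VENDOR_FEED]

ACTIONS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def match(zone, qname):
    """Return the action a single zone gives for qname, or None.

    An exact trigger beats a wildcard, and a wildcard '*.x' matches any
    name below x but not x itself, following ordinary DNS wildcard rules.
    """
    qname = qname.rstrip(".").lower()
    if qname in zone:
        return ACTIONS[zone[qname]]
    labels = qname.split(".")
    for i in range(1, len(labels)):          # most specific wildcard first
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return ACTIONS[zone[wild]]
    return None


def resolve_policy(qname, order=POLICY_ORDER):
    """Apply the configured zones in order; 'ANSWER' means no policy hit."""
    for zone in order:
        action = match(zone, qname)
        if action is not None:
            return action
    return "ANSWER"
```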