Ted Lemon wrote:
Well, if that's true, Paul, then I guess DNS filter lists are totally unnecessary and you should stop working on that. Maybe you already have?
see https://dnsrpz.info/ for more details on DNS Firewalls. of course, nominum was selling something like this ten years ago, and others have also developed similar capabilities in-house. this is a published spec so as to allow an unlimited number of subscribing defenders to choose from an unlimited number of publishing suppliers using one "language".
it's possible that others who have not begun to use RDNS as a perimeter defense do not understand why some of us can't allow every app or browser or user to transmit their own dns requests to outside servers. that is, we as network operators want to prevent some lookups from succeeding, in order to keep certain known-malicious activities frozen.
you may be excluding a middle in your analysis of what i've said. if a user or app can't get the DNS service they prefer, they should either use a different network, or shut off and go count mountain butterflies. in no event should they seek a bypass to the network operator's security policy. "their network, their rules."
-- 
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
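To make the RPZ "language" referred to above concrete, here is a small evaluator for the QNAME trigger of a Response Policy Zone, the lookup a subscribing resolver performs before answering. It is an added example, not code from the thread or from any RPZ implementation; the zone name rpz.example, the record set and the simplified precedence rule are constructed assumptions.

```python
# Added example, not from the thread or any resolver: evaluate the QNAME
# trigger of a Response Policy Zone (the "language" published at dnsrpz.info).
# The zone name "rpz.example" and the records below are constructed samples.
from typing import Optional

RPZ_ZONE = "rpz.example"

# Constructed policy records as they would appear in the published zone:
# (owner name, RR type, rdata). The rdata encodes the action to apply.
SAMPLE_RPZ_RECORDS = [
    ("bad.example.com.rpz.example.",         "CNAME", "."),             # NXDOMAIN
    ("*.bad.example.com.rpz.example.",       "CNAME", "."),             # NXDOMAIN for subdomains
    ("allowed.bad.example.com.rpz.example.", "CNAME", "rpz-passthru."), # exception: answer normally
    ("tracker.example.net.rpz.example.",     "CNAME", "*."),            # NODATA
    ("sink.example.org.rpz.example.",        "CNAME", "rpz-drop."),     # drop, send no response
    ("phish.example.org.rpz.example.",       "A",     "192.0.2.1"),     # walled-garden address
]


def rpz_action(rrtype: str, rdata: str) -> str:
    """Map a policy record's rdata to the RPZ action it encodes."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP",
               "rpz-tcp-only.": "TCP-ONLY"}
    if rrtype == "CNAME" and rdata in special:
        return special[rdata]
    return f"LOCAL-DATA {rrtype} {rdata}"   # CNAME to a real name, A/AAAA, etc.


def lookup_qname_policy(qname: str, records=SAMPLE_RPZ_RECORDS,
                        zone=RPZ_ZONE) -> Optional[str]:
    """Return the action for a query name, or None when no rule matches.

    Assumed precedence (simplified from the RPZ spec): an exact owner match
    wins over any wildcard, and among wildcards the closest ancestor wins.
    A non-wildcard rule never covers subdomains, exactly as in ordinary DNS.
    """
    index = {owner.lower(): (rtype, rdata) for owner, rtype, rdata in records}
    labels = qname.rstrip(".").lower().split(".")
    suffix = f".{zone}."
    hit = index.get(".".join(labels) + suffix)
    if hit is None:
        # Walk up the ancestors: *.bad.example.com, *.example.com, *.com
        for i in range(1, len(labels)):
            hit = index.get("*." + ".".join(labels[i:]) + suffix)
            if hit is not None:
                break
    return rpz_action(*hit) if hit else None
```

The passthru record shows how an operator carves an exception out of a wildcard block without editing the upstream feed; a name below the exception still falls back to the wildcard rule.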