Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.
Society's bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world's money supply and banking system, so it is that organized e-crime now requires access to the Internet's resource allocation systems. They are using our own tools against us, while we're all competing to see which one of us can make our tools most useful.
My thinking when I created the first RBL (now called a DNSBL; mine was the MAPS RBL though and so that's how I still think of it) back in the mid/late 1990's, was that universal access between e-mail servers was a greater boon to the bad guys than to the good guys, and so I worked to create a way that cooperating good guys could make their mailers less accessible. While I didn't reach my objective of stopping spam, I did help establish the "my network, my rules" theory of limited cooperation for Internet resources. Simply put, it's up to every network owner to decide who they will or won't cooperate with, and the way to get your traffic accepted by others is to be polite and to spend some effort trying to avoid annoying folks or letting your customers annoy folks.
Here, in 2010, I've finally concluded that we have to do the same in DNS. I am just not comfortable having my own resources used against me simply because I have no way to differentiate my service levels based on my estimate of the reputation of a domain or a domain registrant. So, we at ISC have devised a technology called Response Policy Zones (DNS RPZ) that allows cooperating good guys to provide and consume reputation information about domain names. The subscribing agent in this case is a recursive DNS server, whereas in the original RBL it was an e-mail (SMTP) server. But, the basic idea is otherwise the same. If your recursive DNS server has a policy rule which forbids certain domain names from being resolvable, then they will not resolve. And, it's possible to either create and maintain these rules locally, or, import them from a reputation provider.
ISC is not in the business of identifying good domains or bad domains. We will not be publishing any reputation data. But, we do publish technical information about protocols and formats, and we do publish source code. So our role in DNS RPZ will be to define "the spec" whereby cooperating producers and consumers can exchange reputation data, and to publish a version of BIND that can subscribe to such reputation data feeds. This means we will create a market for DNS reputation but we will not participate directly in that market.
The first public announcement of DNS RPZ was at Black Hat on 29-July-2010 and then at Def Con on 30-July-2010.
The current draft of "the spec" is . No backward-incompatible changes are expected, and both reputation providers and recursive DNS vendors are encouraged to consider developing products that use this format to express DNS reputations.
The current patches for BIND9 are shown below. We expect this functionality to be part of BIND9 9.7.3 which is several months off. Customers of ISC's BIND support should contact ISC before applying these patches or any other patches to their production systems.
Comments and questions can be sent . I'd especially like to hear from content providers who want to be listed by ISC as having reputation content available in this format, and also recursive DNS vendors whose platforms can subscribe to reputation feeds in this format. An online registry will follow.
We're about to enter a bold new world where the good guys do not automatically grant the use of their DNS resources to bad guys. I don't like the need for this but I'm finally pulling my head out of the sand. So, let's party.
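The mechanism described in the post, a recursive server consulting a policy zone before it answers, sketched as an added example that is not part of the original post and is not ISC's code. The zone name `rpz.example.`, the domains and the addresses are constructed; the three record encodings (CNAME to the root for NXDOMAIN, CNAME to `*.` for NODATA, any other record as local data) are those of the RPZ format, and query type is ignored for brevity.

```python
"""Toy model of a recursive resolver consulting a Response Policy Zone.

Added illustration, not BIND code. All names and addresses are constructed.
Record encodings in the policy zone:
  owner CNAME .     -> answer NXDOMAIN
  owner CNAME *.    -> answer NODATA (NOERROR with an empty answer)
  owner A/AAAA ...  -> answer with local data (e.g. a walled-garden host)
"""

RPZ_ORIGIN = "rpz.example."  # hypothetical policy zone name

# Constructed policy zone contents, master-file style, owners relative
# to RPZ_ORIGIN. A subscriber would receive this by zone transfer from a
# reputation provider, or maintain it locally.
RPZ_ZONE_TEXT = """
; trigger                     type   rdata
botnet-c2.example.net         CNAME  .
*.botnet-c2.example.net       CNAME  .
tracker.example.org           CNAME  *.
phish.example.com             A      192.0.2.10
"""


def parse_rpz(text):
    """Parse policy records into {trigger_name: (action, data)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        owner, rtype = owner.lower().rstrip("."), rtype.upper()
        if rtype == "CNAME" and rdata == ".":
            rules[owner] = ("NXDOMAIN", None)
        elif rtype == "CNAME" and rdata == "*.":
            rules[owner] = ("NODATA", None)
        else:
            rules[owner] = ("LOCAL-DATA", (rtype, rdata))
    return rules


def policy_for(qname, rules):
    """Find the rule for qname: exact match first, then the closest
    enclosing wildcard. A wildcard does not match its own parent name."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def fake_upstream(qname):
    """Stand-in for normal recursion; returns constructed answers only."""
    table = {"www.example.com": [("A", "198.51.100.7")]}
    answers = table.get(qname.lower().rstrip("."))
    return ("NOERROR", answers) if answers else ("NXDOMAIN", [])


def resolve(qname, rules, upstream):
    """Return (rcode, answers, policy_hit).

    policy_hit tells the operator the answer was rewritten by policy, so
    it can be logged and a false positive traced back to a feed entry.
    """
    hit = policy_for(qname, rules)
    if hit is None:
        return upstream(qname) + (False,)
    action, data = hit
    if action == "NXDOMAIN":
        return ("NXDOMAIN", [], True)
    if action == "NODATA":
        return ("NOERROR", [], True)
    return ("NOERROR", [data], True)


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE_TEXT)
    for q in ("www.example.com", "botnet-c2.example.net",
              "a.b.botnet-c2.example.net", "tracker.example.org",
              "phish.example.com"):
        print(q, "->", resolve(q, rules, fake_upstream))
```

Names with no matching rule fall through to ordinary recursion unchanged, which is why the content of the subscribed feed, not the resolver, determines what stops resolving.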
I'm glad to see you've come to the same conclusion I have — that people should have control over their DNS experience. I've built OpenDNS on this core belief and the fact that 1% of the world's Internet traffic is today routed through our servers is an indication of widespread support. Pending some further analysis, OpenDNS will probably be a supporter of ingesting these feeds for our customers.
As an aside, there will never be a market for RPZ data, just as there was never a market for MAPS data. Value added companies like Postini and Barracuda emerged instead, providing what the market really wanted, which is a solution — not a technology.
you're sure? five years later, i see this:
https://dnsrpz.info/
and it looks like there are sellers, and also buyers.
https://www.farsightsecurity.com/Overview/NOD/
Five years later, a very small data intelligence market has emerged.
A sign of what's to come? I don't think so.
A sign of early adopters seeing a good technology and buying it with fattened cyber security budgets? I think so.
But if I still take a long-term view here, do I think this will continue or become a larger market? No.
>buying it with fattened cyber security budgets? I think so.
That is worth repeating.
It is also worth noting a couple of other issues. Through the New TLD program ICANN has finalized its control of the root monopoly. Splitting the root is now exponentially harder and not likely to ever happen. The fact that we now face ICANN becoming a supranational organization like the UN will only motivate more money to censor and control the masses.
I remain pessimistic, I still expect government to eventually publish RPZ files and demand, in some political way, they be implemented by internet service providers. The TPP may well be the start. In fact Drudge recently stated he has been told it's near the end for him, that "the votes" are now available to shut him down making his sort text "copyright infringement". To me RPZ has grown and sits in a perfect place to be used to implement global censorship such that "nobody is in control" of it so everyone involved escapes responsibility for the act.
This is far from over ......
Real world example of how to expect RPZ to be used:
http://www.wired.com/2012/11/russia-surveillance/
"The new system is modeled on the one that is used to block extremist and terrorist bank accounts. The Roskomnadzor (the Agency for the Supervision of Information Technology, Communications and Mass Media) gathers not only court decisions to outlaw sites or pages, but also data submitted by three government agencies: the Interior Ministry, the Federal Antidrug Agency and the Federal Service for the Supervision of Consumer Rights and Public Welfare. The Agency is in charge of compiling and updating the Register, and also of instructing the host providers to remove the URLs. If no action by the provider follows, the internet service providers (ISPs) should block access to the site in 24 hours. The host providers must also ensure they are not in breach of current law by checking their content against the database of outlawed sites and URLs published in a special password-protected online version of the Register open only to webhosters and ISPs."
True, in the above mentioned article it is suggested that Deep Packet Inspection is used to implement the filtering. It would be "interesting" to obtain the current domain list and then query various Russian DNS servers to see if they return the expected responses ... In other words see if RPZ is currently part of their tool set.
Additionally:
"Our elections, especially the presidential election and the situation in the preceding period, revealed the potential of the blogosphere.” Smirnov stated that it was essential to develop ways of reacting adequately to the use of such technologies and confessed openly that “this has not yet happened.”
The solution appears to have been found in the summer, when the State Duma approved the amendments, effectively raising the internet-filtering system to a nationwide level, thanks to DPI technologies.
Maybe because government officials had, for so many years, claimed that Russia could not adopt the Chinese and Central Asian approach to internet censorship, the solution took the national media, the expert community and the opposition completely by surprise."
The above years old article comes from researching this current article:
http://www.telegraph.co.uk/news/worldnews/europe/russia//Russia-tried-to-cut-off-World-Wide-Web.html
This is an interesting proposal, but I was disappointed to see "speculators" tarred with the same brush as "scammers, spammers, [and] e-criminals." Registering a descriptive domain name, putting advertisements on a parked page, and hoping to make money on ad revenue or a domain sale isn't a malicious use of the DNS.
Blocking Spammers and purported criminals by subverting user intent is a road to hell - not necessarily paved with good intentions. Navigation gamesmanship destroys the value of domain names, ICANN, all registries and the DNS because it destroys the reason for owning names: Traffic and hope for future traffic.
Those who would consider such concepts have not thought through the ramifications of their wishes, or what would happen if everyone did the same as they did. Placing power in the hands of hollow platforms, which simply wheedle or game their way to the top of the navigation hierarchy removes uniformity from the global browsing experience, denigrates the utility of the Web and adds credence to those advocating the splitting of the root.
As an individual with Internet access, I have only encountered David Ulevitch owned OpenDNS pages when I try to type the domain names of my colleagues (to confirm who owns them) and then unwillingly been redirected to OpenDNS parked pages which have been inserted in lieu of the parked page provider I was actually looking for. It's a “classic” damming of the river upstream where the hotel or ISP I am viewing a website through, has contracted with OpenDNS to subvert the browsing experience, because it is economically expedient and seemingly consequence free to do so. No better than Gator's virtual Wallet back in 2001. One advertisement subverted for another where that advertising revenue is shared with the ISP and OpenDNS or another subvertor.
The end-game of such gamesmanship at the DNS level should be plain for anyone with a shred of intelligence to see. The land title office claiming, why don’t we just insert “our” name on the vacant property address…
Advertising replaced by other advertising held out to be the correction of an error. An undesirable form of commentary held out as a crime. It is the final slippery slope that will destroy the usefulness of the DNS and the internet you want for your children.
As the owner of many thousands of meaningful domain names which people request via browser type-in, I may not be loved by the DNS community for displaying advertising on my sites. I and those like me are frequently vilified by those who did not economically participate in the great domain boom and latecomers are constantly trying to rewrite the “errors” that allowed speculators to profit on domain names. The important thing to note is that the sites in question “belong” to the name owner. It’s THEIR site. They bought their way to the table when they bought the domain name which people request. I own many bad names which get no traffic and no company which steals my traffic helps me pay the renewal/ICANN fees on those. I reserve the right as the owner of the destination people seek, to display the content I chose - and I live with the legal, economic and ethical consequences of my decision when I stand as the registrant of the name.
Inserting yourself arbitrarily between a consumer who requests a site and the owner of that site because you woke up one morning and felt like you were helping the navigator (or hurting a site owner you arbitrarily labeled as malicious) makes you the bad guy. It is not your decision to make. You are killing with kindness. When you re-characterize the human behavior of requesting a particular site as an “error” because it is economically useful for you, it makes you the criminal.
If nanny state concepts like these take hold it ultimately strengthens Google, Facebook, Twitter and other platforms. It weakens all domain names, all new tlds, positive disruptive DNS related technology, registrar businesses, ICANN and global CC TLD registries.
The very system we enjoy today, the profits at registries and cash flow-stream which fuels all ICANN matters, root Servers, working groups, constituencies, legal-fees comes from the registrants of domain names (big and small). For that registration base to thrive we need freedom of Navigation, we need to reinforce that navigation will be authoritative and experiences will be uniform.
Parasitic intermediaries, which would inject themselves are the undoing of the root.
When I look at the last 20 years of the Web - the Microsoft, G it is Google who has done more 'evil' than Microsoft. It would have been easy for them to do so, but Microsoft has not stopped or shaped users navigating to domain names through its browser. It is Google who has, via its toolbar, browser and exclusive search-index. The true evil is re-characterizing your evil as good. Google could not have become what it has without the kindness of Microsoft and had Microsoft played dirty, Google would have never been what it is.
Correction and blocking concepts such as these, rhyme with such evil. Calling yourself a good guy by subverting human intent is just evil.
I have long felt that the greatest threat to the Domain Name Industry, domain names, registries and ICANN are those who would renegotiate the browsing standards. I have learned that freedom on the Internet is provided by freedom of navigation.
Cheering half-baked concepts such as these to a tipping point where everybody is subverting any experience they don’t like will make the modern Internet which gave us the luxury of sitting on our high-horse to criticize it, look like a twisted upside-down Planet of The Apes. Only Less talking monkeys and more big-corporation, Big-brother structure.
Paul was talking about malicious domains, not parked websites. And he wasn't equating the quality of new domains, in that first sentence, just the source of new domain names.
It's easy to get off on a tangent here and get excited about parked domains and OpenDNS' implementation(s), but that's not the driving reason for ISC's work here. They're looking to provide a hook into BIND so that responding behavior can be controlled based on feeds. There will be a variety of feeds likely created — one for sites that are hosting malware, another for sites that host various vices, another for new domains registered with eNom, etc.
The desire to insert hooks and control levers into BIND really raises an eyebrow. The beginning of the end, never looks obvious at the time. You have to think about what continued precedents such as these amount to, and what happens to the broader Web if everyone operating a root-server gets creative with this. Your children's Internet will not be as free as the one which brought you and I prosperity.
The person who is going to rely on the names decides who they choose to advise them on which are malicious and which are not.
Having ICANN do this for everyone would be very bad. Everyone choosing a filtering service of their choice is a totally different issue. People may not want Vixie to be doing this for them either, maybe they choose another company.
Google already filters out malware sites from its search service. As the person who cleans up the computers in the house, I don't want the kids connecting to those sites in the first place. A filtering service may not stop 100% of the compromises, but if it reduces the number of infections from 5/year to one it means I spend 1/5th the amount of time on cleanup.
Few people know that they can change their DNS, even fewer know how.
For years some ISPs have been capturing all port 53 queries and forcing them into their DNS server. Those customers have no choice even if they do know how to change their DNS settings.
This “feature” is now in BIND with 85% market share of DNS server software globally.
www.isc.org/community/blog/201005/dnsbind-canards-redux
Is it reasonable to believe this feature will eventually be disabled by default? I think not.
I don't see how this decreases choice. An ISP could provide two flavors of DNS, one that's filtered, one that's not.
Most consumers don't care — they just want to surf the Internet. If an ISP can keep their customers malware-free then it's good for both parties. If an ISP already captures all port 53 traffic then the subscriber is already "stuck". But they can choose another ISP.
“One man's trash is another man's treasure.”
It is simply not reasonable to assume this system will err on the side of fewer dezonings, versus be overly broad in removing sites from the internet. Those that are involved effectively get a proxy vote from those not involved. You assume the few represent the masses, they do not.
The person visiting the site was not the one that voted
As far as what ISPs could do, that has no relationship to what they will do. It also has no relationship to what is legally possible when someone else makes the choice “at arms length”.
The concept of Network Neutrality is simple: all packets treated the same. Freedom and choice are lost when we allow 3rd parties we have no association with to step in and decide which packets we can and can’t see.
There is no particular reason that DNS has to be run over port 53.
One (legitimate) reason that some ISPs intercept DNS queries is that it is a way to stop DDoS attacks slamming the root or .com or whatever.
I have Comcast, and I only use the Google DNS on my machines.
There is no particular reason that DNS has to be run over port 53.
Uhm, if I want to serve my customers I had better have my DNS server listening on port 53.
Or are you saying that if someone wanted to work around it, they could? If so, I follow what you're saying.
I am struck by this implication. Google, perhaps the largest monopoly that ever came into being besides Ma Bell (and Ma never told us who we could and couldn't dial), is your preferred choice for Open DNS over Comcast? Okay, I understand that Comcast wanted to meter your speeds at one point and still does, but what do you think Google wants? Open-ness?
No, I say Google laid out the plan already, and this whole change to bind is just feeding into it.
1) Call for Open-DNS
2) Change DNS to self
Yes, I was pointing to the fact that people can work round port 53 blocking.
The difference between Ma Bell and Google is accountability. Google has huge market share but so did Yahoo before Google came along. The only way that Google can keep that share is if they are constantly worried that they might lose it.
Google understands that fact, Facebook does not.
Which people will work around port 53? The 99.9999% that have no clue what we are talking about? A DNS fingerprint is more than obvious, port agnostic filtering will result.
None of this has anything to do with techs.
In the extreme this has to do with the likes of say a single working mom trying to transition to the information economy and doing so. A person with a lot to say and a lot of people wanting to listen ... And an empowered few able to shut her up forever.
We the people that understand the technology need to protect those that do not understand and are never likely to be able to protect themselves. And some day each one of us is going to need that help, with proposals like that I fear that time might be sooner than I’d ever thought possible!
this post starts with a bold assertion:
"Most new domain names are malicious."
and the whole remainder of the post, and launch of this idea, is based on that statement. is it true?
this is quite inconsistent with our view of the data. we have a reasonable, and certainly statistically significant set of data. I am very interested in whether i) other registrars have a fundamentally different registration experience than we do, or ii) the statement is hyperbole.
I would love a deeper dive into the data, whether here or offline.
and @frank bulk, the author brought frank s in with this comment:
"Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and SPECULATORS (emphasis added)."
again, I wonder if that was a turn of a phrase or a thought out statement. if thought out, then there are real problems with this approach.
"I am stunned by the simplicity and truth of that observation."
I am stunned by the lack of supporting data.
DNS cannot serve every purpose for everyone.
The ICANN DNS is based on the principle of making access as easy and as cheap as possible. There are no checks made when someone registers a domain name today and it is implausible to expect that they can be established in the future.
There are many benefits to open-ness. But there are also disadvantages. The fact that someone wants to talk to me does not mean that I want to listen or that I have an obligation to try. It is entirely reasonable for individuals to choose to move to a smaller Internet of their own choice.
What is not reasonable is to expect (or for that matter allow) ICANN to do that job.
Internet crime is a consequence of an accountability-free approach to Internet architecture. Nobody sent spam when the consequence of doing so was being kicked off the computer system that was necessary for access. Spam only appeared when accountability-free Internet access started to emerge.
You don't need the same degree of accountability for every purpose however. If I am browsing a Web site I probably don't need a very high degree of accountability, unless that Web site wants to use javascript which is code that is going to run on my computer in which case the degree of accountability is a little higher, if they want me to buy something from them or run their software, the degree of accountability required becomes much higher, I want criminal sanctions in case of default.
And we are going to need even more accountability still if we are ever going to get to the 'deep e-commerce' that we all thought was round the corner in 2000, but kind of died with the dotcom bust and 9/11 and everything.
Paul's suggestion is a positive one in my view. But I think to make it really work we have to be willing to adjust the DNS specs to suit. Using TSIG is OK, but I would like to have a more practical set up scheme than shared keys.
In the original Internet architecture, IP and packets were primary and the DNS was an afterthought. The architecture that has evolved makes DNS primary and the packets are just a means to an end. The DNS is the one part of the architecture that we can expect to be around in 200 years time. The packet layer will almost certainly be different, the DNS protocol itself will probably have been replaced a couple of times. But the DNS system will have survived.
At the moment the Internet has two identity infrastructures, DNS and PKI. The DNS is open registration, the PKI has tiered access. Domain Validated certificates can be obtained with minimal validation, but EV certificates require a demonstration of accountability. What we really need is a single system and the way to do that is to work out how we can leverage both existing infrastructures to build the infrastructure we need.
[Removed as per CircleID Codes of Conduct]
What a brilliant idea, create a procedure that eventually leads to established registries charging for DNS entries (Domain Names) with no guarantee they will be published.
Paul is not writing about the publishing of DNS entries, just that certain (non-authoritative) DNS servers may not query or provide a different response for certain hosts in the RPZ.
This is not so different than e-mail. Just because someone sets up an e-mail server doesn't mean I need to accept e-mail from them. My customers thank me all the time that I block 90% plus of spam. They will do the same if I prevent them from inadvertently going to malicious sites or break the ability of a bot on their PC to retrieve instructions.
That is where the will lead, deeper and deeper down the DNS "stack".
And if most all the largest ISPs dezone, for all intents and purposes the domain is not published. That will eventually be the excuse to move the ban to the registry entry. And what reasonable person will conclude ISPs will not "share" data?
As for email we choose our spam filters. We have no choice regarding the zone record "votes" others will make for our domains and those of our customers. The two are not comparable.
This "electronic democracy" is two wolves and a sheep deciding what is for dinner.
Sure, if a domain is being used to control a botnet then most selective DNS providers are going to block it. That is what they are being asked to do by their subscribers. Is that meant to be a 'bad thing' somehow?
What I don't think very likely is that this is going to allow China or Iran or the Moral Majority or any other group to extend their control over the Internet any more than has happened already.
A legal chain is formed in your example. You blocked "my" site, and "I'm" not likely to entertain a transparent review of what "I" did to cause you to implement that filter. "I" will not win and you'll likely come after "me" for damages.
DNS RPZ has ZERO accountability.
THOSE ADDING RECORDS TO THE TABLE ARE NOT ACCOUNTABLE TO THOSE AFFECTED BY THOSE ENTRIES.
THOSE AFFECTED BY THE ENTRIES HAVE NO VOTE.
And the danger of being that pointed is having those most creative wrap logical fallacies around the basic spec to make it appear those issues can and will be addressed. They can't.
“Censorship ends in logical completeness when nobody is allowed to read any books except the books that nobody reads.”
- George Bernard Shaw
The same was true of the MAPS spam blacklist at first. Then this became very clear with blacklists falling over themselves to be as unaccountable as possible. Eventually the consequences of having no accountability became clear and sensible ISPs dropped the blacklists causing the trouble.
If I decide that I don't like your Internet traffic, I don't have to accept it. That's tough for you. You don't get a vote in my decision on which traffic to accept and you never will. Deal with it.
Because at the end of the day, if people want this type of Internet service they are going to get it. Nobody needs to ask your permission or anyone else's to deploy this. Just as nobody needed to ask permission to start filtering their email, they don't have to ask permission to filter their Web.
We have had content filtering services aimed at excluding pornography and certain political content for over a decade. The world has not come to an end. All that is likely to happen here is applying the same idea to excluding a different set of sites where the problem is malware.
You use the word "service" as if to suggest it is optional.
It's not, and that is the issue as you say here:
>If I decide that I don't like your Internet traffic,
>I don't have to accept it. That's tough for you. You
>don't get a vote in my decision on which traffic to
>accept and you never will. Deal with it.
Exactly. And that works both ways.
Thus the title of my original post:
DNS RPZ = Empowering Electronic Balkanization
If malware really is the issue you wish to address then rather than carving up navigation, demand ICANN end privacy Whois. Simple and to the point.
There already exists the ability to delete a domain for bad whois, but with privacy whois that can’t be done. So let's cut to the heart of the matter and hold the registrant responsible, not some electronic manifestation of them. Further, demand centralization of the COM/NET whois harmonizing them with the other gTLDs. Then, since the registries must store all domain update transactions, require ALL registries to implement a WhoWas function based on those stored records and for a fee say not more than $10 per query. As DomainTools has shown, the profits here would be very large for the registries and they already have the data (except Verisign). Since the registry is the authority the WhoIs and WhoWas provided is authoritative. DomainTools is not authoritative and filled with bad data. Such a Registry level WhoWas service will provide a decent audit trail for such behavior of individuals.
real solution to hold the guilty accountable without creating collateral damage and other liabilities for unrelated people, organizations, and their domains. But no, it’s not particularly sexy nor easy to tamper with.
Better identification won't fully resolve the problem — I wish it was. There's lots of spammers and bad websites where the owner and ISP won't/can't do anything about it. And getting ICANN to enforce even the policies it has on the books is not realistic.
RPZ gives the DNS server admin a level of control and responsiveness that they didn't have before.
Agreed, nothing is perfect, to me it's just better to catch fewer than unfairly harm honest folks.
As for enforcement, as I've stated below, Afilias implemented a pretty serious policy on these matters. For some reason people think of ICANN and don't think of talking to the registries. Not to mention the registrars where the TOS will likely give them the ability to do whatever they want.
>RPZ gives the DNS server admin a level of control
>and responsiveness that they didn't have before.
Absolute power corrupts ...
Look, I'm all for making such a thankless job easier. Which is why the more pain you can focus squarely on the bad guys the more control you will REALLY have!
I don't plan to wait on ICANN for anything.
There are really good reasons why ICANN cannot and will not do anything to 'fix' whois. It is only actually in charge of some of the DNS for a start. Last I saw, Nominet still does not acknowledge ICANN as having any authority over it whatsoever (they exchanged letters, so what). And I would expect the same to be true of the other European CC TLDs.
There is no way that ICANN can force the EU registries to breach their understanding of EU privacy requirements. Nor is it going to push on the registrars for the same reason.
And even if this was a possibility, the accountability would be that the registrant's WHOIS data would be published. Which might enable a cancellation of the registration eventually if found to be fake but otherwise would have no consequences whatsoever since much of the Internet crime is being committed with government protection from prosecution.
Compare and contrast the non-accountability of that procedure and the months long delays it would entail with the fact that a selective DNS can disable malicious zones in seconds. If a domain is being used for botnet control, fast flux phishing or malware distribution, shut them down until they clean up their act. If a selective DNS provider is being abusive, then make the fact public and people can decide if they want to change.
>There are really good reasons why ICANN cannot
>and will not do anything to 'fix' whois. It is
>only actually in charge of some of the DNS for a start.
That’s not how our contracts read.
Nor the ICANN emails when someone complains about a whois record.
Nor the ICANN required whois data escrow deposits.
>And I would expect the same to be true of the other European CC TLDs.
Yes, I'm aware that ICANN failed to get as many ccTLDs to sign redelegation contracts as it wanted. So the issue of ccTLDs is more difficult.
One registry showing a profit from a WhoWas service strikes me as creating more of a ripple than you might think. As you say (next) that does not necessarily give you the legal teeth to do anything, but nobody is hiding (similar to your selective DNS provider misuse comment).
I also see lots of problems far beyond the ones specified that would be solved with an end to privacy whois.
>but otherwise would have no consequences whatsoever since
>much of the Internet crime is being committed with
>government protection from prosecution.
Understood
>Compare and contrast the non-accountability of that
>procedure and the months long delays it would entail
>with the fact that a selective DNS can disable
>malicious zones in seconds.
What I read about registries rarely seems to reconcile with my personal experiences. Registries take their "brand" pretty seriously and never seem happy about misuse of their domains (broad statement since I don't know them all). In fact if memory serves Afilias for example has stated fast flux is forbidden without first obtaining permission.
Yes, it only takes one bad registry in the root to cause a mess.
Circling back to the government issues, it still seems that we're back to the domain being given more value than the registrant places on it. It will be replaced very quickly (domain fast flux if you will). And the issue of false selective DNS triggers remains. I foresee some real wars in this regard.
Losing email is one thing (queuing) but lost sales etc of a down website is incomprehensible to me. You'll have IT teams running around with no clue why their customers have no access. You have registrants calling hosting companies getting billed for the calls and the hosting companies scratching their heads while the meter runs. The business owner will be totally powerless and losing money. The smaller they are the more devastating this will be. And it’s worth the reminder that they might have had their server taken over. This will easily destroy small businesses if affected.
Large business are not going to have a great time either, but they will likely isolate the problem quickly and sterilize the problem just as quickly.
Abuse and exploits are admittedly my biggest fear. Some kind of spoof attack to sucker the system into deleting a specifically targeted zones for example.
As for email we choose our spam filters. We have no choice regarding the zone record "votes" others will make for our domains and those of our customers. The two are not comparable.
Some subscribers may operate their own locally-run spam filters, but most have their e-mail filtered by their ISP or freemail provider. So most really don't choose their own spam filter.
The analogy in DNS is not that the customer is not able to control who can "vote" on their zone record, it's that most subscribers can't control how their ISP responds to their DNS requests.
The point I'm trying to make is that the zone record holder is equivalent to the operator of an e-mail server. Just like the e-mail operator can't enforce that everyone receives the e-mail they send, zone record holders won't be able to enforce that everyone gets their zone records. In the matter of e-mail subscribers have said they're OK with not receiving spam, and in the matter of DNS, I'm sure subscribers will say they don't want to get served zone records for those related to malware, etc.
>So most really don't choose their own spam filter.
For personal users I generally agree.
For business this would not be the case at all. Email hosting and spam filtering would both be selected, perhaps from the same provider perhaps not.
>The point I'm trying to make is that the zone record holder
>is equivalent to the operator of an e-mail server.
No argument from me, except the usefulness of that relationship and the problems that assumption causes.
Every time a registry tries to pump its reg count, or a registrar does, with some discounting program who regs most of the domains? Spammers, malware, etc, all the folks stated as the targets (speculators are generally excluded here). Look at the first Afilias .INFO promotion, the problem was so bad there was a massive industry wide “filter bias” on the .INFO TLD itself, in spam filters and the search engines! In general Afilias did enjoy some stickiness of regs but the total damage from spammers and malware was huge. In fact Afilias implemented a rather heavy handed policy regarding its ability to delete such domains in the future ... We’ve seen this enough times for the details to be clear.
Simply put, the “bad guys” do not give a damn about a unique domain name.
So while your juiced up servers go to war tracking these people down they will query your servers (or have a parallel setup to monitor your ban lists), see they were detected, and move on to the next domain name and free hosting account ALL BEING DONE BY AUTOMATION. They keep making money and you keep wasting time money and effort chasing after them. But there are lots of pretty flashing lights in the mean time, a never ending game of Whack-A-Mole. But you feel like you are doing something as DNS RPZ helps you chase them.
The bad guys place no value in their domain names, none. That is why the DNS/Email relationship is meaningless for the intended application.
For those poor people that have their servers hijacked, you’ll get them, and how do they have themselves removed from the ban list after you’ve shut down their business?
Your point about .info matches my (little) understanding of the events that transpired.
It's true that the "bad guys" will likely cycle through more domains more quickly, but I see DNS RPZ as one tool in the toolchest, and I don't think anyone is suggesting it's a silver bullet.
"Poor" people who have their server hijacked will need to do a better job of securing it. Just like an e-mail server that winds up on a DNSBL because someone is relaying e-mail through it, they'll need to best to remove the malicious content and request a delisting.
I'm not following what you're saying. AFAIK, Google does not use BIND for their own DNS services.
But Google does use their own DNS for putting ads on pages that don't resolve (the eventual end of all things Google). Is this what in the end all unplusgood DNS RPZs will resolve to? More ads more spam and more ISPs earning from non-resolution?
That is precisely the problem. We are creating an incentive for sites NOT to resolve.
And never be able to know why, who did it.
Google's DNS does not return a page with ad when pages don't resolve. Their DNS was a response, in part, to Comcast trying to turn such ad pages into an RFC.
Moreover, I'd be happy to have a DNS service that didn't resolve spammers, malicious pages and even content-less pages from speculators and domainers.
The latter add nothing of value to the internet community, even if they do create value for the speculators. Instead, they fill the net with useless pages and create an artificial scarcity in domain names. Having a DNS service that helps drive the economic incentive out of parked pages sounds great to me — so long as it's a service I get to choose, a la OpenDNS.
Google's DNS does not return a page with ad when pages don't resolve
Not yet. What do you think they want one day? Peace joy and love? Or money?
so long as it's a service I get to choose
RPZ DNS offers no choices
Google's likely to decide that simply faster DNS, getting people to more pages faster, is more in their interest than crappy ads on pages that don't resolve. Luckily for the greater internet community, this puts their interests and Google's in line.
If and when, Google starts to follow the low-grade economic model of domainers and ISPs like Comcast, I'll find another DNS provider.
And the same with RPZ DNS, I can choose whether to use it or not.
All I'm hearing here is a bunch of whining from domainers that their bottom-feeder economic model is in peril from a DNS that actually serves people and which would be totally voluntary.
Parked pages are parasites that found an ecological niche thanks to a very open internet policy. Finding a way to squeeze them out without restricting anyone's ability to buy a domain name sounds ideal to me.
And the same with RPZ DNS, I can choose whether to use it or not.
Actually, you can't. Did you like when you could only choose Microsoft Internet Explorer 4 or Microsoft Internet Explorer 5?
All I'm hearing here is a bunch of whining from domainers that their bottom-feeder economic
I suspected you were flamebait, but thanks for proving it. You may now go forth and propagate with others of your ilk.
And thanks for proving that when you are called out for FUD — that Google DNS shows ad — that you'll avoid the substantive questions.
I suspected you were just another bottom-feeding domainer who refuses to acknowledge there's a damn good reason for DNS services for people who have no use for parked domains and artificial domain name shortage. Thanks for proving it. You may continue to go forth and propagate the net with your crappy pages — whining about the idea of creatively using DNS to make the net better, instead of actually building something people want.
I'm curious what will replace the parked page that will make your experience better/faster/safer ?
"I’ve no doubt you’ll make the main stream media your friend"
- Charles Christopher
The use of Google's DNS is optional. If Google used RPZ for their own financial advantage through ad-filled pages, Google DNS users could choose another DNS server.
The advertisers placing advertisements on those parking pages might have a different opinion as you just deleted a large amount of advertising space. Some of it likely being their most profitable insertions. Google would not care as their auction system will price the available inventory upwards for the scarcity you just created for them.
ISPs would also love you for getting rid of the “speculators” as that frees up more domains for them to offer up via wildcarding. The more typeins you can force into a deleted state the better. In other words the “uselessness” of speculators parking pages gets transferred and monetized to the ISP, and likely they will eventually register those domains since they are uniquely positioned with DNS logs that can be mined for keywords. If such pages are so useless one should ponder why so many people obtain such profits from those DNS entries (AKA domain name), if they exist, and even if they do not. But of course we’re not likely to hear much debate about ISP wildcarding, that’s ok. And it’s also ok for Browsers to intercept the dezoned domains so the browser author can monetize the error traffic you just created.
So much uselessness, and so much effort to be part of it. Wonder, wonder, wonder ....
As for “selfish speculators”, yeah, I ignorantly thought that too once upon a time. Then I watched as registry after registry uses them as their UNPAID MARKETING FORCE for their domains and thus directly driving interest in New TLDs as they deploy. One need only look in the main stream media for the countless opportunities that registries have promoted a high dollar sale of one of their domains in order to pump interest. And often times an evil speculators gave the registry that opportunity to promote itself. The domain arbitrage opportunity very efficiently converts to a motivated sales force that has to pay renewals fees each year to cover costs of domain they can’t be monetized.
Through the years registries have happily given up that arbitrage opportunity to speculators to promote their domain space for the registry. Of course after years of watching them do it, registries now reserve domains and auction others both at launch and afterwards, now they know how to duplicate the promotion and get the auction rev themselves. Of course only speculators have the understanding to properly price the domains at the landrush auction and everybody scratches their head over the prices and calls the speculators nuts (speculators seeming incapable of ever doing anything right) ... But registries are never evil for doing this, the speculators are considered stupid for paying so much, then they get criticized for building a business they expect to profit from when someone approaches them for one of their domains.
Everybody wants everything for free and gets mad at others when they demonstrate the gonads to accept risk and successfully turn that risk into profit..
Same old ignorance, different decade. I’m sure we all expected it.
Now let's get back to DNS RPZ, and how it will affect those that will never be able to protect themselves from it.
>This means we will create a market for DNS reputation
That says it all. The goal here is to use BIND to legitimize this specification and do what they can to fully deploy into ALL DNS SERVERS. There is no other reasonable inference of that quote, none.
As to others following their lead, I'd rather avoid it from the start.
How do you see Network Neutrality interacting with established ISP practices of spam filtering and selective port filtering?
I understand your concern that an ISP who uses the DRZ functionality in BIND would be providing a selective experience of which the subscriber may or may not be aware of, but that doesn't interact well with the fact that ISPs (typically) do their best to provide a good and safe Internet browsing experience for their customers.
If as an ISP operator (I do that in my $DAYJOB) I can prevent most of my customers from visiting most $BAD sites that will infect their PCs for a minimal cost on my part, lowering my helpdesk support costs and reducing customer frustration and cost, how is that bad for either party?
I've neglected to mention that the ISP should be disclosing that they're doing DNS filtering. Customers know we do that with their e-mail and I readily tell them if they ask why port 445 doesn't work across the internet.
>spam filtering and selective port filtering?
That is why I no longer use an ISP email account and fortunately there are plenty of options.
Port filtering, such as my previous ISP intentionally killing my Vonage service, bothers me greatly. Fortunately I had another ISP available and up until recently I've seen zero filtering of any kind by them. Yes this is a huge problem especially when the ISP does it to kill competing services like VOIP and video on demand in order to force the customer back to their paid services.
But that is very different, as I said we have no choice regarding DNS RPZ directly or indirectly.
DNS is the foundation of the internet and DNS RPZ is going to empower unrelated 3rd parties to make decisions for the rest of us, without our vote. Just as with email these lists will be shared. I just received a call from a friend that his email has been banned by a local company. He runs a promotional business, never spams, he only sends emails to a large list of customers that he’s built over many decades. What happens if someone decides to dezone his domain name? It’s bad enough to lose revenues due to his email not meeting some arbitrary metric, but killing his website does nothing but see if he has the time and bank account to try to get the entry returned before he’s bankrupted. That power of DNS RPZ will be more than obvious to those with power and resources as well.
If someone pays you to delete someone else’s site from your network there will be legal recourse if caught, or doing it without a solid legal reason. There will be no practical recourse for DNS RPZ. Taking this to a limit I can see bored smart people no longer hacking websites but getting together to see if they can get ebay or Google into the DNS RPZ tables. If DNS RPZ implements an exception table of any kind then admission of its foundational flaws are made, but not before permanent damage is done likely forever and is impossible to reverse.
Furthermore, when an ISP implements filtering that information gets out into the market place and people can use their money to reward or punish that ISP. Assuming a non filtering ISP is available. To this day the filtering by my former ISP is costing them money, due to my encouraging others never to use them and when they don’t listen and find out I was right I encourage them to tell others. With DNS RPZ there will only be some mysterious consciousness out in the ether, which is totally unaccountable to anybody! This should be obvious to all.
This is the latest in technology seduction, one destined to leave a very bad mark.
Losing email is one thing (queuing) but lost sales etc of a down website is incomprehensible to me. You'll have IT teams running around with no clue why their customers have no access. You have registrants calling hosting companies getting billed for the calls and the hosting companies scratching their heads while the meter runs. The business owner will be totally powerless and losing money. The smaller they are the more devastating this will be. And it’s worth the reminder that they might have had their server taken over. This will easily destroy small businesses if affected.
Large business are not going to have a great time either, but they will likely isolate the problem quickly and sterilize the problem just as quickly.
Abuse and exploits are admittedly my biggest fear. Some kind of spoof attack to sucker the system into deleting a specifically targeted zones for example.
With a DNS RPZ the website wouldn't be down, it would just be inaccessible by those using a DNS server using an RPZ feed that marks that site as undesirable. Not unlike outgoing e-mail servers which sometimes (accidentally) get on a blacklist, that may happen with a zone. No doubt that there's risk with implementing an RPZ, but the painful reality of botnets and malware have brought us (well, at least the ISC) to this point.
>down / inaccessible
I think that's unfair hair splitting.
To the world that can't access the server, the website is "down". To the small business that knows little about IT, the website is "down".
Made worse by the fact that all the internal known administrative points have NOTHING to do with why the site is "down" or "inaccessible". This is a debug nightmare.
Look, nobody should be creating or centralizing (functionally or procedurally) an "Internet Off Switch".
If you build an internet off switch to go to war with the attackers the attackers do what?
The attackers attack the switch.
It's what they do, it's their nature. We can all easily intuit how this is going to play out.
Is ISC willing to go on record and say that is impossible?
The attackers attack the switch.
The history of DNSBLs suggests that this is true, but in the opposite sense to what you mean. You mean to suggest that the attackers will try to use the "off switch" to cause widespread denial of service. DNSBLs like Spamhaus have come under attack with some frequency and severity over the years, but the intention was to disrupt the filter so as to facilitate spam. This has been true whether the attack was network-based or law-based. It's relatively easy (in theory) t relatively hard to impersonate it or subvert it so as to effect a broader DoS attack on the email service generally.
I lack detailed knowledge of this new mechanism at the moment, but my initial expectation is that future attacks on it (if any) are likely to be analogous to these past attacks on DNSBLs.
There's no "internet off switch" and this new DNS RPZ functionality is not that. There's lots of DNS server vendors and they're not implemented uniformly. And there's likely to be several DNS RPZ feeds.
Your concerns are overstated.
Yes there is. The controller of the DNS server with 85% market (the purpose of this thread) share said this in the above:
>This means we will create a market for DNS reputation [...]
Last I knew, most called 85% a "monopoly".
85% seems high, and I'm not sure how ISC counts it.
But even if that's the case, the ability to use DNS RPZ does not mean that everyone will implement it, and people are free to use other DNS servers like PowerDNS, Nominum, etc.
If a Web site is valuable, then perhaps there is an onus on the Web site provider to help distinguish their legitimate content from malicious copies.
That is precisely the problem we set out to address with Extended Validation certificates. An EV cert provides a quantifiable indication of accountability and accountability is a pretty good predictor for trustworthiness.
There is a well defined procedure and a competitive market for EV cert provision.
Of course an EV cert is not going to guarantee that people want your content. But they have the right to refuse to deal with you. Just as many banks have now ceased to provide any banking services to Nigeria as a result of the number of scams coming from that country and the complicity of the government in the scams.
Of course the filtering services must also be accountable. I really did not like Vixie's refusal to be accountable for his MAPS activities. But the market sorted itself out fairly quickly. Nobody uses raw blacklists as the sole blocking criteria any more. There are feedback loops and blacklists that have false positives have their merit scores rapidly downgraded.
Most small business rely on others for all this and that their server will be secure.
They simply are incapable of handling this issue.
There are more than enough public reports of the largest websites in the world being successfully attacked and manipulated. As I said the large corporations will know what happened, no doubt they will subscribe the DNS RPZ monitoring services that spring up. So with the largest corporations having their server successfully hacked are we assume that small business with no IT staff are more competent? Not likely.
This is going to turn into a mess, and with no legal recourse when it happens. There is no accountability of those building the lists.
No more a mess than e-mail. And there shouldn't be any legal recourse. You're forgetting the principle "my network, my rules, your network, your rules". The ISP operating the recursive DNS server for their customers is electing to use a certain RPZ feed and those who are generating the RPZ feed aren't forcing anyone to use it.
That small business, when they can't visit microsoft.com and ask their ISP for help. Their ISP will let them know what happened and stop using that RPZ feed or put in safeguards (aka whitelists) for certain domains. Remember, the ISPs have an incentive to keep their false positives low, otherwise there's no net benefit.
Also, those who generate the RPZ feeds will also mature and have safeguards in place for sites like google.com and microsoft.com.
>And there shouldn't be any legal recourse.
I can't top that statement.
It's not a debug nightmare. They can contact the website holder to find out what the problem is, they can contact their ISP, they can attempt to manually resolve the DNS record, or they can check the DNS RPZ feeds. There's probably more things I haven't thought of.
More likely is they'll move on to the next website, unless that website belongs to a partner/vendor/supplier.
You reverse what I said.
I said the "website holder", a small business with no IT staff, was told their website is down by a customer or peer. No call they make will likely be to anybody involved or empowered. In the mean time their business is shut down, their livelihood threatened. The posts I keep reading for this case is that website holder is intentionally doing something wrong, the posts also refuse to acknowledge the dependency that website holder has on their service provider and how others might exploit DNS RPZ to attack a competitor.
In each case you folks demand the website holder accept accountability for your rules (which I don't even see defined, as you'd incur legal consequences if you CLEARLY did), while refusing to believe you should have any when shutting them down. What a deal!
THAT is a debug nightmare since someone totally outside their policies, procedures, and expectations, was empowered to shut down their site to large portions of the internet.
I think that's more than clear.
My apologies if I haven't been clear. I definitely had the "website holder" in mind when I wrote my response.
I see what you mean by lack of empowerment — if customer A can't access company B's website, company B likely won't get very far with customer A's ISP. That said, there are umpteen DNSBLs today and e-mail still flows. There are occasional false positives, but they get worked out.
Why would customer A's ISP have legal consequences for using a DNS RPZ feed?
If "large portions of the internet" refers to sites hosting malware, then I'm OK with that.
But I think you're concerned that a sizable percentage of good sites will be inaccessible to a large portion of the Internet, and if that's the case, I think you're overly concerned.
>I think you're overly concerned.
Let's hope you are right, and that I am wrong.
However, from where I'm standing, I see far too many changes taking place that support my concerns.
"Most new domain names are malicious."
No surprise there. By July 1996, the entire .net TLD was a "sewer".
I can't imagine what it has become since then, but I'm puzzled as to why the stock footage business at footage.net is your poster child for abuse.
Newsgroups: comp.protocols.tcp-ip.domains
From: vi...@vix.com (Paul A Vixie)
Subject: Re: .com versus .net
> I am wondering what is the the real difference between a .com domain and a
> .net domain if you are registering for a commercial organization???
Generally this depends on your mood. If you happen to feel like being under
the "NET." top level domain, then you definitely ought to indulge yourself.
While once reserved for Network Infrastructure purposes, "NET." has become
quite a sewer. FOOTAGE.NET is my poster child for this kind of childishness,
but there are quite a few others which have nothing to do with infrastructure:
APPLETON-BUSINESS.NET
HOUSTON-BUSINESS.NET
ALBANY-MARKETPLACE.NET
FAMILY.NET
CATALINA-INTER.NET
AIRPORT.NET
The list goes on. My ability to peruse it does not. The point is, there are
no rules, "NET." is the next "COM." and you'd all better get your domains up
and running before somebody else beats you to it. More, bigger, better, and
faster. Never mind what it was intended for. The InterNIC is not allowed to
turn you down, no matter what your "business description" says. So why not?
(PS., Maybe if we pollute everything to ruin, folks will head to deeper water
and use domain names that make sense but have more dots in them, sooner. So,
send that "NET." domain application in TODAY! Don't delay!)
Paul Vixie
La Honda, CA
"Illegitimibus non carborundum."
pacbell!vixie!paul
Absolute power corrupts ...
Who's talking absolute power? We're just talking about DNS resolution here. Let's not blow this out of proportion.
Look, I'm all for making such a thankless job easier. Which is why the more pain you can focus squarely on the bad guys the more control you will REALLY have!
That's what the DNS RPZ does, is focus on the bad guys.
>That's what the DNS RPZ does, is focus on the bad guys.
No, it's a tool you use to block those YOU define as bad guys.
Good point, well said.
Most new domain names are malicious.
This is a sweeping statement. However had a reputation based DNS option been available a few years ago when ICANN essentially facilitated Domain Tasting, then it could have solved a lot of the problems long before ICANN ever got around to dealing with the problem. But the current situation is not that Domain Tasting mess. There is still a level of malicious domain name registration but it would be unfair to say that most new domain names registered on a daily basis are malicious.
Many newly registered domains are automatically parked on the registrar's PPC websites before they are used or developed. For some, they will stay that way until they are dropped without being renewed. Others are registered for the purposes of PPC and speculation but this does not mean that they are malicious registrations. Significant percentages of various TLDs are on PPC parking. In some cases, the percentages on PPC parking will come close to or exceed the numbers of actively developed domain names in that TLD.
This proposal has some very interesting possibilities but it may also have some unintended consequences. If it is implemented by ISPs, they will become the gatekeepers for their users. They would, in effect be a multitude of little versions of the "Great Firewall of China". What if they start forcing users to use their DNS too?
The browser plugins would probably be the earliest users of such a blacklist. A whole section of the web could fade out of view in just a few months. The Direct Navigation model could take another serious kicking as a reputation based DNS could replicate the principle of Google's reputation based link algorithm. The unintended consequence is that this could end up taking away the decision about what site to visit from the user and giving it to the ISP or someone else.
Yes, but providing cybersquatters with a minimum 30 days during a UDRP proceeding to "blackhole" a domain name, so that the trademark owner winds up with a domain that won't route, will be interesting to watch.
Did you mean "route" or "resolve"?
I meant "work", but the aggressive iPhone spell check and my thumbs apparently had other ideas.
it is entirely conceivable, given the discussion of reputation of address blocks, and therefor of routing, on nanog, involving paul and others, that a domain may "resolve" yet not "route" by policy. this in addition to a domain not being resolved by policy for some set of resolvers.
and isn't that spell checker a pita?
Can you point me to the URL on the NANOG archive? I don't recall that thread.
Speculation is how you bring future prices into the present. Speculation is good. More speculation is better. Bad speculation isn't a problem because the speculator runs out of money. Unfortunately, there is substantial overlap between the field of trademarks and domain names, and the rules differ between them. Trademarks have had hundreds
domain names hundreds of months.
For example, you can't get a trademark on a product you aren't selling, yet you can get a domain name for a product you aren't selling. For example, you can't sell a competing product under a similar name by trademark law, but that works fine under domain names. For example, trademarks have fields, but domain names don't.
And unfortunately, a lot of what is called "speculating" is infringement, plain and simple.
I like your points. And it works the other way too. Creating an "off switch" that costs nothing to use (no accountability) makes it all too easy to use, in cases it should not.
The renewal fees make the "speculator" accountable. And what makes DNS RPZ accountable? The direct quote above said it all:
>And there shouldn't be any legal recourse.
Speculation is how you bring future prices into the present. Speculation is good. More speculation is better. Bad speculation isn't a problem because the speculator runs out of money.
Hmmm.... The US financial industry comes to mind here as a counter example. Perhaps the financial industry's ability to bribe members of Congress (err, make PAC contributions) destroys the theory.
The ability of members of Congress to manipulate the financial industry destroys the theory by removing the precondition that customers, not politicians, make the rules. Once you let politicians frick with things, they can and will be corrupted by the frickees. The only solution is separation of state and markets. That includes, of course, DNS services.
It's been fascinating reading through the posts that Paul's announcement here has created. There is a lot of passion coming throughout the threads from many posters debating the desirability of the mere "existence" of a mechanism like an RPZ. Problem is, RPZ's of some form have been with us for years and that debate is long over. SURBL, Spamhaus, OpenDNS, my own company, and many, many others have been providing domain reputation services that can be used at the DNS resolver level (if desired) for years now. A large number of enterprises (an
