05 November, 2010

Taking Back the DNS

Sometimes you come across a blog entry that really forces you to re-think a situation. Consider this excerpt from Paul Vixie's blog:

"Most new domain names are malicious.

I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators. The DNS industry has a lot of highly capable and competitive registrars and registries who have made it possible to reserve or create a new name in just seconds, and to create millions of them per day. Domains are cheap, domains are plentiful, and as a result most of them are dreck or worse.

Society's bottom feeders have always found ways to use public infrastructure to their own advantage, and the Internet has done what it always does which is to accelerate such misuse and enable it to scale in ways no one could have imagined just a few years ago. Just as organized crime has always required access to the world's money supply and banking system, so it is that organized e-crime now requires access to the Internet's resource allocation systems. They are using our own tools against us, while we're all competing to see which one of us can make our tools most useful.

My thinking when I created the first RBL (now called a DNSBL; mine was the MAPS RBL though and so that's how I still think of it) back in the mid/late 1990s, was that universal access between e-mail servers was a greater boon to the bad guys than to the good guys, and so I worked to create a way that cooperating good guys could make their mailers less accessible. While I didn't reach my objective of stopping spam, I did help establish the "my network, my rules" theory of limited cooperation for Internet resources. Simply put, it's up to every network owner to decide who they will or won't cooperate with, and the way to get your traffic accepted by others is to be polite and to spend some effort trying to avoid annoying folks or letting your customers annoy folks.

Here, in 2010, I've finally concluded that we have to do the same in DNS."
