Upcoming DNS changes

by augie » Fri Feb 22, 2013 11:56 am
Starting Tuesday February 26th we will begin the rollout of several security enhancements to our DNS servers. These changes will be rolled out to our Los Angeles customers; all other customers will be using these updated name servers by March 5th. These features will help keep our customers more secure as they surf the Internet. These changes include:

Enabling DNSSEC validation.
Enabling DNS reputation validation.
Closing our DNS servers to off network requests.

These features will appear automatically for all of our customers when the rollout is complete, so there is no action for you to take as a customer.

Briefly, the reasoning behind these features is as follows:

Enabling DNSSEC validation allows you to be sure that the websites you visit are in fact the legitimate site, and not a fake site put up by criminals. For more information please see our DNSSEC Wiki page (https://wiki.sonic.net/wiki/DNSSEC).

Enabling DNS reputation validation will protect our customers from unknowingly visiting malicious web sites. These are sites that seek to directly harm customers' computers or use their computers to do harm to others. If you do happen to visit a malicious site, instead of the criminal's web site you will see a page like this: http://dns-blocked.sonic.net/.

Closing our DNS servers to off network requests is something we have wanted to do for a very long time. Doing so protects our servers from being used by hackers to harm others on the Internet. If you attempt to use our DNS servers while not on the Sonic.net network, you will be redirected to a page similar to this: http://dns-captive.sonic.net/.

We understand that some of our customers may not wish to utilize these additional security features, and as such we are offering two opt-out servers that do not implement DNSSEC or reputation validation. The IP addresses of those servers are:

75.101.19.196
75.101.19.228

Please reply here with any questions or concerns you have, and we will gladly answer them.
by dasherma » Fri Feb 22, 2013 12:16 pm
One question about the post versus the email we received -

The blog post says

"Enabling DNSSEC validation.
Enabling DNS reputation validation.
Closing our DNS servers to off network requests."

but the email that went out said

"Enabling DNSSEC validation.
Enabling 2 commercial DNS RPZ services.
Closing our DNS servers to off network requests."

So could you elaborate on the differences between "Enabling DNS reputation validation." and "Enabling 2 commercial DNS RPZ services."? They might mean the same thing, but if you're using commercial services, are there going to be some limitations on the DNS that are not security-related?
by jrconlin » Fri Feb 22, 2013 12:36 pm
I presume that the RPZ services are provided from commercial entities.

Will there be provisions so that we can challenge false positives? (Aside from using something like OpenDNS or Google DNS)
by rodrigo » Fri Feb 22, 2013 1:02 pm
jrconlin wrote:
Will there be provisions so that we can challenge false positives? (Aside from using something like OpenDNS or Google DNS)

The page that is displayed, at http://dns-blocked.sonic.net/ , has a form for submitting such a challenge.

There are also two opt-out servers, at:
75.101.19.196
75.101.19.197
by drosen35 » Fri Feb 22, 2013 2:05 pm
The email about the DNS changes states that the use of DNS RPZ is "potentially controversial." Can you please say more about what DNS RPZ is, how it works, and why it is potentially controversial? While I appreciate the opportunity to opt-out, I don't know enough about the subject to understand why I would or wouldn't want to do so.

Thank you,
David
by kgc » Fri Feb 22, 2013 2:14 pm
dasherma wrote:
They might mean the same thing, but if you're using commercial services, are there going to be some limitations on the DNS that are not security-related?


To some extent that remains to be seen but it is not our intention or wish that any limitations would be put in place that are clearly security-related. To be clear, what we're able to do with RPZ is prevent our servers from resolving either host names or host names which resolve to specific IP addresses. The two primary goals are to prevent infected machines from being able to communicate with their command and control systems as well as preventing both the initial infection or loss of data in the case of phishing sites.

As to why the use of RPZ could be viewed as controversial - some people may feel that it is a "breach of contract" by their ISP to monkey with DNS requests along the same lines as rewriting the content of web pages via transparent proxy servers, NXDOMAIN redirection, and traffic shaping via deep packet inspection. One could, for example, use it to block access to sites believed to contain "objectionable" content.
Kelsey Cummings
System Architect, Sonic.net, Inc.
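To make the mechanics behind the announcement and Kelsey's explanation concrete, here is a small added example (not Sonic.net's code or configuration) that models the three policies in the order a resolver would apply them: an on-network ACL for recursion, RPZ QNAME triggers (block a host name, or exempt it with rpz-passthru), and RPZ response-IP triggers (block any name that resolves to a listed address). The policy zone, the client prefixes, the "upstream" answers and the captive-page name are all constructed for the example; the `32.<reversed octets>.rpz-ip` owner-name encoding and the meaning of the CNAME targets (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` to exempt) follow the RPZ convention. Only IPv4 response-IP triggers are handled.

```python
"""Toy model of resolver policy: on-net ACL, then RPZ QNAME and response-IP
triggers. All zone data, prefixes and answers below are constructed."""
import ipaddress

# Constructed: only clients in these prefixes may use the resolver for recursion.
ON_NET = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
CAPTIVE_PAGE = "dns-captive.example."  # constructed stand-in for the captive page

# Constructed RPZ zone, as "owner (relative to the zone origin) -> CNAME target".
RPZ_RECORDS = {
    "malware.test": ".",                 # exact QNAME -> NXDOMAIN
    "*.malware.test": ".",               # any subdomain -> NXDOMAIN
    "good.malware.test": "rpz-passthru.",  # exact match beats the wildcard: exempt
    "phish.test": "walled-garden.test.",   # local data: answer with a block page name
    "32.4.3.2.192.rpz-ip": ".",          # answers equal to 192.2.3.4/32 -> NXDOMAIN
    "24.0.113.0.203.rpz-ip": "*.",       # answers inside 203.0.113.0/24 -> NODATA
}

# Constructed stand-in for what the recursive resolver would fetch upstream.
UPSTREAM = {
    "www.test": ["198.51.100.10"],
    "good.malware.test": ["198.51.100.20"],
    "cnc.test": ["192.2.3.4"],
    "ads.test": ["203.0.113.77"],
}


def rpz_action(target):
    """Map an RPZ CNAME target to the policy action it encodes."""
    if target == ".":
        return "NXDOMAIN"
    if target == "*.":
        return "NODATA"
    if target == "rpz-passthru.":
        return "PASSTHRU"
    return "LOCAL_DATA"


def qname_trigger(qname):
    """Return the RPZ target matching the query name, or None.
    An exact owner wins over wildcards; among wildcards the closest ancestor wins."""
    name = qname.rstrip(".").lower()
    if name in RPZ_RECORDS:
        return RPZ_RECORDS[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in RPZ_RECORDS:
            return RPZ_RECORDS[candidate]
    return None


def ip_trigger(addr):
    """Return the target of the longest rpz-ip prefix covering addr, or None.
    Owner format: <prefixlen>.<octets reversed>.rpz-ip (IPv4 only here)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for owner, target in RPZ_RECORDS.items():
        if not owner.endswith(".rpz-ip"):
            continue
        parts = owner[: -len(".rpz-ip")].split(".")
        prefixlen = int(parts[0])
        net = ipaddress.ip_network(".".join(reversed(parts[1:])) + f"/{prefixlen}", strict=False)
        if ip in net and (best is None or prefixlen > best[0]):
            best = (prefixlen, target)
    return best[1] if best else None


def resolve(client_ip, qname):
    """Apply ACL, QNAME policy and response-IP policy in order; return (action, data)."""
    if not any(ipaddress.ip_address(client_ip) in net for net in ON_NET):
        return ("OFFNET_CAPTIVE", CAPTIVE_PAGE)  # off-network clients get the captive page
    target = qname_trigger(qname)
    if target is not None:
        action = rpz_action(target)
        if action != "PASSTHRU":
            return (action, target if action == "LOCAL_DATA" else None)
    answers = UPSTREAM.get(qname.rstrip(".").lower())
    if answers is None:
        return ("NXDOMAIN", None)
    if target is None:  # a QNAME passthru ends policy processing for this response
        for addr in answers:
            hit = ip_trigger(addr)
            if hit is not None:
                action = rpz_action(hit)
                if action != "PASSTHRU":
                    return (action, hit if action == "LOCAL_DATA" else None)
    return ("ANSWER", answers)


if __name__ == "__main__":
    for client, name in [("192.0.2.10", "www.test"), ("198.51.100.1", "www.test"),
                         ("192.0.2.10", "evil.malware.test"), ("192.0.2.10", "good.malware.test"),
                         ("192.0.2.10", "cnc.test"), ("192.0.2.10", "ads.test")]:
        print(client, name, "->", resolve(client, name))
```

The ordering matters: the passthru entry for good.malware.test shows why an exemption must be checked as an exact match before the wildcard, and why a passthru also skips the response-IP check, which is how a false positive would be whitelisted without touching the rest of the feed.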
by klui » Fri Feb 22, 2013 4:25 pm
What will happen to the current DNSSEC servers?

I'm currently using 64.142.73.180, 64.142.73.181.

Thanks
by augie » Fri Feb 22, 2013 5:28 pm
Those IP addresses will continue to function, and will have the RPZ features added in.
by Guest » Fri Feb 22, 2013 10:39 pm
So the servers that WILL be affected are 208.201.224.11 and 208.201.224.33, right?
by augie » Fri Feb 22, 2013 11:17 pm
Yes.