Upcoming DNS changes

67 posts Page 4 of 7
by raillard » Wed Mar 06, 2013 12:50 pm
augie wrote:Closing our DNS servers to off network requests is something we have wanted to do for a very long time. Doing so protects our servers from being used by hackers to harm others on the Internet. If you attempt to use our DNS servers while not on the Sonic.net network, you will be redirected to a page similar to this: http://dns-captive.sonic.net/ .
Did I overlook an e-mail announcement about this change? I've been a member of Sonic for 16 years, and it was unpleasant to see the bland, generic "Update your DNS Settings" error message this morning. I second the earlier comment about identifying the source of the error message. It took a bit of troubleshooting to regain internet access, and some Googling before I could tell the error was legitimate and from Sonic. We use Comcast for high-speed at our home, but I have kept Sonic for several reasons, including the use of your DNS servers. I'm sorry to see that disappear. Could you please shed some light as to why off-network use of the DNS servers is so bad? Is it really that much easier to hack, or such a bad drain on resources? Makes me wish that DNS servers could be authenticated like other servers.

-- Hans
by kgc » Wed Mar 06, 2013 1:02 pm
Hans, I'm sorry that you've been caught up in the change. To answer the second question, yes, public recursive servers are a real problem and we've had off-and-on issues with being used as a source of DNS amplification attacks for a long time. While I think I could make an argument that closing this off improves the security of our customers, it is really about us not being used to create a Denial of Service attack on third parties. Wikipedia has some information on this and I'm sure google will tell you more if you are interested. http://en.wikipedia.org/wiki/Denial-of-service_attack
Kelsey Cummings
System Architect, Sonic.net, Inc.
by thulsa_doom » Wed Mar 06, 2013 1:23 pm
Publicly we announced these changes back in late February four days ahead of implementing them for our Los Angeles-based servers, right after Augie opened this very thread: http://corp.sonic.net/status/2013/02/22 ... s-changes/

A copy was sent to everybody on the MOTD mailing list, though the follow-up update from the 26th (that the Los Angeles leg was successful) was just posted to the system status blog.
John Fitzgerald
Sonic Technical Support
by chc2net » Wed Mar 06, 2013 2:44 pm
Some feedback.

First off, the DNS redirect page that blocks the recursion should indicate Sonic.net. This caused a bit of issues with people not knowing and then misdirecting the issue before it was realized. Anyway, it is just general good IT practice to do so on error pages which Sonic used to do well.

Next - I am too a long time Sonic.net customer. Back to the day I could talk routers with Dane Jasper personally just calling in. Long time. However I had to move my location out of Sonic.net's service area which I regretted, but it is as it is. However I still am a customer in that I still pay for mailboxes here monthly, for many years. This DNS decision caught me by surprise. I got no notice. I like using sonic.net DNS servers for recursion because they are fast and I personally just like sonic.net privacy policies as well. So I am disappointed for sure to be thrown to the exclusion pile. I felt justified to use Sonic DNS servers, as I am a paying customer and my traffic is really small business minimal.
by Guest » Wed Mar 06, 2013 2:52 pm
I don't understand why Sonic has taken it upon themselves to block Internet sites considered criminal or destructive. Who has made these determinations and by what criteria is vague at best. Denying access to any website is censorship by definition and that should not be something any ISP engages in. EVER! Yes I know it's for all the best reasons and is completely well intentioned but all censors claim the best of motives. AND IT IS COMPLETELY UNNECESSARY!

I appreciate being warned of dangerous sites but after reading your blocking screens I would like a button at the bottom that says something to the effect that despite the warning I have elected to continue to the site. It would be similar to the screen we get when a security certificate fails for whatever reason. Yes I know I can use the DNS servers that don't block but then I'm denied information as to sites that may actually be dangerous. Why are we forced to make the choice of no information at all or censorship?

We know from history that censorship can be used for nefarious reasons which is why we protect freedom of speech, sometimes to ridiculous extremes. We don't want to go down that road.
by kgc » Wed Mar 06, 2013 2:58 pm
I appreciate the feedback regarding branding on the blocked recursion page - we had reasons for not branding - specifically we didn't want a customer of another ISP to call and tie up our support resources even though they were not our customer. It was our hope that "call your network admin or isp" was good enough to push people in the right direction. The captive portal for these off-site requests was fairly controversial internally and may or may not have been a good move on our part - would you have been happier if DNS requests just stopped working?

Second, I am sympathetic and you aren't the only customer in a similar situation. I don't have any good response other than this policy protects our resources from misuse and there is no practical way for us to differentiate between a customer like you and a random spoofed packet that is part of a DoS attack.
Kelsey Cummings
System Architect, Sonic.net, Inc.
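An added illustration of the point in Kelsey's two replies above (an open recursive resolver being abused as an amplifier, and why a source-address ACL cannot tell a paying off-network customer from a forged packet). This is example code written for this thread, not anything from Sonic.net; the prefixes and log lines are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Assumed on-network prefixes (placeholder documentation ranges, not Sonic.net's).
ON_NETWORK = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.0/24")]

# Constructed resolver log: "<src_ip> <qname> <qtype> <query_bytes> <response_bytes>"
# 192.0.2.50 looks like a reflection attack; 192.0.2.77 looks like a real customer
# who has moved off-network. The resolver sees only the source address of each.
SAMPLE_LOG = """\
198.51.100.7 www.example.com A 64 120
203.0.113.9 mail.example.com MX 66 180
192.0.2.50 isc.org ANY 64 3200
192.0.2.50 isc.org ANY 64 3200
192.0.2.50 isc.org ANY 64 3200
192.0.2.50 isc.org ANY 64 3200
192.0.2.77 www.example.com A 64 120
"""

def parse_log(text):
    records = []
    for line in text.splitlines():
        src, qname, qtype, qlen, rlen = line.split()
        records.append((ipaddress.ip_address(src), qname, qtype, int(qlen), int(rlen)))
    return records

def is_on_network(addr):
    return any(addr in net for net in ON_NETWORK)

def classify(records):
    """Apply an allow-recursion policy keyed purely on source address.
    Both the attacker's spoofed packets and the genuine off-network customer
    land in 'refused': there is nothing else in the packet to separate them."""
    allowed = [r for r in records if is_on_network(r[0])]
    refused = [r for r in records if not is_on_network(r[0])]
    return allowed, refused

def amplification_by_source(records, min_queries=3):
    """Response bytes per query byte for each off-network source that repeats
    queries. A large ratio is the reflected-DoS signature: the replies go to
    whoever owns the (possibly forged) source address, not to the sender."""
    sent, recv, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _, _, qlen, rlen in records:
        if is_on_network(src):
            continue
        recv[src] += qlen; sent[src] += rlen; count[src] += 1
    return {str(s): round(sent[s] / recv[s], 1) for s in sent if count[s] >= min_queries}
```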
by kgc » Wed Mar 06, 2013 3:01 pm
Guest wrote:I don't understand why Sonic has taken it upon themselves to block Internet sites considered criminal or destructive.
There are a few reasons that we have taken this step and our primary goal is to protect our users from viruses and other malware. We've provided name servers (with the same level of redundancy and reliability as our primary servers) for customers who do not wish to have these policies applied.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by echelon3 » Wed Mar 06, 2013 3:01 pm
I didn't understand this change to mean that Sonic will be blocking certain web sites.
A) Is this true?
B) If it's true, is there somewhere I can read the list of blocked sites?
by Guest » Wed Mar 06, 2013 3:02 pm
Guest wrote:I don't understand why Sonic has taken it upon themselves to block Internet sites considered criminal or destructive.
The opt-out (no RPZ/censorship) DNS server addresses are in the first post of this thread, and also at
https://wiki.sonic.net/wiki/List_of_rec ... NS_servers
by raillard » Wed Mar 06, 2013 3:48 pm
kgc wrote:The captive portal for these off-site requests was fairly controversial internally and may or may not have been a good move on our part - would you have been happier if DNS requests just stopped working?
Yes, I actually would have preferred that, but I'm technical enough that I would have soon discovered that the DNS were not responding. I would have assumed they were both down, and temporarily changed to Comcast or Google DNS. Later, I would have visited Sonic and these forums and discovered that the change was permanent.

Not sure how many non-technical people would be greeted by the captive portal message, but they seem to be the intended audience. Both technical and non-technical users would benefit from a simple, truthful message, such as
"Sorry, Sonic.net no longer allows the use of our Domain Name Servers unless you are directly connected to Sonic.net. Please contact your current Internet Service Provider for help in changing your settings to match their recommendations."

Thank you for clarifying why the changes were important. Please do consider improving the captive portal error message. The current one is so bland that I first thought it was part of some fake security malware.

-- Hans