North American Network Operators Group


Re: Schneier: ISPs should bear security burden

  • From: Steven J. Sobol
  • Date: Thu Apr 28 02:19:52 2005

On Wed, 27 Apr 2005, Owen DeLong wrote:

> >
> > What's rDNS for the ip address(es) assigned to you?
> >
> I don't know about him, but, on my ADSL connection, it is controlled
> by my nameservers:
> 
> ;; ANSWER SECTION:
> 10.159.192.in-addr.arpa. 86400  IN      NS      ns.rop.edu.
> 10.159.192.in-addr.arpa. 86400  IN      NS      ns.delong.sj.ca.us.
> Who are you to decide that there is no damage to blocking residential
> customers?  I'm a residential customer, but, I have a number of
> servers running, and, a port 25 block would be very destructive to
> the operation of my mailserver.

Ah, but *you* wouldn't get blocked. You maintain your own rDNS and 
presumably have enough clue to not make the rDNS look like a pool of 
dynamic residential IPs that aren't terribly important. To wit:

$ host 192.159.10.1
1.10.159.192.in-addr.arpa domain name pointer ns.delong.sj.ca.us.

$ host 192.159.10.2
2.10.159.192.in-addr.arpa domain name pointer owen.delong.sj.ca.us.

$ host 192.159.10.8
8.10.159.192.in-addr.arpa domain name pointer www.diagnostix.com.

Those are OBVIOUSLY not hostnames that comply with de-facto standards for
dynamically assigned dialup and broadband pools like

ip-192-168-0-1.AppleValleyCA.BigDSLProvider.net 

or

port1.as29.phoenix.DialupFarm.com

(for example). 

The idea is that your ISP should either allow you to run your own DNS or 
give you DNS that doesn't look like something out of a big pool of 
addresses, which makes it much, MUCH easier to decide what to block and 
what not to block. Any IP that a provider allows servers on should have 
distinctive, non-dynamic-looking DNS (and preferably be in a separate 
netblock from the dynamically-assigned IPs).

That way you can be reasonably sure that you're not blocking someone whose 
ISP has allowed them to run servers.

(Some providers are much better than others at doing this kind of 
thing...)

> Why should an ISP decide what a residential
> customer can or can't do with their internet connection.  (This is not
> an advocation for abandoning TOS or allowing abuse.  I am talking about
> within the confines of legitimate internet use, such as hosting a web
> site (or even several), running nameservers, mail server(s), etc.)

Your ISP, or the provider of the person deciding whether to block you?

Is there anything wrong with an ISP saying "you can't run servers on 
certain types of Internet connection"?

-- 
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / [email protected] / PGP: 0xE3AE35ED

"The wisdom of a fool won't set you free"   
    --New Order, "Bizarre Love Triangle"
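The naming heuristic discussed in the message above, as an added example that is not part of the original post: a receiving mail server classifying a connecting host by its PTR name (address octets embedded in the label, or pool-style labels such as "port1" or "dyn") and exempting netblocks its provider has set aside for servers. The token list and the allowlisted /24 (the delegation shown in the quoted dig output) are constructed assumptions for illustration, not a standard or any provider's policy.

```python
import ipaddress
import re
from typing import Optional

# Labels often seen in PTR names of dynamically assigned pools. Constructed,
# illustrative heuristic only; tune to local policy. Anchored on label
# boundaries so "support" does not match "port".
POOL_LABEL = re.compile(
    r"(?:^|[-.])(?:dyn|dynamic|dialup|dial|pool|ppp|dsl|cable|dhcp|port)\d*(?=$|[-.])"
)
# A run of four small numbers joined by '-' or '.', e.g. "ip-192-168-0-1".
OCTET_RUN = re.compile(r"(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)")

# Netblocks whose provider allows servers (constructed sample: the /24 whose
# reverse delegation is shown in the quoted message).
SERVER_NETS = [ipaddress.ip_network("192.159.10.0/24")]


def looks_dynamic(ip: str, ptr: str) -> bool:
    """True if the PTR name is built from the address itself (in either octet
    order) or carries a pool-style label in its host part."""
    name = ptr.rstrip(".").lower()
    for run in OCTET_RUN.findall(name):
        if ip in (".".join(run), ".".join(reversed(run))):
            return True
    # Crude approximation of "everything left of the registered domain".
    host_part = ".".join(name.split(".")[:-2])
    return POOL_LABEL.search(host_part) is not None


def smtp_policy(ip: str, ptr: Optional[str]) -> str:
    """Receiving-MTA decision: hosts inside a netblock the provider reserves
    for servers are accepted outright; missing or pool-looking rDNS is
    flagged for stricter handling; anything else is accepted."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SERVER_NETS):
        return "accept"
    if ptr is None or looks_dynamic(ip, ptr):
        return "treat-as-dynamic"
    return "accept"
```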