[AusNOG] Conroy announcement on filtering

Pinkerton, Eric Eric.Pinkerton at team.telstra.com
Mon Jan 4 15:04:13 EST 2010


>Preventing end-user DNS requests beyond an ISP's network may be needed in the long run in any case, to
>limit the effectiveness of DNS-based DDoS.
>Since the ISP's users would suffer greatly from rate-limiting of DNS/UDP traffic, it's the lesser of
>the two evils should those attacks regain popularity.

Preventing incoming DNS requests from outside your network could make sense, but stopping your internal users querying any external DNS servers seems obtuse, perhaps I am missing something?

>The issue with a DNS-based approach is one of public policy and user
>satisfaction. If one article at Wikipedia is banned do you want to
>stop all access to en.wikipedia.org?

This is an interesting point but it's not so black and white in my understanding.

The ACMA blacklist contains a mixture of both entire domains and single pages, so it follows that the intention of the chosen solution is to police both.

I was under the impression that the solution proposed combined a DNS and proxy.  The DNS blocks or diverts banned domain requests to say an ad for counselling or whatever without impediment to other traffic, but requests for a page on a domain (or server) that also carries banned pages are diverted through a proxy server with a blacklist.

Thus when the need arises to block a specific page on a well used site such as Wikipedia or YouTube, all traffic destined for that domain needs to be inspected and overall latency increases depending on traffic and bandwidth (popular pages may even load faster due to this proxy so we might even see it spun as an improvement).

I am given to believe the current blacklist already boasts specific pages on both Wikipedia and YouTube, so I intend to use my hourglass time learning to blink much slower so that the quoted impact of '1/70th of the blink of an eye' continues to hold water.

Eric
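The two-tier scheme Eric describes (DNS sinkholes whole banned domains; hosts that carry one banned page are instead diverted to a proxy that matches individual URLs) can be written down as a small policy model. The Python below is an added illustration, not part of Eric's post or of any filtering product; the blacklist entries, hostnames and decision labels are all constructed and hypothetical. It makes the operational consequence visible: a single page-level entry forces every request for that host through the proxy, which is where the latency cost Eric mentions comes from. Note that the proxy can only see the path and query of plaintext HTTP requests; for HTTPS it sees at most the hostname unless TLS is intercepted.

```python
"""Policy model of a hybrid DNS + proxy filter (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed blacklist (hypothetical entries, not the ACMA list): a bare hostname
# means "block the entire domain"; a full URL means "block only that page".
BLACKLIST = [
    "blocked-site.example",
    "http://en.wiki.example/wiki/Banned_Page",
    "https://video.example/watch?v=banned123",
]


def parse_blacklist(entries):
    """Split entries into whole-domain blocks and per-host sets of banned pages."""
    domains = set()
    pages = {}  # host -> set of (path, query) tuples that are banned on that host
    for entry in entries:
        if "://" in entry:
            parts = urlsplit(entry)
            host = parts.hostname.lower()
            pages.setdefault(host, set()).add((parts.path or "/", parts.query))
        else:
            domains.add(entry.lower().rstrip("."))
    return domains, pages


def _under_domain(qname, domain):
    """True if qname is the banned domain itself or any subdomain of it."""
    return qname == domain or qname.endswith("." + domain)


def dns_policy(qname, domains, pages):
    """Decide how the ISP resolver answers a query for qname.

    'sinkhole'        - whole domain is banned: answer with the diversion address
    'divert-to-proxy' - host carries at least one banned page: answer with the
                        proxy's address so every request for it can be inspected
    'resolve'         - unaffected: answer normally
    """
    qname = qname.lower().rstrip(".")
    if any(_under_domain(qname, d) for d in domains):
        return "sinkhole"
    if qname in pages:
        return "divert-to-proxy"
    return "resolve"


def proxy_policy(url, pages):
    """Decide, on the proxy, whether one individual request is blocked."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    key = (parts.path or "/", parts.query)
    return "block" if key in pages.get(host, set()) else "pass"


def inspected_hosts(entries):
    """Hosts whose entire traffic must traverse the proxy because one page is banned."""
    _, pages = parse_blacklist(entries)
    return sorted(pages)


if __name__ == "__main__":
    domains, pages = parse_blacklist(BLACKLIST)
    for q in ["www.blocked-site.example", "en.wiki.example", "other.example"]:
        print(q, "->", dns_policy(q, domains, pages))
    for u in ["http://en.wiki.example/wiki/Banned_Page",
              "http://en.wiki.example/wiki/Main_Page"]:
        print(u, "->", proxy_policy(u, pages))
    print("hosts needing full inspection:", inspected_hosts(BLACKLIST))
```

Running the script shows that `en.wiki.example` is never sinkholed, only diverted, so its unbanned pages still load, but only after the proxy has matched each request against the page list.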