RPZs a personal history

Ten years ago today at a “secure off site meeting” ( i.e. in the pub ) I asked a colleague if there was any reason why we couldn’t use DNS load balancers to “load balance” bad domains to an address of our choosing. After some thought there didn’t seem to be any reason why we couldn’t do it or why it wouldn’t work. So the next morning as it still seemed like a good idea we added load balancing rules for three choice domains with less than savoury reputation. This quickly proved to be quite a successful tactic so we dubbed it “the naughty step”, and assumed that as it was such an “obvious” thing to do loads of other people must also be doing it. After we’d been going on like this for a while Paul Vixie published his excellent article on taking back DNS, which gave us a… Continue reading

Cloudflare DoH!

This is a follow up to my previous article “Some problems with DoH!“. Given that Cloudflare are the preferred partner of Mozilla who are threatening to impose DNS-over-HTTPS on the majority of people I thought it worth while to have a look at what they have to say for themselves. All of this information is taken from https://developers.cloudflare.com/1.1.1.1/ as it was on 14th August 2018 ( archive.org link ). Some of my commentary may verge on the pedantic*, but given the nature of what is being proposed I think a little** pedantry and cynicism is called for. I may be mainly asking cynical and paranoid questions, given the weasel words and behaviour we’ve all seen from other companies I think this is justified for someone selling themselves on privacy. Continue reading

Some problems with DoH!

With recent announcements from Mozilla about wanting to use DNS-over-HTTPS by default and partnering with Cloudflare to at least test this, I’ve been giving the matter of DoH quite a bit of thought. This is therefore the first of two possibly three articles dealing with various aspects of DNS over HTTPS. For those that are unaware the idea behind DNS-over-HTTPS ( henceforth DoH ) is that DNS isn’t by default secure or private so let tunnel it over HTTPS so that those pesky firewalls don’t get in the way and secure it that way. This will allegedly make DNS faster, more private and just all round better. Personally I think it will do few if any of those things and that the problems it will create will far out weight any perceived benefits. As Bert Hurbert said this looks a lot more like a land grab by CDN and browser… Continue reading

SPF, DKIM & DMARC – A triple band aid

Following on from my previous article and because I’ve got to write this anyway I thought I’d take a look at the roles of SPF, DKIM and DMARC for people who don’t really need to know the technicalities. There are many articles out there that cover the technical workings of SPF, DKIM and DMARC and some looking at them all together. Hopefully I’m not going to cover the same ground as those too much. Hopefully though this will provide a reasonable over view of what these records are trying to achieve and how they work together. Firstly the problem all of these things are trying to solve is that e-mail is insecure and easily abused. This is in part because it was designed in an earlier more trusting time and in part because it is designed to allow anyone to reach out and contact anyone else. Much like telephones if… Continue reading