The can of worms.. DNS FILTERING
I mentioned this in the IRC channel, but I will post here going forward.
The can of worms, as mentioned in the title, is filtering DNS. I understand that this is a community that encourages openness in the arena of DNS services. I am not advocating that we forcefully filter results using the OpenNIC servers, but that we offer an option to allow users to filter, if they choose to do so.
I have already begun coding such a system and I will post updates as it becomes more functional. Eventually a demo site will follow, along with a DNS server that will handle the queries and forward the requests to OpenNIC.
I am interested in all thoughts on the subject, especially the "constructive criticism" kind.
Re: The can of worms.. DNS FILTERING
I'm curious about your filter. I'm assuming it's like a DNS proxy that the client runs or someone runs on behalf of the client? Does it filter requests and forward the requests that are accepted on to the DNS server then reply to the client? or is it similar to a fork of a full DNS server that has the functionality built in?
Also I assume it's aimed more towards the non-technical user? I don't necessarily mean technically uneducated, rather, someone who doesn't want to learn BIND configuration and host their own T2. More of a shut-up-and-take-my-money attitude.
achip on #opennic | chip.geek (Posts: 5, Joined: Tue Jan 19, 2016 2:01 am)
Re: The can of worms.. DNS FILTERING
My current implementation is in the form of a DNS proxy. The proxy server accepts the DNS request, forks the process and makes the request to the actual DNS, while checking the database to see if it exists. If not, it is added and the request returned. If so, the request is returned anyway. This is where I will develop the next phase once I have more to work with.
All I have been doing is browsing the web and loading the domains into a SQL database. I will extend this to the next level once I have a few hundred domains to play with.
I don't think it would be a good idea to mix this type of system with the physical DNS server due to resource constraints. I would like to build in a pass-through in the event the wait times exceed, say, 3 seconds for example.
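As an added example of the design described above (not the poster's code, which has not been published here), the following Python sketches the pieces of such a filtering proxy: parse the incoming query, record the domain in a SQLite table (add it if new, count the hit if not), answer NXDOMAIN for names on a block list and forward everything else to an upstream resolver with a timeout. The upstream address and port, the table layout, the NXDOMAIN/SERVFAIL choices and the `filter.db` file name are all assumptions.

```python
"""Added example (not the poster's code): the pieces of a filtering DNS proxy.
Parse the query, log the name in SQLite, block or forward with a timeout.
Upstream address, table layout and RCODE choices are assumptions."""
import socket
import sqlite3
import struct

UPSTREAM = ("127.0.0.1", 53)   # assumed: a local OpenNIC tier-2 resolver
TIMEOUT_SECONDS = 3.0          # the cut-off mentioned in the post
RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3


def parse_query(packet: bytes):
    """Return (txid, qname, qtype, question_end) from a wire-format query."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive query (handy for testing without a client)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS seen (name TEXT PRIMARY KEY, hits INTEGER NOT NULL)")
    db.execute("CREATE TABLE IF NOT EXISTS blocked (name TEXT PRIMARY KEY)")
    return db


def record_and_check(db: sqlite3.Connection, qname: str) -> bool:
    """Log the name (insert if new, else count the hit); True if it or a parent is blocked."""
    db.execute("INSERT OR IGNORE INTO seen (name, hits) VALUES (?, 0)", (qname,))
    db.execute("UPDATE seen SET hits = hits + 1 WHERE name = ?", (qname,))
    parts = qname.split(".")
    candidates = [".".join(parts[i:]) for i in range(len(parts))]  # name, parent, grandparent...
    marks = ",".join("?" * len(candidates))
    return db.execute(f"SELECT 1 FROM blocked WHERE name IN ({marks})", candidates).fetchone() is not None


def empty_reply(query: bytes, rcode: int) -> bytes:
    """Echo the question back with QR=1, RD=1, RA=1 and the given RCODE, no answers."""
    try:
        question = query[12:parse_query(query)[3]]
    except ValueError:
        question = b""
    header = struct.pack("!HHHHH", 0x8180 | (rcode & 0x0F), 1 if question else 0, 0, 0, 0)
    return query[:2] + header + question


def forward(query: bytes, upstream=UPSTREAM, timeout=TIMEOUT_SECONDS):
    """Send the query upstream over UDP; None if no answer arrives within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, upstream)
        try:
            answer, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return answer


def handle_query(db, packet: bytes, forward_fn=forward) -> bytes:
    """Filter one query. Fails open: an unparseable packet or a database error is
    forwarded unfiltered (the post's pass-through); an upstream timeout becomes
    SERVFAIL so the client retries instead of hanging."""
    try:
        blocked = record_and_check(db, parse_query(packet)[1])
    except (ValueError, sqlite3.Error):
        blocked = False
    if blocked:
        return empty_reply(packet, RCODE_NXDOMAIN)
    answer = forward_fn(packet)
    return answer if answer is not None else empty_reply(packet, RCODE_SERVFAIL)


def serve(db, listen=("127.0.0.1", 5353)):
    """Single-threaded UDP loop; the post's fork-per-query is left out for brevity."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            packet, client = sock.recvfrom(4096)
            sock.sendto(handle_query(db, packet), client)


if __name__ == "__main__":
    serve(open_db("filter.db"))
```

The block-list check walks up the parent domains, so blocking `ads.example` also catches `tracker.ads.example`; a practitioner would also want to decide explicitly whether the filter fails open (as here) or closed when the database is unavailable, since fail-open is what keeps resolution working but also what an attacker who can stall the database would exploit.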
Re: The can of worms.. DNS FILTERING
Can this be modified to help with DNS amplification attacks?
Have a table of recent ANY or TXT requests and drop the request if the hit count is high for example?
Re: The can of worms.. DNS FILTERING
What kinds of things would you filter?
I'm not personally into any kind of censorship except that which one does oneself. Perhaps this will be like that. In any case, I do support people's freedom to do as they wish in this regard.
Re: The can of worms.. DNS FILTERING
Nesa wrote: Can this be modified to help with DNS amplification attacks?
Have a table of recent ANY or TXT requests and drop the request if the hit count is high for example?
I had a similar idea a while ago: feeding a query log to a program that will track repeated queries and if it finds a spambot, it will add a firewall rule to block them.
My only issue I see is that a SQL database might be a bit too slow for this sort of thing. It's probably the only option for the blocklist idea, but for spam detection it's the wrong tool.
Re: The can of worms.. DNS FILTERING
Would an in memory cache be a better idea? (I think this might be ram heavy)
All it would need to hold is the IP address and hit count. I'm looking for anything that will allow me to take my server off the white-list-only option.
Bandwidth is very expensive in Australia. I get charged $1 per GB over my quota, and when my server is being used it can get very high quickly.
Re: The can of worms.. DNS FILTERING
Nesa wrote: Would an in memory cache be a better idea? (I think this might be ram heavy)
All it would need to hold is the IP address and hit count I'm looking for anything that will allow me to take my server off the white list only option.
Since it's just holding an IP address and some hit information, I doubt it would use very much memory, even on very busy servers.
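As an added example of the idea discussed in the last few posts (not code from any poster), the following Python keeps the in-memory table of source IP and hit count, feeds it from a query log the way the earlier reply suggests, and emits a firewall rule for sources that exceed the limit. The log layout (a simplified BIND-style line), the 20-per-60-seconds threshold, the extra query types beyond ANY and TXT, and the nftables table and chain names are all assumptions; the sample log lines are constructed, not a real capture.

```python
"""Added example (not from any poster): a per-source counter for
amplification-prone queries, fed from a query log. Log format, thresholds,
the extra query types and the firewall command are assumptions."""
import re
import sys
from datetime import datetime

# ANY and TXT are the types named in the thread; DNSKEY and RRSIG are assumed
# additions because their answers are also many times larger than the query.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}
WINDOW_SECONDS = 60
MAX_HITS_PER_WINDOW = 20    # assumed threshold; tune it from your own baseline

# Simplified BIND-style query-log layout (assumed); real captures vary by version.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?query: (?P<name>\S+) IN (?P<qtype>\S+)")


class Bucket:
    """One fixed window per source: a start time and a hit count, nothing else."""
    __slots__ = ("window_start", "hits")

    def __init__(self, window_start: float):
        self.window_start = window_start
        self.hits = 0


class SourceRateLimiter:
    def __init__(self, window: float = WINDOW_SECONDS, limit: int = MAX_HITS_PER_WINDOW):
        self.window, self.limit = window, limit
        self.table = {}   # source IP -> Bucket

    def record(self, ip: str, qtype: str, now: float) -> bool:
        """Count one query from ip; True means this source is over the limit."""
        if qtype.upper() not in AMPLIFYING_QTYPES:
            return False          # ordinary A/AAAA lookups are never counted
        bucket = self.table.get(ip)
        if bucket is None or now - bucket.window_start >= self.window:
            bucket = self.table[ip] = Bucket(now)
        bucket.hits += 1
        return bucket.hits > self.limit

    def expire(self, now: float) -> int:
        """Forget sources idle for a full window so the table only tracks recent traffic."""
        stale = [ip for ip, b in self.table.items() if now - b.window_start >= self.window]
        for ip in stale:
            del self.table[ip]
        return len(stale)

    def approx_bytes(self) -> int:
        """Rough resident size: the dict plus one key string and one Bucket per source."""
        return sys.getsizeof(self.table) + sum(
            sys.getsizeof(ip) + sys.getsizeof(b) for ip, b in self.table.items())


def firewall_rule(ip: str) -> str:
    """nftables command to drop the offender's DNS traffic (table/chain names assumed)."""
    family = "ip6" if ":" in ip else "ip"
    return f"nft add rule inet filter input {family} saddr {ip} udp dport 53 drop"


def process_log(lines, limiter: SourceRateLimiter):
    """Feed log lines through the limiter; return offending IPs in first-seen order."""
    offenders = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        now = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp()
        if limiter.record(m["ip"], m["qtype"], now) and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders


# Constructed sample log (not a real capture): two ordinary clients and one
# spoofed source sending 25 ANY queries for a large zone within 25 seconds.
SAMPLE_LOG = [
    "19-Jan-2016 02:01:00.100 client 198.51.100.7#51234: query: www.opennic.org IN A +E (192.0.2.1)",
    "19-Jan-2016 02:01:00.200 client 2001:db8::10#40001: query: opennic.org IN TXT +E (192.0.2.1)",
] + [
    f"19-Jan-2016 02:01:{i:02d}.000 client 203.0.113.5#{3000 + i}: query: isc.org IN ANY +E (192.0.2.1)"
    for i in range(25)
]

if __name__ == "__main__":
    limiter = SourceRateLimiter()
    for ip in process_log(SAMPLE_LOG, limiter):
        print(firewall_rule(ip))
    print(f"{len(limiter.table)} sources tracked in about {limiter.approx_bytes()} bytes")
```

Each tracked source costs one short string and a two-slot object, so even a table of a hundred thousand active sources stays in the tens of megabytes, and `expire()` keeps idle sources from accumulating. The caveat a practitioner would raise: in an amplification attack the source address is spoofed to be the victim, so a per-source block punishes the victim rather than the attacker; limiting responses rather than blocking sources (as BIND's built-in response rate limiting does) is the gentler tool, and the per-source table is more useful for spotting a single misbehaving resolver than for stopping a reflection flood.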