I have been writing about ways of dealing with web-based malware threats: my last blog focused on DNS blacklists. The basic idea is sound; but not in all cases. Roaming users, home users or simply smaller organizations that don’t host their own local DNS would all be left out in the cold. Most IT professionals look for DNS-layer …
The Norton DNS service looks like a nice idea, plugging the XSS gap that most users are blissfully unaware of. I wonder why ISPs don't do this by default, or do they?
Quite how long notorious money-grabbers Norton will keep it free is another matter...
Their Android app doesn't seem to be live yet either.
ISP Filtering ?
Do you really want your ISP messing with your traffic any more than they already do ?
Just give me a big dumb pipe and leave it at that, i can soft the rest out without "opting out" of anything !
Its a short step from filtering malware and phishing to general spam and then on to illegal material, unliscenced media, "extreme pornography" etc.
Poisoned Article on TheRegister?
I've always used AVG, Winpatrol and Spybot and i've never had a problem.
Has anyone else noticed a problem with trying to access this Register article from yesterday? http://www.theregister.co.uk/2010/08/17/apple_sql_attack/
AVG seems to think theres an exploit link on there (Type 1526, whatever that is)
And the link links to a Google search that is a cache of the infected Apple web pages.
The register link is not dangerous but the links on the search that it leads to link to bad stuff. If I remember rightly AVG follows links nowadays so probably that (another reason I no longer use it.)
Thanks for the speedy reply
Google Public DNS...
... is prominent by it's absence... is it over privacy fears?
It's a very useful service, nevertheless.
@rahul re: Google DNS.
I have gotten a few e-mails on the subject of Google DNS. I will post into the comments what has been my cut-and-paste response so far:
Google’s DNS is relatively new. And it’s Google; privacy concerns abound when anything involves them. (Do no evil my ASCII.) Even putting the tinfoil hat aside, Google DNS is a completely different animal than all the rest. With OpenDNS or DNS Advantage you get some pretty decent control over what the DNS presented you looks like, from companies that specialise in the field. They have every reason to work together with everyone else to make their DNS the best it can possibly be. With Symantec, you have the results of all of Symantec’s various security arms as well as their crowdsourced and human-vetted site listing rolled out into a DNS source. If there is any one malware list I can trust pretty absolutely to be accurate, it’s Symantec. Similarly, malwaredomains.com has made a name for itself in the field and deserves respect and trust.
With Google, you get what the algorithm provides or “the competition is just a click away!” I am still trying to gather information about exactly where they get their malware lists, what level of trust to put into their DNS service, and trailing it on a few networks. So far I have had quite a few legitimate sites blocked with GoogleDNS including updates for my anti-malware application!
When I do talk about GoogleDNS, it will be after much through research so that I can do my best to put aside any prejudices or fears I might have about the gigantic goliath that has bought the Internet and focus solely on the technology. Then, given the mammoth size of the organisation backing the project, it will get an article all its own. At the moment however, I have many concerns regarding Google DNS and can’t actually recommend it to anyone just yet.
Is clear cloud any good?
Is Clear Cloud any good? (http://www.clearclouddns.com/)
I use Google DNS at the moment, and to be honest don't notice any real difference in speed/increased security over the ISP one
@Vanburen re: clearcloud
I have absolutely no idea; never heard of it until jsut now. Time to find out...
"Searching about for an alternative, I discovered a great one from an unexpected source. Apparently Symantec is going into the DNS business: it is in beta with a service called Norton DNS. Norton DNS uses Symantec’s exhaustive Safe Web database."
Is keeping up with a blacklist hosts file
Really that much? How difficult is it to distribute. Granted, they are getting quite lengthy.
Mine is over 16,000 lines. Updated monthly from MVPS.org. Use HostsXpert to manage and Homer to speed things up. Trivial to do. But are the malware sites that are the subject of the original post included in the MVPS blacklist?
Did you cover a "DNS proxy"?
I think that's the term for software that can run on your own PC to receive DNS requests and, uh, do things.
I think the idea is that your application software thinks that 127.0.0.1 is the name server(?), but what actually happens is more sophisticated - although names that may be granted will be taken from your ISP's "real" DNS.
Now you may then have difficulty with such as "www.Find Therapist.org" or "www.Power Gen Italia.com" ...
The widget that Norton DNS installs on your system would qualify. The proper term must have escaped me while writing the article. Thanks for the catch!
For the article, I have been using OpenDNS for years now and have found it to be fit for my purpose at home but its good to be aware of alternatives. I too despise anything Symantec these days but will take a lok at thier beta, so thanks.
Easy alternative for Linux users
I use Linux and made my own very simple system that works well for me, I symlinked the hosts file from /etc to my home folder and made a simple script the downloads the bad hosts file from http://hosts-file.net/ .
That removes my symlinked file once a month and copies it as my symlinked hosts file, a separate cron job downloads and appends the regularly updated partial hosts file to it every couple of days first removing the whole file then copying the hosts.txt file as hosts and appending the new partial list.
Its simple and easy to do and I have had no problems with it so far.
On a side note on my dual boot desktop (needed for CS5) I mount the windows partition automatically and the same script has a little extra to append to the Windows 7 hosts file
By the way, (performance)
Speaking as a database programmer, using a plain text hosts file to store a LOT of "this is a bad web site" records feels like it should be a drag on system performance. You want something that's indexed, yo.
On the other hand, you could have no DNS at all for applications, and load a few parts of the Internet that you really use into a very small whitelist in hosts. Every web page on Earth is now in Google cache, it's all that you need [this is not actually true].
But all of this only protects you against villains who can't say what will be next week's villainy's IP address - otherwise they can just use that, unless you stop it some other way... wait, can you look up the name on DNS when you have an IP address? Clearly, setting this up one time for e-mail routing was so traumatic (and, yes, basic) that I have erased the memory.
hosts file is quick to parse
On any modern system a hosts file is very quick to parse, Indexing via a database (speaking as a web systems nerd) would use more systems resources not less on an average system.
It works for me anyway, I also run Nginx on my local system for various reasons and this means I can see when sites serve ads from dodgy sources, even you tube - http://i38.tinypic.com/j7uw3n.png .
In short no one method can protect you but by using a combination of blockers, plugins like noscript and good anti-virus and firewall protection alongside best user practices (educate your friends!) such as not running as administrator most of the time you can mitigate most attack vectors.
Unfortunately all of these offerings represent opportunity for censorship and there is little or nothing to prevent that power being abused. They can classify anything, however they like, according to arbitrary and often harmful criteria and there is no effective means of redress.
That's not true.
First off, if you take a look at the OpenVPN or UltraDNS full-on enterprise setups, they offer some really granular control over what will or won't be banned. They also offer both custom white and blacklists so that you can ban or unban websites as you feel is appropriate.
NortonDNS is young, but will most likely offer similar features; they are a commercial entity after all, and can't go around arbitrarily banning things without the ability to unban selectively or no one will buy their product.
Malwaredomains.com offers you a flat list of domains. What you choose to do with it is up to you; you can write a script that removes domains of your choice from that list. All of these organisations offer methodologies to have your domain removed from the list if you can prove you aren’t offering up Malware.
So it’s a form of VOLUNTARY censorship then. You can choose what you do and don’t want to be able to access through each of these methods, none of which you are forced to use in the first place.
Now, GoogleDNS on the other hand offers no such features. It simply is, and you either trust Google to know best, or you don’t. You don’t have to use GoogleDNS, but simultainiously you cannot customise what it delivers you. THERE lies your gaping hole through which true censorship might creep, and the big reason that it GoogleDNS didn’t make it into this article.
There is I think a distinct difference from the kind of censorship you are worried about, “they can just ban a domain and there’s nothing you can do about it if you use their service” (GoogleDNS) and the voluntary censorship offered by the services discussed in the article. Furthermore, it should be noted that each of these services publishes a list of which new domains are added on a regular basis such that you can identify any you wish to whitelist and do so.
For all of the above reasons, I don’t think you can wave the censorship banner at any of the services mentioned in the article.