Telstra is preparing to get proactive with malware, announcing that it will be implementing a DNS-based blocker to prevent customer systems from contacting known command-and-control servers. The "malware suppression" tool will be introduced at no cost for fixed, mobile and NBN customers using domestic broadband and Telstra …
Probably on balance a good thing
...but not without some expected collateral damage.
using the Telstra DNS servers ages ago, after I installed Comodo Dragon, Comodo's variant of Chrome. It gives you the option to use their SecureDNS service in order to help filter out dodgy websites.
Very soon I shall be ditching their service altogether and going with someone more reliable.
Telstra is not big enough to block ...
... coffee & cats.
(That's an inside joke, for those not in the know.)
You do realize we're all in trouble now, no?
I expect at least a quarter of your readers immediately tried to surf to qwe54fggty.dyndns.biz, creating an extremely suspicious spike in activity.
Re: You do realize we're all in trouble now, no?
Come, come now Terry!
99.9% of El Reg readers are not silly, and it's so rude to even suggest such a thing!!
Have a 'Word' with this man Vulture 1, he's falling out of the nest.
... a firm based in the United States.
Which means, of course, that Oz is inviting the NSA into their networks.
Re: ... a firm based in the United States.
Who are you kidding? They pwn down under. Aussie is in bed with them spooks.
So... just use public DNS instead of ISP-provided ones...
I just want to point out that a DNS blocklist as described (and though I do work for Telstra, I have no direct visibility of what's happening here) won't block sites that share an IP address with a C&C site.
As described the "filter" looks for the DNS query to badguy.domain.com and either blocks or ignores those queries. So when you look up "goodguy.mysite.com" it won't match the bad site DNS name, and your query (and connection attempt) proceeds.
I'm not a fan of filtering/blocking etc; be it whitelisting, blacklisting, or using a black box list of "stuff someone claimed was bad". But let's argue about the right stuff :)
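The limitation this comment describes, as an added illustration rather than anything from the thread or from Telstra: a resolver-side filter that matches only the queried name, alongside the check it lacks. The blocklist, zone data, sinkhole address and query log are all constructed for the example.

```python
"""Simulate a name-based DNS blocklist of the kind the comment describes.

Constructed example: blocklist, zone answers and query log are made up for
illustration and are not Telstra's or anyone else's real data.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed blocklist of known C&C hostnames (constructed).
CNC_BLOCKLIST = {"badguy.domain.com"}

# Assumed authoritative answers. badguy.domain.com and goodguy.mysite.com
# share one IP, the exact case the comment raises (constructed).
ZONE = {
    "badguy.domain.com": "198.51.100.7",
    "goodguy.mysite.com": "198.51.100.7",
    "www.example.com": "93.184.216.34",
}
SINKHOLE_IP = "192.0.2.1"  # documentation range, stands in for the ISP sinkhole

@dataclass
class Decision:
    qname: str
    action: str            # "blocked", "resolved" or "nxdomain"
    answer: Optional[str]  # IP handed back, or None

def resolve(qname: str, mode: str = "block") -> Decision:
    """Name-based filter: looks only at the queried name, never the answer IP.
    mode="block" answers with a sinkhole; mode="ignore" drops the query
    (modelled as NXDOMAIN). These are the two behaviours the comment lists."""
    name = qname.rstrip(".").lower()
    if name in CNC_BLOCKLIST:
        return Decision(name, "blocked", SINKHOLE_IP if mode == "block" else None)
    if name in ZONE:
        return Decision(name, "resolved", ZONE[name])
    return Decision(name, "nxdomain", None)

def shares_blocked_ip(d: Decision) -> bool:
    """Detection-side check the name filter does not perform: does the
    returned address also serve a blocklisted name?"""
    blocked_ips = {ZONE[n] for n in CNC_BLOCKLIST if n in ZONE}
    return d.action == "resolved" and d.answer in blocked_ips

# Constructed query log, one "client qname" pair per line.
QUERY_LOG = ["10.0.0.5 badguy.domain.com", "10.0.0.5 goodguy.mysite.com",
             "10.0.0.9 www.example.com"]

def run_log(lines):
    """Apply the filter to each log line; flag answers that share a C&C IP."""
    out = []
    for line in lines:
        client, qname = line.split()
        d = resolve(qname)
        out.append((client, d.action, d.answer, shares_blocked_ip(d)))
    return out
```

Running `run_log(QUERY_LOG)` shows the second query resolving normally to the same address the first query was sinkholed for, which is the gap a name-only blocklist leaves.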
This might be pretty effec... oh.
This might be effective for about 30 seconds. Media releases like this just let the malware writers know what happened when a big chunk of their botnet goes quiet.
In this case they will just modify their code to query a different DNS server and bam, back on line.
Re: This might be pretty effec... oh.
bam, back on line
Temporarily. The bad guy's new DNS will start receiving a lot of suspicious traffic, at which point Telstra sends the new DNS details to ??? in California, who reply that yes the new DNS is bad, and Telstra blocks the new one.
The important question is: how quickly will each new bad DNS be identified and blocked?
Telstra's DNS is Already Broken
Telstra already redirects DNS queries for non-existent domains to some advertising page in violation of DNS specs. You can opt out of this behaviour by manually configuring a different Telstra DNS server. Sadly this service has a high rate of false negatives which is probably also in violation of specs. It will occasionally tell me that sites like google.com or even theregister.co.uk don't exist ... until I push reload. I'm sure their new blocking rules will only make their DNS service even more reliable.