As a former malware researcher: no, this is not an ideal solution. Yes, we don't have anything better (well, there is the Google Safe Browsing list which most of the major browsers use).  And, yes, it is a widely used method and it's effective.

Attila

On Tue, Apr 23, 2024 at 9:34 AM Daniel Stirnimann via swinog - swinog at lists.swinog.ch <swinog_at_lists_swinog_ch_tpveugmui@simplelogin.co> wrote:
>> Yes, I understand the technical issues. And yes it's ugly. But do you have a better solution?
>
> Swisscom should stop tampering with DNS, as it does not work, and is no solution to the problem.

I disagree, Swisscom still misses a lot of phishing and malware
websites. I would like them to be way more aggressive. Their support
staff has to deal with calls from infected customers. They might as well
try as well as possible to prevent it from happening in the first place.
If you belong to the <0.1% of people who want unfiltered DNS, just run
your own recursive resolver.

> Part of the problem is that the user doesn’t get an error message at all, and then mails us „hey, your website is down“.

Eventually, web browsers will show better responses for non-resolvable
domain names, e.g. by utilizing Extended DNS Errors (RFC 8914).

EDE has code points for filtered or blocked DNS responses. Until web
browsers care more about DNS, I advise being as verbose as possible when
you block something.

For example, make the DNS output more verbose so that at least
administrators realize why a domain name is blocked. Swisscom could have
used a CNAME in the answer section to blocked.swisscom.com and they
could also add an additional section with a SOA indicating the origin of
the blocking. The RNAME field could be their report false positive email
address and so on.

Daniel
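As an added illustration of the verbose blocking response described above (example code, not from the thread, Swisscom or any resolver product), here is a small pure-Python builder and parser: the response carries a CNAME to blocked.swisscom.com in the answer section, an SOA whose RNAME is a false-positive contact in the authority section, and an EDNS0 OPT record with an RFC 8914 Extended DNS Error; the parser then extracts those three pieces the way an administrator's tooling could. The queried name, the SOA contact and timers, the EDE text and the message ID are constructed placeholders.

```python
import struct
EDE_OPTION_CODE = 15                                         # EDNS option code for EDE (RFC 8914)
EDE_NAMES = {15: "Blocked", 16: "Censored", 17: "Filtered"}  # EDE info-codes used for filtered answers
def encode_name(name):  # dotted name -> uncompressed DNS wire labels
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split(".")) + b"\x00"
def rr(name, rtype, rdata, rclass=1, ttl=60):  # one wire-format resource record, name already encoded
    return name + struct.pack(">HHIH", rtype, rclass, ttl, len(rdata)) + rdata
def build_blocked_response(qname, block_page, soa_rname, ede_code, ede_text):
    """Response for a filtered name: CNAME to the block page, SOA whose RNAME is the
    false-positive contact, and an OPT record carrying the EDE. All values are constructed."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 1, 1)  # QR+RD+RA, NOERROR, one RR per section
    question = encode_name(qname) + struct.pack(">HH", 1, 1)     # QTYPE A, QCLASS IN
    answer = rr(encode_name(qname), 5, encode_name(block_page))  # CNAME to the block page
    soa = encode_name("ns1." + block_page) + encode_name(soa_rname) + struct.pack(">IIIII", 1, 3600, 600, 86400, 60)
    ede = struct.pack(">H", ede_code) + ede_text.encode()        # INFO-CODE + EXTRA-TEXT
    opt = rr(b"\x00", 41, struct.pack(">HH", EDE_OPTION_CODE, len(ede)) + ede, rclass=1232, ttl=0)
    return header + question + answer + rr(encode_name(block_page), 6, soa) + opt
def read_name(msg, off):  # returns (name, next_offset); follows RFC 1035 compression pointers
    labels, end = [], None
    while msg[off]:
        if msg[off] >= 0xC0:                                     # two-byte pointer into the message
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels) + ".", (end or off + 1)
def explain_block(msg):  # collect CNAME target, SOA RNAME and EDE so an admin can see why a name was blocked
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off, report = 12, {}
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                         # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):                                # answer, authority, additional sections
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        if rtype == 5:                                           # CNAME
            report["cname"] = read_name(msg, start)[0]
        elif rtype == 6:                                         # SOA: MNAME then RNAME
            report["soa_rname"] = read_name(msg, read_name(msg, start)[1])[0]
        elif rtype == 41:                                        # OPT: walk the EDNS options
            p = start
            while p + 4 <= off:
                code, olen = struct.unpack(">HH", msg[p:p + 4])
                if code == EDE_OPTION_CODE:
                    info = struct.unpack(">H", msg[p + 4:p + 6])[0]
                    report["ede"] = (info, EDE_NAMES.get(info, "Other"), msg[p + 6:p + 4 + olen].decode())
                p += 4 + olen
    return report
```

The RNAME follows the SOA convention of writing the contact address with the first dot in place of the @, so a resolver operator's false-positive mailbox is readable straight from dig output.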
