InfraDNS

From ConShell
Jump to: navigation, search

What is InfraDNS

Note: InfraDNS is just an idea at this point. Unless something changes, it will stay that way.

It aims to be a completely volunteer, community-driven DNS filtration service. We would provide forward resolution service to willing entities (enterprises, corporations, schools & universities, etc.)

DNS provides the distributed, global directory of hostname to ip address, it is relied upon by virtual every network and end-user connected to the Internet. InfraDNS works by accepting validated miscreant host and domain names and then filtering those names at the DNS level. Subsequently, subsribers the to the InfraDNS resolution service then benefit from that by avoiding all sorts of attacks and possible network security breaches.

For example, the InfraDNS service may likely prevent many of the following threats from reaching your network or computer(s):

  • Phishing (e-mail fraud)
  • Pharming
  • Spyware/Adware damage
  • Botnets
  • Fraudulent activity

How it works

To use InfraDNS, we need all subscribers to agree to a disclaimer to indemnify us in case of damages.

Th subscriber reviews the list of the InfraDNS resolvers and enters (one ore more of) these IP addresses into their DNS server settings (either on their computer or for a wider impact, on their networks' DNS resolvers).

Availability

As of October, 2006 InfraDNS is in the process of coming online. I hope to have the rudimentary pieces in places within the next 90 days. The domain names (infradns.net and infradns.org) have been registered and this page has been setup. The next steps are to provision DNS resolution servers (at least two) and setup the web interface to provide an input mechanism to the filter set. Also need a way for contributors to sign up and possibly validated.

Participation

If you would like to contribute to the project please consider any or all of the following needs.

Servers

  • We need hosted servers (VPS fine) and bandwidth in multiple geographic locations
    • U.S. East coast near New York & Atlanta
    • U.S. West coast near LA or Santa Clara and Seattle/Portland
  • Europe
  • Asia & Pacific Rim
  • Africa
  • South America

Note: good news is that DNS is not usually bandwidth intensive.

Contributors

We also need the assistance folks who are willing and able to:

  • editors to submit malicious domain names (with short explanations) to the service and remove listings as necessary (in case of false positives)
  • security practicioners willing to provide audits (penetration and vulnerability assessments)
  • system administrators to help with upgrades, off-site backups and monitoring of the resolution service
  • programmers familiar with perl and/or python and sql (MySQL) to write data load and extraction utilties.

Funding

Corporate sponsors willing to donate funds to support build out of the infrastructure components, pay for accounting services and the like. Obtaining non-profit status for InfraDNS is on the TODO list.

All project participants and sponsors will be duly recognized as such on the InfraDNS website.


Q & A

Q. How is different from OpenDNS?

  • Similar in spirit, but OpenDNS offers type-correction and is a for-profit service.

Q. How is this different from Sitefinder?

  • Sitefinder was a typo-correction "service" provided by VeriSign back in 2003. It was a non-voluntary DNS redirection created by the inclusion of a "wildcard" DNS record in the .com and .net zones. For about two-weeks the redirection service caused a huge amount of controversy and technical problems on the Internet, reinforcing much of the negative perception of Verisign that it already had. InfraDNS DOES NOT and WILL NOT attempt to correct typos or do any kind of redirection. InfraDNS does not profit from "wildcard" DNS redirection. While InfraDNS may reserve the right to use wildcard records, it will be necessitated by the perpetrator (by using multiple or random subdomains below a particular label). In any case, wildcards or not, the DNS records returned for a filtered name will also fall into the 127.0.0.x range which precludes any sort of redirection or hijacking.

Q. Is this service reliable?

  • TBD, but will have nagios running to monitor availability at all times. Others are invited to monitor availability as well, just as long as it is not abuseful.

Related