new category: block top level domains by country.

Comments

23 comments

  • rotblitz

    "why can't OpenDNS?"

    Can't it?  It can!

    See https://support.opendns.com/entries/26514730-Web-Content-Filtering-and-Security 
    OpenDNS can block all Top-Level-Domains (TLDs) except .com. Entering a TLD such as net, cn, ru, and so on, will block all sub-domains that end with that TLD name.
    (I have corrected the bugs here.)

    Or https://support.opendns.com/entries/22292760-Blocking-all-CN-traffic

    "as in .co.uk or .co.ru or .co.jp etc."

    Yep, so add co.uk, co.ru or co.jp to your "always block" list.  Works fine...

  • nmcsafety

    I'm trying to add .ru to my block list but it is not working, the box just flashes with a red line around it, there is no message about what is wrong.  How do I block all .ru requests?

  • mattwilson9090

    Did you try adding it as .ru or ru? I just successfully added it as ru

    The only time you need to add a . in entering a domain name is if you are adding a subdomain, such as google.ru

    In that case the . is a part of the domain name, but if it's just a TLD like ru the . is not actually a part of the domain name.

  • nmcsafety

    I tried both and neither worked.  I opened a support ticket and was told that this is currently a bug.  They were able to add it manually for now.

  • howard-

    1,000 new TLDs have been added in 2015 according to http://www.newtldlist.com/ I'd like to block them all without adding them one at a time. In fact, I'd like to block EVERYTHING *EXCEPT* a handful of TLDs like .com, .net, .org, .gov and maybe .mil. In other words, I'd like to create a whitelist because it's easier for me to administer.

  • mattwilson9090

    A paid OpenDNS product (OpenDNS VIP https://www.opendns.com/home-internet-security/) offers a whitelist only option, in addition to many other features of their paid products. Like the free home product it does have a limited number of slots for whitelist and blacklist, but with the paid product you get more of them. Since your purpose is to block all but a handful of TLDs you would probably have enough to do that. Note this whitelisting is only for domains, it does not allow whitelisting of OpenDNS categories.

    I don't see this option being added to the free product since there is no functional difference between a TLD and any other domain name, so adding a whitelist only option for TLDs would also allow whitelist only mode for domains, and it appears that OpenDNS wants to keep whitelist only mode in the pay product.

  • mattwilson9090

    OpenDNS has a whitelist only mode in their OpenDNS VIP product (https://www.opendns.com/home-internet-security/) that would allow you to do this. In addition to whitelist only you'd get additional features that are included with their paid products and an increased number of entries for whitelist and blacklist. If this is the only thing you want to do this should be sufficient for your purposes. Note, this whitelist only mode only applies to specific domains, it does not allow you to whitelist entire categories.

    I don't see this feature being added to the free home product since there is no functional (or DNS) difference between a TLD and any other domain name, and it's pretty obvious that OpenDNS wants to keep whitelist only in one of their paid products.

  • philcolbourn

    A list of country and other TLD would be good to allow/block.

    Categories of these based on country national language(s) could be created based on web site character sets to simplify blocking.

    eg. allow English sites

    block german, french, spanish - since my network only needs to access English domains then blocking non-english domains is a simple categorisation to apply and I suspect it could be done automatically.

  • mattwilson9090

    You can already block any TLD you want by just adding it to your blacklist. Why would it be necessary to create a new "category" for each TLD that won't really "contain" anything, other than everything that is already a subdomain of the TLD and thus can already be blocked in the blacklist? Do you have any idea how many TLDs there are? Do you really want to create that many new categories?

    How many of these language categories would you have created? One for every language in existence? There are literally thousands of languages spoken on this planet. Creating that many categories would just make the category list so large as to be useless.

    Or would you only have it done for languages that are the official languages of a country? What of countries that have no official language, such as the United States? What of countries that have multiple official languages, such as Switzerland.

    Why do you suspect this "simple" categorization could be done automatically? What about websites that deliberately contain content from multiple languages? What about OpenDNS' multiple statements that they will not categorize domains automatically? Doesn't this fly in the face of that?

  • philcolbourn

    @mattwilson9090,

    1) Yes, but there are limits on how many entries can be added to 'always block' list. In my case it is 25. You pointed this out in an earlier comment and you are aware of these limits and that it is unlikely that OP would be able to implement what they wanted in 'always block' list.

    2) What about a separate configuration page for country domains? It would contain about 250 entries if each country was listed. But I think you have missed this point: with limited ability to add domains to a blacklist, you can not establish a whitelist of countries that you want to allow and blacklist all others - there are not enough allowed entries to do this.

    3) Here I think you are not being helpful and instead are trying to score a point. You could have stated how many TLDs there are and then argue that there are too many. There are about 250 country TLDs. In total there are about 1000 non-country code TLDs by my counting (and Howard-). There are many other TLDs and I take your implied point that there are too many, and considering that this list is going to grow, that this idea is not practical. But it is also simple to implement a page to do this if a user wishes to. So why not? I suspect these domains end up being categorised, but categorisations are subject to change whereas explicit black or white listing is static.

    4) Country code categories would be straight forward for OpenDNS to implement since it is a standard and the community would not need to manage it. There could be a way to simplify this by grouping countries by language (as I suggested) or by region, or some other way. The community could also be used to do this categorisation if automation is not trusted or desired.

    5) I'm not talking about spoken languages, but written ones, and then only those that are detectable by looking at the character set being used on web sites (UNICODE and Punycode for DNs). How many languages does OpenDNS support? (I can't find any info on OpenDNS language support) Perhaps just a list of those languages is enough?

    6) If it is not possible to automatically detect language then don't. But if it is, why not? Web pages can contain attributes specifying language (for a page) and if multiple languages are supported this is sometimes done via a different domain names.

    7) I have explained why I think it can be done. Perhaps you can provide a link to OpenDNS statements about categorising domains? OpenDNS does automatically filter domains and phishing domains, so they are not against automation.

  • rotblitz

    "there are limits on how many entries can be added to 'always block' list. In my case it is 25."

    With OpenDNS VIP it is 50.

    "you can not establish a whitelist of countries that you want to allow and blacklist all others"

    You can - easily!  You go for OpenDNS VIP, enable the whitelist-only mode, and add the few TLDs you want to allow to the whitelist.  50 should be sufficient, right?

    "If it is not possible to automatically detect language then don't."

    OpenDNS has nothing to do with websites and their languages.  A DNS service deals with domain names only.

    "Perhaps you can provide a link to OpenDNS statements about categorising domains?"

    Here you go: https://community.opendns.com/domaintagging/faq/

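As an added example, not OpenDNS code and not posted by any commenter, the following Python models the two behaviours discussed in this thread: "always block" entries such as ru, cn or co.uk that block every name under that suffix (rotblitz's first reply, and the ru versus .ru exchange), and the whitelist-only mode of the VIP product that allows only listed suffixes and blocks everything else. Entries are normalised the way mattwilson9090 describes (a leading dot on a bare TLD is ignored). The 25/50 entry limits come from this thread; enforcing them in the class, and all sample names, are this example's own assumptions.

```python
"""Label-aware TLD / public-suffix policy for a DNS block list (added example).

Models two behaviours from the OpenDNS thread:
  * block-list mode: every name under a listed suffix is blocked;
  * whitelist-only mode: only names under a listed suffix are allowed.
The entry limit (25 free, 50 VIP, per the thread) is enforced here only to
illustrate the constraint; a real service enforces it server-side.
"""
from typing import Iterable


def normalize(name: str) -> str:
    """Lower-case and strip whitespace plus leading/trailing dots.

    'ru', '.ru' and 'RU.' all become 'ru'; a trailing dot (FQDN form) is
    removed so 'example.ru.' compares equal to 'example.ru'.
    """
    return name.strip().lower().strip(".")


def labels(name: str) -> list:
    n = normalize(name)
    return n.split(".") if n else []


def under_suffix(qname: str, suffix: str) -> bool:
    """True if qname equals suffix or ends with '.' + suffix on a label boundary.

    'ru' matches 'mail.ru' and 'ru', but not 'guru.com' (a plain endswith()
    would get that wrong) and not 'ru.example.com' (wrong end of the name).
    Multi-label suffixes such as 'co.uk' work the same way.
    """
    q, s = labels(qname), labels(suffix)
    if not s or len(q) < len(s):
        return False
    return q[-len(s):] == s


class TldPolicy:
    def __init__(self, entries: Iterable[str], whitelist_only: bool = False,
                 max_entries: int = 25):
        ents = [e for e in (normalize(x) for x in entries) if e]
        if len(ents) > max_entries:  # assumed limit, see module docstring
            raise ValueError(f"{len(ents)} entries exceeds the list limit of {max_entries}")
        self.entries = ents
        self.whitelist_only = whitelist_only

    def decision(self, qname: str) -> str:
        """Return 'block' or 'allow' for one queried name."""
        listed = any(under_suffix(qname, e) for e in self.entries)
        if self.whitelist_only:
            return "allow" if listed else "block"
        return "block" if listed else "allow"

    def evaluate(self, qnames: Iterable[str]) -> dict:
        return {normalize(q): self.decision(q) for q in qnames}


if __name__ == "__main__":
    # Constructed sample queries; not real traffic.
    block = TldPolicy(["ru", ".cn", "co.uk"])
    print(block.evaluate(["mail.ru", "guru.com", "ru.example.com", "www.bbc.co.uk", "example.cn."]))
    allow = TldPolicy(["com", "net", "org", "gov", "mil"], whitelist_only=True, max_entries=50)
    print(allow.evaluate(["example.com", "example.xyz", "login.example.win"]))
```

The point of `under_suffix` is the label boundary: a plain string suffix test on "ru" would also block guru.com, and without normalisation a query arriving in FQDN form ("example.ru.") would slip past an entry written as "ru". Whitelist-only mode is the harder one to operate, because a site's CDN and CNAME-target domains must be on the list too, not only the TLDs you recognise.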
  • rotblitz

    "OpenDNS does automatically filter domains and phishing domains, so they are not against automation."

    You're totally in error here.  This is all human community effort, no automation involved.

  • philcolbourn

    What is this about then? https://labs.opendns.com/2014/10/16/detecting-pinyin-domains/

    "At OpenDNS our resolvers are flooded with massive amounts of Chinese domains on a daily basis, many of which security researchers are unfamiliar with. One of the projects our team was initially tasked with was to come up with a method to filter these Chinese domains out from the rest of the traffic in order to reduce the false positive rate for our classifier algorithms and to potentially detect IPs exhibiting spamming or search engine optimization (SEO) behavior."

    It mentions automatic classification.

    OpenDNS also offers Malware/Botnet Protection, Phishing Protection, and suspicious response protection - are these not forms of automatic classification?

  • rotblitz

    I see, you avoid to read anything but continue to ask already answered questions...
    It seems you're really a noob with all of this, especially with OpenDNS.  But we all were noobs some day...

    "What is this about then?"

    This is OpenDNS Labs, a different business area.  They're using this research and these findings in their Umbrella service/product for predictive security measures.  Umbrella is their Enterprise line of services.
    https://labs.opendns.com/about-us/
    You can get this level of malware/botnet protection with purchasing the Umbrella service.  https://www.opendns.com/enterprise-security/
    This is not included in any of their Home or free services.  They don't give such things away for free, of course.

    "OpenDNS also offers Malware/Botnet Protection, Phishing Protection, and suspicious response protection - are these not forms of automatic classification?"

    No, not really.

    • Malware/Botnet Protection
      At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit
      These are known domain names.  Conficker names are generated according to an algorithm, and IE 0-day exploits are reported by Microsoft and others.
    • Phishing protection
      This is pure human community effort, same as domain tagging.  Results come from https://www.phishtank.com/
    • Suspicious response protection
      This is a handful of static private IP address ranges, nothing with automation.

      When enabled, DNS responses containing IP addresses listed in RFC1918 will be filtered out. This helps to prevent DNS Rebinding attacks. For example, if badstuff.attacker.com points to 192.168.1.1, this option would filter out that response.
      The three blocks of IP addresses filtered in responses are:

      10.0.0.0     - 10.255.255.255  (10/8)
      172.16.0.0   - 172.31.255.255  (172.16/12)
      192.168.0.0  - 192.168.255.255 (192.168/16)

    Also, I do not understand why you now come up with "Malware/Botnet Protection, Phishing Protection, and suspicious response protection" which belong to the security area?  We were at blocking TLDs which is nothing about "protection" and security but some filtering you may be looking for.  No matter, neither of them are automatic in any way.  And I outlined the solution for this "idea".  It's not an idea, because it's already there, since forever.  You just need to use it if you want, in the way I described it.  It's your choice.

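As an added example, not OpenDNS code, of the suspicious-response filter described in the comment above: it drops A records whose address falls in the three RFC 1918 blocks, so an answer like badstuff.attacker.com pointing at 192.168.1.1 never reaches the client. The answer records are constructed for the example. The `extended` option, the unwrapping of IPv4-mapped IPv6 addresses and the extra loopback, link-local and ULA ranges are this example's own additions and go beyond the three blocks the comment lists.

```python
"""Drop DNS answers that point at internal addresses (added example).

Default behaviour matches the comment above: only 10/8, 172.16/12 and
192.168/16 are filtered. extended=True is an assumption of this example and
also drops loopback, link-local, 0/8 and the IPv6 equivalents.
"""
import ipaddress

# The three blocks the comment lists (RFC 1918).
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Additional ranges a stricter filter would drop (assumed, not OpenDNS behaviour).
EXTENDED_NETS = RFC1918_NETS + [ipaddress.ip_network(n) for n in
                                ("127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
                                 "::1/128", "fc00::/7", "fe80::/10")]

# Constructed answer section: (owner name, record type, rdata).
SAMPLE_ANSWERS = [
    ("badstuff.attacker.com", "A", "192.168.1.1"),
    ("www.example.com", "A", "93.184.216.34"),
    ("www.example.com", "CNAME", "cdn.example.net"),
    ("lan.attacker.com", "A", "10.20.30.40"),
]


def is_internal(addr: str, extended: bool = False) -> bool:
    """True if addr is an IP literal inside one of the filtered ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal (e.g. a CNAME target); leave it alone
    # ::ffff:192.168.1.1 is the same host as 192.168.1.1; compare the v4 part.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    nets = EXTENDED_NETS if extended else RFC1918_NETS
    return any(ip in n for n in nets if n.version == ip.version)


def filter_answers(answers, extended: bool = False):
    """Split an answer section into (kept, dropped) records.

    Only address records are inspected; CNAME, MX, TXT etc. pass through.
    """
    kept, dropped = [], []
    for rr in answers:
        _name, rtype, rdata = rr
        if rtype in ("A", "AAAA") and is_internal(rdata, extended):
            dropped.append(rr)
        else:
            kept.append(rr)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_answers(SAMPLE_ANSWERS)
    for rr in dropped:
        print("dropped:", rr)
    for rr in kept:
        print("kept:   ", rr)
```

With only the three RFC 1918 blocks, answers that point at 127.0.0.1, 169.254.x.x, 0.0.0.0 or IPv6 loopback and link-local still pass, and all of those work as rebinding targets against services bound to localhost; that is what the extended set covers. Filtering resolver answers is also only one layer: it does not stop an attacker who keeps the TTL short and later flips the record to a different public address, so the service behind the browser should still validate the Host header itself.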
  • philcolbourn

    With this sort of 'discussion', I'm turned off. Rather than work on pros and cons of an idea (that I was supporting) to see if there is a workable proposal, there is endless questions and now insults.

    I looked through that blog again - there is no mention that this is not used at OpenDNS, and Umbrella is not mentioned. With rotblitz's link, again no mention of umbrella (except in HTML source - perhaps I should have looked there).

    I must therefore be a 'noob' if I didn't work this out. No answer to my second question? 

  • mattwilson9090

    1) Yes, there is a limit to the number of domains you can have in the blacklist, you need to be selective. However very few people want to be as restrictive on internet access as you do. Instead of working with what you have, your solution is to add hundreds, perhaps thousands, of categories to the category list so that you can control everything that is seen on your network. With the large numbers of TLDs out there, most of which are not "harmful" you can do what you wish without needing so much for people to wade through. If you were concerned about, say, Chinese or Russian websites you can easily add .cn or .ru to your blacklist. Even then however many Chinese and Russian websites are going to use .com, .biz and other TLDs that the internet cannot work without.

    2) Why do we even need categories for each country. There are only a handful of country domains that cause problems, and some of them, such as ly, that are essentially used as "utility domains" that if blocked would make routinely used portions of the domain unusable. Block the ones by TLD that you are concerned about and move on. Whitelisting only is not available with the free OpenDNS Home product, if you want then you need OpenDNS VIP, but then you will spend a lot of time learning all of the non-obvious domains that you'll need to whitelist in order for things to work. I get the point, you want to highly restrict what is available on your network, and to do so you expect a massive redesign of what is for most people a free product. A redesign that very few will use, and will cause an overwhelming number of categories to work with, even if many of those categories are listed on a different page, which would cause even more confusion.

    3) I don't really care if you've decided I'm trying to be helpful or scoring points. You asked for category blocking by language. I responded to your suggestion for that. Blocking by language is separate from blocking by country, and I was pointing out the difficulties and confusion that such a course would take. It's also simple to block a TLD by adding it to the blacklist. Why create a page for "categories" that only correspond to TLDs when they are easily added to a blacklist, and that would need to be continually maintained. It might be easy to create, but the maintenance it would create, not to mention the confusion and support issues, is not as trivial as you have decided it will be.

    4) Again, why add so many categories when the only thing they have in common is being a TLD? It's not really a category at all, and would add so many categories as to be mind numbing to other users who don't want to be as restrictive as you want to be. Either add the ones you are concerned about to your blacklist, or get OpenDNS VIP and go to whitelist only mode. Grouping things by language (and again, there are literally thousands of languages in the world), region, or something else then leads to artificial categories that are not useful for categorization. I can block webmail by category because they have something in common, but if I block everything from Eurasia then I'd be blocking search engines, webmail, technology manufacturers, as well as porn and scam sites. It's like using a sledge hammer to swat a fly.

    5) So now you only want to limit this "categorization" to written languages? Even then nearly every language in existence has been transliterated into other alphabets. For instance it's the reason I can read a Japanese name or word on a website without having to display or read the Kanji characters. OpenDNS does not support any specific languages (though so far as I know their website is maintained only in English). Being DNS based it does not support languages, it supports DNS, which can support the UNICODE alphabet, but most websites, even Cyrillic or Vietnamese ones tend to use English characters for their domains rather than the "native" alphabet.

    6) What is the point of even trying to block by language? Or country? Let alone creating a category for each language or country? "Problem" websites do not have any language in common, that by blocking a specific language you'd block all problem domains, and not all languages use a common TLD, or even use the TLD of their "native" country. Many websites, of whatever language or country, problem or not, still use the most common domains, such as .com or .biz

    7) No, you have not explained why you think this can be done. You have explained that you wanted it, and stated it as "fact" that it can be done. I'm asking the how's and why's that you did not explain in your initial post in this and other threads. I do not have specific links to provide for you. I'm not an OpenDNS employee and do not track every single page that they create and revise. I am speaking based upon years of experience as an OpenDNS user and partner, and as someone with years of experience reading OpenDNS statements in this forum, press releases, blog posts etc. If you want that kind of information "directly from them" rather than the statements of someone with my experience you are welcome to google it yourself.

    As for what OpenDNS filters, even phishing domains, it is not done automatically. The phishing mechanism is a bit different than categorization, but it is not an automated process, humans are still involved and making decisions. However phishing is entirely different and not the same as the types (and numbers) of categories you are requesting for a free product.

  • mattwilson9090

    As for your comment about not liking this type of discussion. Where are the endless questions? You posted something, I responded to your comments with questions about what you posted, basically asking for explanations about your statements of "fact", or deeper explanations of what you wanted done, or what you wanted to accomplish. If that's endless then I have no idea what you expected, though it sounds like you didn't want any discussion aside from rainbows and puppies.

    As for insults, I didn't see any, but in today's society people often find offense in even casual conversation.

    As for the blog you refer to, that is an OpenDNS Labs blog. It is not the main DNS product page, and describes projects that they are working on. As with most blogs, it's basically a newsletter of things of current interest, it is not intended as a comprehensive explanation of what that research division does, or the uses that their results are intended for. Some of what they do, such as the limited phishing filtering available to OpenDNS Home, is filtered back into the free OpenDNS product, but most of it is general research used by the entire industry, or goes back into their Umbrella line of products. If you want to know more about OpenDNS Labs then read up on them, don't rely only on blog posts.

    And no, what you are talking about is not automatic classification or categorization that automatically sets things for OpenDNS Home. These are all tools that provide information that security researchers use in their research and the decisions that they make. The categorization system is completely manual, it is not an automated system. The same applies to the limited phishing protection available in OpenDNS Home, and any automation used is to provide information to the researchers making the decisions. That information goes far beyond deciding if a specific domain is porn, webmail, or anything else.

  • cobalt-phoenix

    "No answer to my second question?"

    I was locked out when posting it.  Now working with a different user ID for the time being.

    "OpenDNS also offers Malware/Botnet Protection, Phishing Protection, and suspicious response protection - are these not forms of automatic classification?"

    The long answer in brief: nothing of this is automatic.

    • Malware/Botnet: At this time, this feature blocks the Conficker virus and the Internet Explorer Zero Day Exploit - this is static and doesn't need additions/changes/deletions.
    • Phishing: this comes all from https://www.phishtank.com/ - a pure community effort like domain tagging.
    • Suspicious responses: This is for static private IP address ranges: 10/8, 172.16/12 and 192.168/16.  No additions/changes/deletions.

    "there is no mention that this is not used at OpenDNS"

    But it is also not mentioned that it is used at OpenDNS, right?  So you're just guessing and assuming...
    Be assured, it is not used in OpenDNS home versions, just in Umbrella.

  • dark.soul

    I would like us to simplify work effort and reduce our work load responding one at a time by putting blocks in for some top level domains.  We can do some analysis first to determine if there would be an impact.

    Right now I am interested in blocking:

    • .xyz  (7 events in FireEye)( 94 in ProofPoint last 1 week)
    • .space (0 events in FireEye)

    Several articles also reference these top level domains as being pretty much 100% Spam and Phishing.

    • .pw – this is the country of Palau, they sold their top level domain to a marketing company years ago that uses it to generate spam. (0 events in FireEye) ( 2 in ProofPoint last 1 week)
    • .faith (0 events in FireEye)
    • .website (0 events in FireEye) ( 5 in ProofPoint last 1 week)
    • .win (0 events in FireEye) ( 358 in ProofPoint last 1 week)
    • .racing (0 events in FireEye)
    • .review (0 events in FireEye)
    • .date(0 events in FireEye) ( 10 in ProofPoint last 1 week)

     The top level domains above and in BOLD are ones we do receive Spam and phishing from.  I ran Proofpoint reports and analyzed the email from those domains for the last 7 days.  Proofpoint is blocking about 90% of these emails, 10% are making it through ProofPoint and FireEye*.

     My analysis, and the Exchange Admin can confirm, is that these are currently 100% SPAM/Phish.  I recommend just blocking the top level domains and stop wasting processing time analyzing these emails with our tools and/or people.

    I also recommend that we block these at the network perimeter as well as there is currently no value in these top level domains for anyone but the criminals that use them.

    * Note FireEye is not a SPAM filter it specifically looks for APT and specific malicious software signatures and behavior.  If an email is a scam and not malicious software FireEye is not going to block it.

  • mattwilson9090

    @dark.soul Did you even read the preceding conversation? If not, it doesn't seem that your thread really is on topic. In fact, I can't even tell who this message is intended for. It sounds as if you are ordering someone to do something for you, but I can't tell who that someone is.

    Regardless, you already have the capability to block any TLD you like. Just add it to your blacklist.

  • cobalt-phoenix

    "The top level domains above and in BOLD are ones we do receive Spam and phishing from."

    But you know that OpenDNS is not a service offering e-mail junk filtering, don't you?  Recursive DNS is not involved in receiving e-mail at all, in no way.
    Same as mattwilson9090, I do not understand why you posted this here at all.  You may have it posted on Facebook and Twitter maybe...
