upvote

points

by nickweb11 hours ago |
comments
upvoteby iamnothere11 hours ago|
next
[-]
Relying on Google for this is actually not beneficial, as discussed here many times: https://hn.algolia.com/?q=Google+safe+browsing

If the registrar tracks this information, a possibly helpful course of action would be to notify or warn the domain owner that they are on the list.

In the modern adversarial web, I do not want a registrar that proactively disables my domain because of some third party report.

reply
upvoteby forgotaccount311 hours ago|
prev|
next
[-]
> The bigger problem is the unbanning

The was my first thought as well. Yes, using the Safe Browsing list feels wrong, but I don't know enough to speak definitively in that regards. However wouldn't a relatively simple solution be that if a registrar is choosing to use some third party's list of banned DNS entries that the registrar then also implement sufficient unblocked components that will allow people to be unbanned from that third party?

> Add a DNS TXT or a CNAME record.

I haven't had a use-case for a TXT record come up yet, but isn't it low risk enough to allow domain owners to continue to configure TXT records even if the registrar wants to ban configuring other record types? Then the person in the article could prove ownership and could then get off of the third party ban list that the registrar was utilizing.

reply
upvoteby ndriscoll9 hours ago|
parent|
next
[-]
DNS can be thought of as a distributed KV store with built in caching suitable for low write high read use cases, so TXT makes sense for that. e.g. basic feature flagging can be accomplished that way with basically no work to set it up assuming you were already using DNS.
reply
upvoteby basilikum10 hours ago|
parent|
prev|
next
[-]
The registry cannot ban individual record types. That is not how DNS works.

The registry only maintains a list of NameServers associated with the domain (and records for DNSSEC zone signing). Registries have nothing to do with regular records. They only record who defines those records.

reply
upvoteby roblabla10 hours ago|
parent|
prev|
[-]
There is _some amount_ of justification to ban TXT. There have been a few cases of C2 servers using DNS to send instructions to malware, so letting TXT slip through the cracks would still allow for that.

Now whether this downside justifies the massive problem it causes on false positives...

reply
upvoteby jerf10 hours ago|
parent|
next
[-]
TXT can't be banned. There are several RFCs that require TXT records, such as DKIM configuration, DMARC configuration, and it is extensively used for verification by things like AWS SES, Microsoft Office, and all kinds of things. It's built into many standards and used by all kinds of other entities for all kinds of perfectly legitimate things.
reply
upvoteby dathinab10 hours ago|
parent|
prev|
[-]
yes, but in that cases we are on the "this (should) involve a criminal investigation" level not on a "Google Safe Search" doesn't trust you level
reply
upvoteby dathinab10 hours ago|
prev|
[-]
they didn't "just" take down the site, they took down the whole domain

Even google safe search isn't blocking you site per-se, it just adds a very annoying "this site is not safe" dialog you can "somehow" bypass (but most people wont and don't know how).

Like if this where the main site of a company (which it very much could be) this would also have taken down mail, all APIs, all Apps relying on such APIs.

so no this is absurdly unreasonable actions

that they seem to neither know nor care that this makes it impossible to "fix" false positives with google isn't helpful put this in the area of high levels of negligence which can get you into a lot of trouble in the EU

reply