Slashdot: News for Nerds

Why Any Competing Whois Registry Model Is Doomed

Soulskill posted about 3 years ago | from the who-isn't dept.


CowboyRobot writes "In Paul Vixie's latest essay, he argues that the alternative to the Whois registry model is flawed and that we should be learning from the mistakes of the history of proposed alternatives to the DNS. 'Any proposal for a competing Whois registry model is as doomed by design and destiny as every alternative DNS system. Even if it succeeds at first, it would fail after copycatting occurred.'"


63 comments

why any competing frosty piss is doomed (-1)

Anonymous Coward | about 3 years ago | (#36834790)

because I got there first.

There can be only one (-1)

Anonymous Coward | about 3 years ago | (#36834816)

It had to be said

Re:There can be only one (3, Informative)

Smallpond (221300) | about 3 years ago | (#36836174)

It had to be said

No it didn't. Everything in the internet is designed to be distributed. There is no reason why you can't have multiple DNS trees. If one maps aaa.example.com to 192.168.0.1 and the other maps it to 192.222.0.1 nothing breaks. They are just different namespaces. Go ahead and yell and scream that every domain must map to one and only one IP but the truth is that it doesn't. The internet would still function, just differently than some people expect it to. Obviously if I want to follow a link on your web page then I need to follow it in your namespace, but that's an implementation detail.

ISPs already know that multiple namespaces don't break anything. Why do you think they're all cashing in on NXDOMAIN pages?

Many companies do split horizon DNS. Internal address lookups give different views than external ones, and sometimes the same domain has different addresses.

So if an alternate DNS shows up that returns the same results as the ICANN DNS except it doesn't block access to sites that the US Gov doesn't like, then what's the problem? And if it creates a new TLD and sells addresses for half the cost of the .com addresses, what's the problem with that? People using the legacy DNS won't see the blocked addresses or the new addresses, but nothing bad happens to them.

Re: There Can Be Only One! (1)

billstewart (78916) | about 3 years ago | (#36839300)

Yes, it did have to be said. That's what top-down hierarchical naming systems are for, and why they work, in spite of early arguments like Pike & Weinberger's The Hideous Name article on Plan9's locally-based namespace, and Peter Honeyman's pathalias work that made uucp bang-paths much more scalable back when we used those, and my general anarchist ranting about not wanting to let some bunch of bureaucrats decide what I'm going to call my computers. ISPs do mostly know that multiple namespaces break things - that's why NXDOMAIN pages only get used when there's No Such Domain, and the ISPs who do that usually implement it in a way that breaks applications other than http-port-80 and maybe smtp-port-25 and they don't care.

Another reason that you can't have multiple DNS trees is that DNS contains a mechanism for fixing that - if you've got your DNS tree with aaa.example.com and Eugene has his aaa.example.com, you can both be replaced by a very small shell script that turns yours into aaa.example.com.smallpond.altroots.net and his into aaa.example.com.kashpureff.altroots.net, and suddenly you've been assimilated and there's just one namespace again.

Users want namespaces that point them to the correct place, so that somebody can say "I'm at thisdomain.com" and anybody in the world can use it, and "users" includes both the owners of the name and people using that name to retrieve content. Otherwise we need to use namespace assimilation (if we want to keep DNS syntax) or start bang-pathing everything (if we'd rather use mixed syntaxes.)

None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)

Re: There Can Be Only One! (0)

Anonymous Coward | about 3 years ago | (#36840154)

None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)

Does the arena contain saltpeter, coal, bamboo, and diamonds? Do I have to tear my shirt open?

Re: There Can Be Only One! (1)

Smallpond (221300) | about 3 years ago | (#36844636)

Another reason that you can't have multiple DNS trees is that DNS contains a mechanism for fixing that - if you've got your DNS tree with aaa.example.com and Eugene has his aaa.example.com, you can both be replaced by a very small shell script that turns yours into aaa.example.com.smallpond.altroots.net and his into aaa.example.com.kashpureff.altroots.net, and suddenly you've been assimilated and there's just one namespace again.

This isn't a mechanism for "fixing" anything. It is a mechanism for demonstrating exactly what I said, that multiple DNS trees can coexist on the internet.

Users want namespaces that point them to the correct place, so that somebody can say "I'm at thisdomain.com" and anybody in the world can use it, and "users" includes both the owners of the name and people using that name to retrieve content.

The correct place? You've drunk the kool-aid. Maybe you also buy star names from the International Star Registry. Of course if I want anyone in the world to connect to my domain using the "One, True, Correct, Canonical Name" then that name has to be in every nameserver. Now please tell me how I get to the domains that have been pulled out of the ICANN database by the US government, even though they are registered and reside in other countries?

Otherwise we need to use namespace assimilation (if we want to keep DNS syntax) or start bang-pathing everything (if we'd rather use mixed syntaxes.)

None of that means that the DNS Root should be owned by ICANN, who are a conspiracy of lizard-like aliens here to steal our water and almost totally under the control of the Trademark Gods, but breaking that requires you to defeat them all in single combat. Good luck with that (and I say that in all sincerity, but you aren't going to succeed, because they've got way more money and clout than you're going to have.)

It does not require defeating them in single combat. I could walk around them through the alternate root door. However they are closing that off by pushing DNSSEC so that they can have absolute control of DNS.

bad math, fake science & history dooming us (-1)

Anonymous Coward | about 3 years ago | (#36834848)

no gadgets required

should it not be considered that the domestic threats to all of us/our
freedoms be intervened on/removed, so we wouldn't be compelled to hide our
sentiments, &/or the truth, about ANYTHING, including the origins of the
hymenology council, & their sacred mission? with nothing left to hide,
there'd be room for so much more genuine quantifiable progress?

you call this 'weather'? much of our land masses are going under
water, or burning up, as we fail to consider anything at all that really
matters, as we've been instructed that we must maintain our silence (our
last valid right?), to continue our 'safety' from... mounting terror.

meanwhile, back at the raunch; there are exceptions? the unmentionable
sociopath weapons peddlers are thriving in these times of worldwide
sufferance? the royals? our self appointed murderous neogod rulers? all
better than ok, thank..... us. their stipends/egos/disguises are secure,
so we'll all be ok/not killed by mistaken changes in the MANufactured
'weather', or being one of the unchosen 'too many' of us, etc...?

truth telling & disarming are the only mathematically & spiritually
correct options. read the teepeeleaks etchings. see you there?

diaperleaks group worldwide. thanks for your increasing awareness?

DNS DB (1)

alphatel (1450715) | about 3 years ago | (#36834880)

Unless it is a distributed DNS [torrentfreak.com] without some Gov/Icann/Corporate model.

Re:DNS DB (0)

Anonymous Coward | about 3 years ago | (#36835138)

Or Namecoin [wikipedia.org].

example.com.{torrentfreak,namecoin}.com (1)

billstewart (78916) | about 3 years ago | (#36839580)

There's certainly room in the Marketplace of Ideas for namespaces that work in ways other than hierarchies controlled by the Trademark Gods. Also, DNS is both a namespace and a delivery system for that namespace running on a distributed set of name servers - it's possible to run the delivery system of DNS in many different ways, and in fact we've seen a transition of most of the upper levels from conventionally-routed IP to anycast, and a wide range of different kinds of servers people use for their subdomains.

But DNS can still assimilate those namespaces into subdomains, so you end up with example.com.torrentfreak.com and 432423542345652423423deadbeef32142.namecoin.com and so on.

I don't follow (1, Troll)

Osgeld (1900440) | about 3 years ago | (#36834884)

is there really that big of a concern or is this just some essay for the sake of saying something and getting yet another "who?" name in a story

Re:I don't follow (1, Informative)

Anonymous Coward | about 3 years ago | (#36835018)

This 'who' actually built some credibility... http://en.wikipedia.org/wiki/Paul_Vixie

Re:I don't follow (4, Insightful)

eln (21727) | about 3 years ago | (#36835188)

It's not that big of a concern, and that's the real reason any alternate DNS system is doomed to fail. Vixie's concerns with copycatting and whatnot may be justified, but the simple fact is the current system isn't painful enough for most people, even most network admins, to go to the trouble to switch to something different. Hell, IPv6 has been a standard for 15 years, and hardly anyone uses it. Sure, we'll all switch eventually when the pain of staying with IPv4 is greater than the pain of switching to IPv6. Similarly, if the pain of staying with the current whois system ever gets great enough to contemplate switching, people will do so. I don't see that happening in the foreseeable future, though.

Re:I don't follow (3, Insightful)

bill_mcgonigle (4333) | about 3 years ago | (#36835980)

Hell, IPv6 has been a standard for 15 years, and hardly anyone uses it.

But we can't deploy standards, only implementations.

Windows 7, OSX Lion, and Fedora 16 [fedoraproject.org] will all handle IPv6 properly. Previous versions all have certain problems that need workarounds, and it's probably not worthwhile for most users if there are corner cases to worry about. And if you're not on an expensive commercial Internet pipe, you can't even get IPv6, except in limited trial locations for the big ISPs.

When Windows 7 is where Windows XP is now, people will move over. But, hey, we've reached a real milestone where now it's all possible, so, yay 2011.

Vixie is wrong. (2, Insightful)

Anonymous Coward | about 3 years ago | (#36834948)

Paul and I have been disagreeing about this sort of thing for decades now.

I cannot think of a single supporting example; success breeds copycats, in all times and all places.

OK, Vix: incorporate copycatting into the technical and economic model, then, instead of insisting that the current model is the only possible one. Solve a problem instead of institutionalizing it!

Think of where we'd be if we had insisted that DNS could never work, that we'd have to always use host tables, that the download capacity of the rs.internic.net system and the maximum file size of its filesystem was the limiting factor of the size of the internet.

Free your mind! We can distribute name services in more than one way - government & corporate bottlenecks and interceptions are not a 'feature', they are a bug.

Re:Vixie is wrong. (0, Insightful)

Anonymous Coward | about 3 years ago | (#36835036)

Who the fuck is Paul Vixie.
Who the fuck are you.

Re:Vixie is wrong. (0)

Anonymous Coward | about 3 years ago | (#36835832)

what, do you have another episode?

Re:Vixie is wrong. (2)

bzipitidoo (647217) | about 3 years ago | (#36836162)

I didn't find the article convincing either. Many assertions, few pieces of evidence. May as well argue that assigning driver license numbers to people can't possibly work unless a single controlling assigner keeps order.

Seems there's a lot of dogma in the thinking of how the Internet should be managed. For instance, we could make another Internet. Instantly double the number of IPv4 addresses, since every address could be used twice. We could find some bit somewhere that we can use to distinguish them, allowing communication between the 2 Internets. Does such a proposition sound like heresy? And if we could do that, why not use a whole byte, and make 256 Internets? Or, as another example, a scheme to provide infinitely many addresses is easy. Sure, IPv6 has a huge space, but it isn't infinite and I expect that we will find so many uses we will run out sooner than anyone believes possible. Wouldn't surprise me if IPv6 doesn't even make it to 2100. A very simple way is the way C handles strings. Reserve '0' to mean the end of an IP address (what a waste reserving that for broadcasting), then we could have 192.168.1.2.3.4.5.1. ... .0. But we didn't do it because we're so stuck on the notion that packet headers have to be fixed sizes.

We are being sold "address space" as THE reason to move to IPv6, and the other reasons are so seldom mentioned one should be excused for wondering why not just make a simple modification to IPv4? IPv6 allows much larger packets, and has a simpler, more streamlined header. A pity it has such a clunky human interface. I'm really not looking forward to changing from "ping 192.168.1.1" to something like "ping ff80:1::10a0:b1aa:b1aa".

Re:Vixie is wrong. (1)

Ksevio (865461) | about 3 years ago | (#36837580)

why not just make a simple modification to IPv4?

But there never could be a "simple" modification to IPv4. Any change in the address size would still require all routers and switches to be modified to accept it.

Re:Vixie is wrong. (1)

cowboy76Spain (815442) | about 3 years ago | (#36840976)

Seems there's a lot of dogma in the thinking of how the Internet should be managed. For instance, we could make another Internet. Instantly double the number of IPv4 addresses, since every address could be used twice. We could find some bit somewhere that we can use to distinguish them, allowing communication between the 2 Internets. Does such a proposition sound like heresy?

It sounds a lot more like fantasy / magic than like heresy. As in "assign the same IP to two NICs and hope that the packets reach the right host".

Re:Vixie is wrong. (0)

Anonymous Coward | about 3 years ago | (#36837524)

I don't understand what AC said but their credentials they listed above speak volumes over Mr. Vixie. I'm also sold on the 'Free your mind' thing.

Namecoin (4, Informative)

Anonymous Coward | about 3 years ago | (#36834952)

A distributed domain name system exists. Right now. Today.

http://en.wikipedia.org/wiki/Namecoin

tl;dr: Unique, arbitrary and distributed (3, Informative)

vivaoporto (1064484) | about 3 years ago | (#36835008)

Here is the tl;dr version for the ones that won't read TFA:

You can't have a distributed system that creates a unique and arbitrary resource without cooperation between the peers. Without communication among them there will be duplication. People that think it is possible are fools.

Re:tl;dr: Unique, arbitrary and distributed (0)

Anonymous Coward | about 3 years ago | (#36835488)

Namecoin works. It is distributed, but doesn't rely on cooperation, alone. It relies on a third ledger: the distributed table.

From http://dot-bit.org/Main_Page
What is Namecoin

Namecoin is a peer-to-peer generic name/value datastore system based on Bitcoin.

It allows you to:

Register and manage domains (.bit currently).
Exert full control over your domains (no possible external control!).
Trade and transact Namecoins, the digital currency NMC.

Re:tl;dr: Unique, arbitrary and distributed (1)

Anonymous Coward | about 3 years ago | (#36837320)

Yeah, but can I make money mining DNS entries with Namecoin. Cuz, if not, I'm not interested.

Re:tl;dr: Unique, arbitrary and distributed (0)

Anonymous Coward | about 3 years ago | (#36837856)

Namecoin *is* a currency. That's the whole point. It is a limited "thing" tied inextricably with its use within the DNS scheme.

Re:tl;dr: Unique, arbitrary and distributed (0)

Anonymous Coward | about 3 years ago | (#36835542)

I knew the whole thing was a non-argument when I saw that there was no attempt at putting the actual point of it into TFS.

Yes, there will be duplication. Just like with all other services where multiple groups compete.
So what?
It still works. Just look at e.g. mobile telephone networks. A simple per-provider prefix (or suffix) solves the whole thing.

He still failed to say why that would be bad.
Maybe he can't think far enough to think of a way to distinguish registration under different DNS providers at the user point. (After all, letting the user choose is the whole point. So the user can say he wants provider X to resolve it, and if that one can't, use provider Y as a fallback, etc.)
But that's him being the fool.

Re:tl;dr: Unique, arbitrary and distributed (1)

dabridgham (814799) | about 3 years ago | (#36837376)

PGP seems to be able to create unique keys without cooperation between the peers.

Re:tl;dr: Unique, arbitrary and distributed (1)

marka63 (1237718) | about 3 years ago | (#36842302)

No, PGP creates probabilistic unique keys. These are not the same thing as unique keys.

Re:tl;dr: Unique, arbitrary and distributed (1)

Sloppy (14984) | about 3 years ago | (#36847046)

PGP keys are ridiculously unlikely to collide.

But if you're using PGP for Internet email, then you're also "cooperating" with other PGP users when you rely on DNS's central authority to establish the domain name part of your email address, to build your overall PGP identity. That's the "key" (in the database sense) to the "key" (in the crypto sense).

Re:tl;dr: Unique, arbitrary and distributed (1)

RivenAleem (1590553) | about 3 years ago | (#36846506)

It's the Heisenberg Uncertainty Principle applied to domain name registration.

Vixie Cron (0, Flamebait)

BigHungryJoe (737554) | about 3 years ago | (#36835056)

Didn't Paul Vixie write cron? Well, if he did, then he has no credibility in my book, because cron is a flaming piece of shit.

Give me Microsoft Task Scheduler any day of the week, Paul Vixie.

"Vixie" doesn't even sound like his real name.

Re:Vixie Cron (-1)

Anonymous Coward | about 3 years ago | (#36835104)

Didn't Paul Vixie write cron? Well, if he did, then he has no credibility in my book, because cron is a flaming piece of shit.

Give me Microsoft Task Scheduler any day of the week, Paul Vixie.

"Vixie" doesn't even sound like his real name.

1/10. Try harder.

Re:Vixie Cron (-1)

Anonymous Coward | about 3 years ago | (#36835128)

You, Sir, probably are not grown-up enough to know that Paul Vixie is one of the fathers of BIND, the DNS server that runs 99% of the Internet's DNS structure. And cron is quite capable in the hands of those who know. You know, Unix is picky about its friends. :-)

Re:Vixie Cron (0)

Anonymous Coward | about 3 years ago | (#36835262)

I don't know about cron, but BIND 4 and 8 were exploit ridden pieces of shit.

Re:Vixie Cron (4, Informative)

eln (21727) | about 3 years ago | (#36835150)

He also wrote BIND, which had one of the most breathtakingly awful security records of any single piece of software for many years (the years during which he was the primary author, oddly enough). For a while there, it seemed CERT was issuing advisories for some new vulnerability in BIND that would grant root access to your entire network on a daily basis.

Re:Vixie Cron (1)

Anonymous Coward | about 3 years ago | (#36835408)

You can say that about almost any software written in that time frame; security was not as high a priority back then when memory, disk, network and cpu limitations meant making real world efforts to get software working at all. And adding security into a complex product after the fact is EXTREMELY difficult compared to starting fresh.

Re:Vixie Cron (0)

Anonymous Coward | about 3 years ago | (#36835256)

... cron is a flaming piece of shit.

Give me Microsoft Task Scheduler any day of the week

Ha ha! Well done sir troll!

Re:Vixie Cron (1)

Anonymous Coward | about 3 years ago | (#36835298)

Didn't Paul Vixie write cron? Well, if he did, then he has no credibility in my book, because cron is a flaming piece of shit.

Give me Microsoft Task Scheduler any day of the week, Paul Vixie.

"Vixie" doesn't even sound like his real name.

Ho ho! What a delightful spectacle! Truly, a parody of competent trolling for the ages!

Re:Vixie Cron (0)

Anonymous Coward | about 3 years ago | (#36835456)

thank you, I'm glad somebody gets it. Makes it all worth it.

Re:Vixie Cron (0)

Anonymous Coward | about 3 years ago | (#36835462)

MS Task Scheduler is horrible (unless it's the only thing you have ever used). One of the first things I do on Windows is get a third party scheduler. As for Cron, I've used it for many, many years and it has never failed me and always allowed me to do what I wanted. I will admit that configuring it takes some patience and know-how but nothing "man crontab" can't solve.

Re:Vixie Cron (1)

MurukeshM (1901690) | about 3 years ago | (#36836334)

Whoosh!

Paul Vixie? (-1)

Anonymous Coward | about 3 years ago | (#36835120)

More like Paul Johnny-Come-Lately-To-The-Internet-Game

another example (0)

Anonymous Coward | about 3 years ago | (#36835140)

TinyUrl, another example of an internet phenomenon where great success breeds copycats, which breed confusion, which in turn breeds failure.

Time to abandon DNS as we know it. (0)

Anonymous Coward | about 3 years ago | (#36835234)

Why don't we begin with IID (International Identity) for every person living on this earth?

I propose to build a system called IIDS (International Identity System) for every person living on this earth. There are about 6 billion people living on this earth. If we use 37 alphanumeric characters (a,b,c,...,z,0,1,2,...,9,_), not case sensitive, we need 7 characters to cover 6 billion people. [37^7 is about 95 billion].

IID number is internationally unique. Let me start with my own IID : hantart, since my name is Hantarto Widjaja.

This IID can be used for very general purposes. And it'll be very useful for the future. IID treats and sets everybody equally as a person, no discriminations on race, religion, gender, nation, education level, income, age, social status, military or civil, etc. (no discrimination in all aspects).

Now, we have many identity numbers, such as our bank accounts no., student registration no., driving licence no., credit cards no., address, e-mail account, national ID no., telephone/fax/mobile phone no., etc. With IID, you just remember one thing, that is the IID. You don't need to know where someone is to call him/her.

To call someone, you do not need to dial numbers, you just dial hantart/phone. Also to e-mail me, you just type hantart/email. And other, such as hantart/fax, hantart/address, hantart/office_address, hantart/mobile_phone, hantart/homepage, etc. This idea can be extended not only to person, but also to institutions, companies, organizations, schools, universities, etc.

Let us popularize this IID system. In the future, you can communicate with everybody as easily as he/she is in front of you. The goal of this project is to connect every person in the world. People say two heads are better than one. Others say, if the thinking power of a head is ten, then thinking power of two heads is ten powered by two. And the internet is very good thing in bringing IIDS into reality.

Why whois when you already know who I is? hahaha.

Re:Time to abandon DNS as we know it. (0)

Anonymous Coward | about 3 years ago | (#36835382)

So you're saying "use facebook login for everything?" then?

And you presumably have a plan for ensuring the information associated with this IID is accurate, and that no one person uses more than one IID, and that no two people can use the same IID?

Re:Time to abandon DNS as we know it. (1)

Anonymous Coward | about 3 years ago | (#36835476)

It is more than just "login." It is like every person on Earth having a static IP address and domain name that can be used for all things.

In case of IID collision we can multiplex them through 4th and 5th dimension to avoid problem.

We are all trapped in SPACE and TIME. Do we want to be like this forever?

Re:Time to abandon DNS as we know it. (1)

TangoMargarine (1617195) | about 3 years ago | (#36838682)

+1 WTF

Well, Good luck with that! (1)

billstewart (78916) | about 3 years ago | (#36838826)

I'll be amused to see your business model and your adoption rate, and your plan for making it useful for some people before convincing everybody in the world to adopt it, and your plan for dealing with privacy and spam and identity theft and spam and with people who have multiple email addresses and multiple phones and one-use email addresses to avoid spammers, and ....

And if you do manage to sell any significant number of users on wanting it, somebody's quickly going to decide to create the domain iids.com, so you'd get the domain name hantart.iids.com and user abc1234 will get the domain name abc1234.iids.com, and now you're back inside DNS.

Meanwhile, if you're giving out names, I'm Number6.

Only trust a system if it's unique?? (1)

mounthood (993037) | about 3 years ago | (#36835664)

The argument misunderstands trust; that we can only trust a single system, and we must trust it completely.

Let's assume for the purposes of argument, however, that an alternative Whois system is created and enough network operators trust it that this alternative system becomes operationally relevant and that a non-RIR resource transfer regime becomes practical. Does anybody really believe that there would be only one alternative Whois system—no copycatting? Or as in the case of alternative DNS described earlier, would not the number of potential alternative Whois systems be limited only by available capital?

(emphasis added) Duplicate systems can contain differing information, and be trusted at different levels. People do this all the time. The author's unstated premise is that the goal is 'a definitive, trusted, answer' and not some variable level of trust (or confidence) in the answer. Think Encyclopedia Britannica; not Wikipedia.

Inevitably, however, the same network would appear to be registered to different operators in different Whois systems since freedom from transfer limitations is the stated reason for the very existence of the alternative systems.

Do we trust a top-down, hierarchical system controlled by a single entity more than a distributed system based on varying levels of trust? That question has been asked and answered on the internet and we all know how it plays out.

Re:Only trust a system if it's unique?? (1)

Sloppy (14984) | about 3 years ago | (#36836618)

The author's unstated premise is that the goal is 'a definitive, trusted, answer' and not some variable level of trust (or confidence) in the answer.

Vixie didn't phrase it that way, but he didn't exactly gloss over it either. One of the things I like about the article is that he's quite explicit that he's working under the constraint that whois and DNS must be universal -- that a query must return the same result no matter where or who you are.

Universal must always imply a single definitive answer, based on completely trusting one single authority. And that one authority .. heh heh .. "arrogantly" (your word, not mine, Mr. Vixie) tolerates no competition. If alternatives to DNS or Whois are being arrogant, I wonder what that says about the system they seek to replace. :-) The very flaw shared by the rebels is the reason they're rebelling.

Sacrificing universality is a price that many people don't want to pay, and I certainly sympathise with a professional network administrator who doesn't want to give it up, even if as a user I see it as a sacrifice that otherwise solves a shitload of problems. If we keep it, though, people should indeed keep in mind the cost as well as the advantages. And an unrealistic trust model, and all the conflict that flows from that, is certainly part of that cost.

The alternative: operators growing a pair (1)

WaffleMonster (969671) | about 3 years ago | (#36835834)

Rather than just sitting back and watching as ICANN allows the demands of money to corrode an essential function of the network, DNS root operators can coordinate using their leverage to effect change to ICANN and its governance.

IP addresses of the root servers to bootstrap the entire system are configured in countless millions of DNS servers. What is ICANN going to do, send out a memo asking the entire network to please update their root list?

There are solutions to ICANN which do not involve fragmenting the system. All that is required is for the operators with power to effect change to coordinate to send a message which can not be ignored.

Depends on your goals (1)

davidwr (791652) | about 3 years ago | (#36835934)

If your "alternative whois" is DESIGNED to balkanize the Interwebs then it will be a success by definition.

Totalitarian governments and companies or schools that want to make certain areas not only "off limits" but redirected to "their" version of the web site are no doubt doing this already.

Adware-driven bogus-dns setups likely do this as well.

Obligatory (1)

Anonymous Coward | about 3 years ago | (#36836074)

Obligatory XKCD: http://xkcd.com/927/

Opposite viewpoint (1)

karl.auerbach (157250) | about 3 years ago | (#36836420)

I have long held that competing DNS root systems *can* work - and in fact have been working for a long time.

The issue is not whether there is one singular catholic DNS root, but rather the degree of consistency between competing roots.

We all accept that internet users dislike surprise - they will not like any DNS root that gives surprising (or misleading or fraudulent) answers. That's why any DNS root that gives surprising DNS answers will quickly be shunned.

What is intriguing about competing DNS roots is that they provide a way around ICANN and around ICANN's choices - and ICANN's fees and ICANN's trademark-over-everything-else policies.

I wrote a note on this topic some years ago - "What would the internet be like had there been no ICANN?" [cavebear.com] at http://www.cavebear.com/cbblog-archives/000331.html

Article is about IP Address sales, not DNS/WHOIS (3, Insightful)

Cerlyn (202990) | about 3 years ago | (#36836556)

I don't think many people are getting the point of this article, although I admit it is a bit confusing. While it is true that the article talks about alternative DNS systems and WHOIS; what Paul really seems concerned about is the part of the WHOIS system used to look up who is currently allowed to use a given IP address range, and is responsible for activity originating from it.

The current authorities which run this part of the WHOIS system have rules and restrictions about how and why IP address blocks on the Internet can be assigned from one party to another. Among the things cited by the article which currently are not permitted are obtaining IP addresses for perceived future needs when you have not already exhausted what you have, or simply buying IP addresses for no use at all, speculating that they can be sold for more money later.

Some parties do not like these rules, and want to establish their own system for buying and selling IP addresses which is not subject to the rules currently in place. They could kind-of do this right now, but the transfer of ownership would not be recorded in the old system.

This is potentially a bad thing. Suppose someone attacks you from IP address 1.2.3.4, and for some reason reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information, or the fact that the IP block had been sold, in one system but forgot to do so in another?

Re:Article is about IP Address sales, not DNS/WHOI (2)

wrmine (1123207) | about 3 years ago | (#36841564)

This is potentially a bad thing. Suppose someone attacks you from IP address 1.2.3.4, and for some reason reverse DNS on that IP address fails to work. If there is more than one system tracking ownership of who currently has the right to use this IP address, how do you find the right administrator to contact? And what if someone updated their contact information, or the fact that the IP block had been sold, in one system but forgot to do so in another?

There is another layer that is not discussed in TFA that uses whois and routing announcements to help verify routing. Routing databases like RADB are required by most BGP transit providers, and all peering exchanges will use something like peerdb.com to help track their members too. The transit providers like to know where to send the bill for the bandwidth used by an IP block, and peering exchanges like to enforce their rules. IP blocks are assigned to people and companies that can change locations and providers. In the attack scenario, if a PTR record for the IP was not found, search for the nameserver of the reverse zone; if that is missing, do a traceroute and pick the previous hop to report to the IP's provider. All datacenter/network providers have a no abuse/spam clause in their contracts under which they can disable/terminate service.

The reality is that no one can buy an IP address. They are all leased from the RIRs and IANA. The RIRs can ask for the IPs back at any time.
BTW 192.0.2.0/24 is the IP block for examples.
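The lookup order this post describes (PTR record first, then the nameservers of the enclosing reverse zones, before falling back to a traceroute) as an added example; it is not code from the thread or from any registry. The resolver is a constructed in-memory table keyed on names inside the 192.0.2.0/24 and 2001:db8::/32 documentation blocks, with placeholder nameserver names, so it runs offline; a real tool would query the system resolver instead.

```python
"""Reverse-DNS fallback walk for locating the party responsible for an IP.

Added example: models the order described in the post. The in-memory
zone table below is constructed sample data, not real registry data.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample zone data. 192.0.2.0/24 and 2001:db8::/32 are the
# documentation blocks; every name ending in ".test." is a placeholder.
SAMPLE_ZONE_DATA: Dict[Tuple[str, str], List[str]] = {
    ("17.2.0.192.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("2.0.192.in-addr.arpa", "NS"): ["ns1.example-isp.test."],
    ("0.192.in-addr.arpa", "NS"): ["ns.rir-placeholder.test."],
    # the /32 reverse zone for 2001:db8::/32 (8 nibbles)
    ("8.b.d.0.1.0.0.2.ip6.arpa", "NS"): ["ns6.rir-placeholder.test."],
}

# A resolver takes (name, rrtype) and returns the RRset as strings.
Resolver = Callable[[str, str], List[str]]


def table_resolver(name: str, rrtype: str) -> List[str]:
    """Offline resolver backed by the constructed table."""
    return SAMPLE_ZONE_DATA.get((name, rrtype), [])


def reverse_name(ip: str) -> str:
    """The PTR owner name, e.g. 192.0.2.17 -> 17.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def enclosing_reverse_zones(ip: str) -> List[str]:
    """Ancestor zones of the PTR name, most specific first.

    Walks one label at a time (one octet for IPv4, one nibble for IPv6)
    and stops before the bare in-addr.arpa / ip6.arpa suffix, which is
    never a delegation that identifies a specific holder.
    """
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    suffix_len = 2  # "in-addr.arpa" or "ip6.arpa"
    return [".".join(labels[i:]) for i in range(1, len(labels) - suffix_len)]


def find_responsible_party(ip: str, resolve: Resolver = table_resolver) -> dict:
    """Return the first evidence found for who to contact about `ip`.

    Order follows the post: PTR record, then the NS set of the nearest
    enclosing reverse zone that is delegated. A result with method None
    means both failed; the caller then falls back to a traceroute and the
    previous hop's provider, which an offline example cannot show.
    """
    ptr = resolve(reverse_name(ip), "PTR")
    if ptr:
        return {"ip": ip, "method": "PTR", "value": ptr[0]}
    for zone in enclosing_reverse_zones(ip):
        ns = resolve(zone, "NS")
        if ns:
            return {"ip": ip, "method": "NS", "zone": zone, "value": ns[0]}
    return {"ip": ip, "method": None}


if __name__ == "__main__":
    for sample in ("192.0.2.17", "192.0.2.99", "192.0.5.1", "10.1.2.3", "2001:db8::1"):
        print(find_responsible_party(sample))
```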

P2P-WHois version .01 (0)

Anonymous Coward | about 3 years ago | (#36836764)

get your hosts files now
haha mpaa suckers

Re:P2P-WHois version .01 (0)

Anonymous Coward | about 3 years ago | (#36837810)

shh, don't speak of such things, you will summon the host file troll(s)

Re:P2P-WHois version .01 (0)

Anonymous Coward | about 3 years ago | (#36843776)

Hosts people here don't do away with DNS using hosts files. They supplement DNS' shortcomings using hosts files.

20++ benefits of HOSTS file usage... apk (0)

Anonymous Coward | about 3 years ago | (#36862418)

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122 [slashdot.org]

Now?

20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY web browser, email program, etc. (any webbound program).

2.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IP-address-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current).

6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code. With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

and people do NOT LIKE ads on the web:

---

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

ADBANNERS SLOW DOWN THE WEB:

http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less)).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even GOOGLE DNS, & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Photobucket's DNS records hijacked by Turkish hacking group:

http://www.zdnet.com/blog/security/title/1285 [zdnet.com]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
OpenDNS -> http://www.opendns.com/ [opendns.com]

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] [mvps.org]" - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

---

Then, there is also the words of respected security expert, Mr. Oliver Day, from SECUNIA.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files a 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

APK

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proxomitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such a list as does IE also) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point 18 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most use domain/host names because they're "RECYCLABLE/REUSABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk
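An audit of a hosts file against the maintenance points this post itself raises (blocklist entries should sink to a loopback or unspecified address, hardcoded favourite sites go stale and need re-verifying, and the same hostname mapped to two addresses resolves unpredictably since the resolver takes the first match), as an added example rather than anything from the post or the linked lists. The hosts text it parses is a constructed sample; `example.test` names and 192.0.2.x addresses are placeholders.

```python
"""Hosts-file audit: added example, not code from the post.

Parses hosts-file text the way the system resolver does (first token is
an address, the rest are hostnames, '#' starts a comment) and reports
what a maintainer of a large blocklist-style HOSTS file should review.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple

# Constructed sample; not a real blocklist and not real sites.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test tracker.example.test   # blocklist style
127.0.0.1       malware-cnc.example.test
192.0.2.10      www.example.com          # hardcoded favourite site
192.0.2.11      www.example.com          # stale duplicate from an older edit
10.0.0.5        intranet.example.test
not-an-ip       broken.example.test
192.0.2.12
"""


@dataclass
class HostsReport:
    entries: int = 0
    sinkholed: Dict[str, str] = field(default_factory=dict)   # host -> address
    hardcoded: Dict[str, str] = field(default_factory=dict)   # host -> address
    conflicts: Dict[str, List[str]] = field(default_factory=dict)
    malformed: List[int] = field(default_factory=list)        # 1-based line numbers


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, address_text, hostnames) for every non-blank data line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def audit_hosts(text: str) -> HostsReport:
    """Classify every mapping and flag lines that need attention.

    A hostname mapped to a loopback or unspecified address is a blocklist
    sinkhole. Anything else is a hardcoded mapping that bypasses DNS and
    must be re-verified periodically, as the post itself advises. Two
    different addresses of the same family for one hostname is a conflict:
    the resolver takes the first match, so the later line is dead weight
    or, worse, the one that was meant to win.
    """
    report = HostsReport()
    seen: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for lineno, addr_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            report.malformed.append(lineno)
            continue
        if not hosts:                       # address with no hostname
            report.malformed.append(lineno)
            continue
        for host in hosts:
            name = host.lower()             # hostnames are case-insensitive
            report.entries += 1
            key = (name, addr.version)
            if addr_text not in seen[key]:
                seen[key].append(addr_text)
            if addr.is_loopback or addr.is_unspecified:
                report.sinkholed[name] = addr_text
            else:
                report.hardcoded[name] = addr_text
    for (name, _version), addrs in seen.items():
        if len(addrs) > 1:
            report.conflicts[name] = addrs
    return report


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print(f"{rep.entries} mappings, {len(rep.sinkholed)} sinkholed, "
          f"{len(rep.hardcoded)} hardcoded")
    print("conflicts:", rep.conflicts)
    print("malformed lines:", rep.malformed)
```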

Or is the real reason that Mr. Vixie's DNS (0)

Anonymous Coward | about 3 years ago | (#36842074)

will be supplanted by something else and he fears this more than anything else? Think about it.

Competition=Arrogance? (1)

DASHWORLDS (1951110) | about 3 years ago | (#36843948)

From such a well respected author, the suggestion that some competition should be classed as arrogance comes as a surprise to say the least. The world is no longer a Pangaea; it fragmented a long time ago. The one stop shop Pangaea has become a group of competing countries all with various agendas, all contactable using the same telephone numbers, but of course via different country codes. The DNS is following the same path. Competition is to be expected, yet the aim is not always to smash the opponent. Sometimes it's there to add intrinsic value (whether or not the other side chooses to see it that way). With the DNS for example, as well as Dotcoms, there are now Dashcoms. Yes, success breeds copycats. It has also been known to breed evolution, innovation and improvement.