Re: [GTALUG] CIRA officially launches free DNS firewall for consumers | IT World Canada News

On 4/28/20 9:16 AM, ac wrote:
On Tue, 28 Apr 2020 08:13:11 -0400 Alvin Starr <alvin@netvel.net> wrote:
<snip so many cool things around here somewhere>
How about DNS over TOR?
as usual, LOVE the way you think :)
How about just plain old DNSSEC? (instead of a nanny) - yay, IT Works! - and is so mature already...(without all the risks of having/using a nanny)
I thought DNSSEC was more to secure the content of the query and not the communication channel. But my DNSSEC knowledge is spotty at best.
and using connectivity providers (instead of third parties and dns over https) -- for caching/recursive, like Bell (Bell CA actually does not track/record/monetise their users' DNS queries afaik)
All the Canadian carriers will always work to maximize their profit because they are obligated to by their shareholders. So always assume they are monetizing anything they can even in the face of public denials. They all perform deep packet inspection so assume anything that is in the clear will be monetized. I am not saying they are evil. It's just that their profit motive may not be in the end users' best interest.
Problems all solved?
my further opinions are that any "nanny" type "free" service where someone else decides what and where i may or may not go or what i may or may not see, needs to be either well regulated/controlled/open/published/etc or simply not be accepted...
Sometimes nannies are good things.
yes, nannies are 'sometimes' good things, but for some people BAD nannies are sometimes even better :)
Are you thinking of the Nanny from Queen's Fat Bottomed Girls?
People without the wherewithal or interest in managing their own security likely are in need of a nanny.
again, dnssec already protects users, it just needs wider adoption, which is the issue... as for "shared" domains like outlook.com - abuse management costs will increase? - which is probably why dnssec has never caught on, it is not "sexy" (like some nannies...)
I have had mixed luck with DNSSEC from the point of view of internal implementation and have fallen back to SEC-less. As a side story. DNS(bind) has been SO reliable over the years that people have not upgraded their software. A month or so ago a few customers had their DNS partly break because the old DNSSEC root keys were removed. The solution was to turn off DNSSEC till they were able to upgrade the software.
anyway, i am probably a minority as i also do not like/use/support very popular and world dominating services such as 'whatsapp' and i do not tweet or post photos of my food on insta and i have zero tiktok vids
I have a feeling your take is not a minority on this list.
ooh, warm & fuzzies to you too, I have a home *sigh* :)
Ya. Safe at home sometimes feels like locked in trying to avoid the zombie apocalypse.
--
Alvin Starr || land: (647)478-6285
Netvel Inc. || Cell: (416)806-0133
alvin@netvel.net ||

On Tue, 28 Apr 2020 10:02:39 -0400 Alvin Starr <alvin@netvel.net> wrote:
<snip snip>
Sometimes nannies are good things.
yes, nannies are 'sometimes' good things, but for some people BAD nannies are sometimes even better :)
Are you thinking of the Nanny from Queen's Fat Bottomed Girls?
roflmao
People without the wherewithal or interest in managing their own security likely are in need of a nanny.
again, dnssec already protects users, it just needs wider adoption, which is the issue... as for "shared" domains like outlook.com - abuse management costs will increase? - which is probably why dnssec has never caught on, it is not "sexy" (like some nannies...)
I have had mixed luck with DNSSEC from the point of view of internal implementation and have fallen back to SEC-less.
it has always served me well enough and I have written some implementation papers some years ago... I am sooo lazy I also wrote a whole bunch of programs that do everything for me automagically. so it just works and keeps on working (it also does the epp & everything with the registry.. on some tld the epp/xml/whatever to the registrar - if I am not the registrar) - yep, I am ultimately SUPER lazy...
As a side story. DNS(bind) has been SO reliable over the years that people have not upgraded their software. A month or so ago a few customers had their DNS partly break because the old DNSSEC root keys were removed. The solution was to turn off DNSSEC till they were able to upgrade the software.
anyway, i am probably a minority as i also do not like/use/support very popular and world dominating services such as 'whatsapp' and i do not tweet or post photos of my food on insta and i have zero tiktok vids
I have a feeling your take is not a minority on this list.
ooh, warm & fuzzies to you too, I have a home *sigh* :)
Ya. Safe at home sometimes feels like locked in trying to avoid the zombie apocalypse.
soon, very soon, we shall be released from captivity - at least your geo is less restrictive than mine. mine has guns and no roses :)