
Sonic.net implements DNSSEC, performs MITM against customers - rosser
http://permalink.gmane.org/gmane.comp.encryption.general/21150
======
Animats
Sonic has been doing that for a year. All they're doing is applying a
blacklist at their DNS servers. Unlike OpenDNS and Google, they don't divert
DNS no-finds to ads. It is annoying, though, that they don't clearly identify
who's displaying that message and why.

Sonic has an alternative DNS server without this feature (at 75.101.19.196 or
75.101.19.228), which is useful if you're testing things that need to see
phishing sites.

~~~
Someone1234
While OpenDNS does do the redirect thing (It can be turned off), Google have
never done that and even state quite expressly that they don't in the Google
DNS FAQ:

[https://developers.google.com/speed/public-dns/faq#nxdomains](https://developers.google.com/speed/public-dns/faq#nxdomains)

So if you've been redirected while using Google's DNS then I strongly urge you
to check your systems for malware.

edit: OpenDNS may have discontinued it:
[https://en.wikipedia.org/wiki/OpenDNS#Discontinued_Advertisi...](https://en.wikipedia.org/wiki/OpenDNS#Discontinued_Advertising)

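An added check, not code from this thread or from Sonic, for the two behaviours discussed above: query a name through the resolver you suspect of filtering and through an unfiltered reference (for instance the alternate Sonic addresses Animats lists), then tell a synthesised NXDOMAIN, an NXDOMAIN redirect to an ad or search page, and a rewritten A record apart. It uses only the standard library and builds the DNS packets by hand (A records over UDP, DO bit set so the AD flag is meaningful). The sample replies at the bottom are constructed, not captured traffic, and the TEST-NET addresses in them are placeholders.

```python
"""Compare a filtering resolver's answers against a reference resolver.

Added example for this thread; not Sonic's code. Stdlib only: DNS packets
are built and parsed by hand (A records only, UDP, no retries, no TC handling).
"""
import random
import socket
import struct

NXDOMAIN = 3


def build_query(name, qtype=1, dnssec_ok=True):
    """Return (txid, packet) for a recursive query; DO bit set via an OPT RR."""
    txid = random.randint(0, 0xFFFF)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)
    if dnssec_ok:
        # OPT pseudo-RR (RFC 6891): root name, type 41, 4096-byte UDP size,
        # extended rcode 0, EDNS version 0, flags with DO (0x8000), no rdata.
        packet += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return txid, packet


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return txid, rcode, AD flag and the sorted A records of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "addrs": sorted(addrs)}


def classify(filtered, reference):
    """Label how the filtering resolver's answer differs from the reference.

    "rewritten" is a hint, not proof: CDNs legitimately hand out different
    addresses per resolver, so confirm by fetching what the address serves.
    """
    if filtered["rcode"] == NXDOMAIN and reference["rcode"] == 0:
        return "blocked"            # resolver synthesised NXDOMAIN
    if filtered["rcode"] == 0 and reference["rcode"] == NXDOMAIN:
        return "nxdomain-redirect"  # answered for a name that does not exist
    if filtered["rcode"] == reference["rcode"] == 0 and filtered["addrs"] != reference["addrs"]:
        return "rewritten"          # different A records, e.g. a block page
    if filtered["rcode"] == reference["rcode"] and filtered["addrs"] == reference["addrs"]:
        return "consistent"
    return "inconsistent"


def query(server, name, timeout=3.0):
    """Send one UDP query and parse the reply; raises on txid mismatch."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return resp


# Constructed sample replies (not captured traffic) to "example.com A", txid 0x1234.
# TEST-NET addresses stand in for the real site and for a block page.
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"


def _sample(flags, rdata):
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rdata else 0, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata if rdata else b""
    return header + _QUESTION + answer


SAMPLE_REFERENCE = _sample(0x81A0, bytes([192, 0, 2, 1]))     # QR RD RA AD, genuine answer
SAMPLE_BLOCKPAGE = _sample(0x8180, bytes([198, 51, 100, 1]))  # AD cleared, address swapped
SAMPLE_NXDOMAIN = _sample(0x8183, b"")                        # rcode 3, no answer

if __name__ == "__main__":
    import sys
    filtered_server, reference_server, hostname = sys.argv[1:4]
    print(hostname, classify(query(filtered_server, hostname), query(reference_server, hostname)))
```

Run it as `python3 dnscheck.py <filtered_resolver_ip> <reference_resolver_ip> <hostname>`. Two caveats: a differing A record only says "look closer", since geo-DNS can legitimately vary by resolver, and a resolver that rewrites an answer for a DNSSEC-signed zone cannot also hand you valid signatures for it, so a validating stub resolver on your own machine is the stronger check than comparing plain answers.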
------
tedivm
The forum post referenced in the email was posted on March 14th, meaning that
this has been going on for a while. Have they done anything in the meantime to
improve the usability of this or present DNSSEC enabled services that do not
have this man in the middle action going on?

Done right this can be a really good service: malware that takes advantage of
cutting edge exploits (combined with computers that get updated slowly if at
all) can be hard to block if it isn't being cut off at its source, and a
company proactively protecting their customers can be a very good thing.
However, to do that right requires a few important steps:

1. Notifying the customer of what is happening. This is a huge fail since
they give their customers no notice of what company is actually doing it.

2. Instructions to report false positives. They're not even saying who they
are, so there's clearly no easy way to report false positives.

3. A commitment to only blocking active exploits. They shouldn't be censors,
they should only be blocking things that can actually cause damage. The fact
that they're blocking political and financial sites due to social engineering
is clearly problematic.

4. Finally, they should add a way to get around the block. This is
unfortunately a difficult thing to do with DNS based blocking and I'd be
willing to cut them some slack on this if they could make up for it by rigid
standards of damage and a fast false positive response.

When my team managed the blocklist that mbam uses we had to deal with this
kind of stuff, but overall it worked really well and as time went on more
features were added to the product to make sure customers had control. This
type of service can be done right, but when it's not I feel it can do far more
harm than good as people abandon security because of the perceived
inconvenience that's really just a shitty product.

------
charonn0
I've been a Sonic subscriber for a few years now and I'm configured to use the
affected DNS servers, but I've never encountered a block and I don't really
see the problem (aside from not branding the block page.)

------
phusion
Hrmm this is depressing, I was a Sonic customer back in '97 when they first
opened, along with the public Internet.

They always win 5 stars from the EFF for privacy, is this really as bad as it
seems?

------
warthcorp
In my opinion, 1&1 Internet should be on the Black list.

