DNS

  • domainname collision : the coming plaque and what to do about it

    so Icann who is mainly responsable for this because she refused to listen to the security community and sold several of the domainextensions that were untill now soleley used for internal networks like .intra has now put together a whole resource about domainname collision

    which is nice - but doesn't excuse her for taking this decision in the first place

    source

    "A name collision occurs when an attempt to resolve a name used in a private name space (e.g. under a non-delegated Top-Level Domain, or a short, unqualified name) results in a query to the public Domain Name System (DNS). When the administrative boundaries of private and public namespaces overlap, name resolution may yield unintended or harmful results.

     

    Name collisions are not new. The introduction of any new domain name into the DNS, whether a generic TLD, country code TLD or second-level domain name, creates the potential for name collision. However, queries for un-delegated TLDs at the root level of the DNS have received renewed attention because certain applied-for new TLD strings could be identical to name labels used in private networks. A secure, stable and resilient Internet is ICANN's number one priority. Therefore, we've made a commitment to the Internet community to launch a substantial effort to mitigate and manage name collision occurrence
    https://www.icann.org/resources/pages/name-collision-2013-12-06-en#resources

    the problem is that many purely internal networks with networknames will now sometimes have problems because the same domainname has been sold to someone else (for example bayer.intra can exist hidden and on the web)

  • warning to national DNS operators : you are a target

    there was no defacement of Google in Paraguay but the people were sent to a page that looked like a defacement

    "Mormoroth published a number of screenshots to demonstrate that he had gained access to NIC.py’s backend systems. He leaked some user credentials and other information stolen from the site’s databases.

    In a blog post on ha.cker.ir, the hacker has explained that he has leveraged a remote code execution (RCE) vulnerability to breach NIC.py.
    http://news.softpedia.com/news/Google-Paraguay-Hijacked-via-NIC-py-Hack-429228.shtml

    This means that national DNS operators should take more care about the security of their operations and networks

  • DNS Sec amplifies even more a DNS amplification DDOS attack

    Although a security initiative aimed at making DNS more secure exists — DNSSEC — it does not necessarily address the issue of spoofed source addresses. DNS requests and responses typically use the UDP protocol, rather than the TCP protocol. The latter requires a three-way handshake to establish a channel and confirm with the machine it is talking to that it did, in fact, initiate a connection. The former, however, does not.

     

    Instead of being an issue that DNSSEC might solve, it is actually a transport protocol problem that has little to do with the additional security measures that DNSSEC might offer. However, as Cloudflare and others have pointed out in the past, DNSSEC can make the issue worse, as the additional keys required to authenticate records further increases the magnitude of amplification that an attacker has access to.
    http://www.zdnet.com/the-largest-ddos-attack-didnt-break-the-internet-but-it-did-try-7000013225/

    the domainextension .be uses dnssec .......

    what are the risks of that because if we or its installations become a target or are used against a target .....

  • according to netcraft Belgium is one of the best places to have your phishing site

    yep, we are one of the only countries in the world where it seems to take ages before we eventually will get a phishing site down

    even China does better

    and time is money because a phishing site makes it money in the 4 hours after it has been launched and people are being redirected to it through false emails and links

    http://toolbar.netcraft.com/stats/takedown

    look at the only orange spot on continental Europe (yep Greece also but Greece is broke)

     

  • domainregistration services can't say there is no service to alarm them for phishing domains

    The service computes a registration risk score for a proposed domain, which gives a measure of the likelihood that this candidate domain may be used to host a phishing attack. We do this by using the results of two algorithms:

     

    • The first algorithm, Phish target score compares the candidate domain to each of the frequently-phished legitimate domains we have on record. This comparison is done on a per-character basis, and the score is formed by looking at the minimum set of edits required to map from one to the other. The algorithm recognises certain tricks commonly used in domain names to deceive victims, such as double letters (paaypal.com) or confusing characters or combinations of characters (paypa1.com). We also check against a list of deceptive prefixes and suffixes that are frequently used by phishing sites, including signin and verify. As well as using a set of fixed rules, this algorithm also retains the flexibility to match new mappings and edits that have not been seen before. Using the suggested cut-off of a minimum score of 5/10, this method identifies 278 (12.7%) out of the 2,191 phishing domains currently blocked by Netcraft.
    • The second algorithm, String entropy score, works entirely differently. Many phishing domains in our database are essentially random strings of alphanumeric digits, yet very few legitimate sites follow this pattern. The string entropy test looks to see if a domain looks like a combination of real dictionary words and plausible names, or whether it looks more like a randomised string. The higher the score, the more random a string appears to be. Although most dictionary strings score zero, the suggested cut-off is a minimum score of 5/10; any domain scoring higher than this is very likely to be random, but below this score false positives are increasingly likely. Using the suggested cut-off identifies 474 (21.6%) of the 2,191 identified phishing domains and these are substantially non-overlapping with those domains spotted by the first method

    http://www.netcraft.com/anti-phishing/domain-registration-risk/

    They always say 'Me, I know nothing, I do nothing' but this is not true

    off course you could use common sense and block already for example 100 words that shouldn't be used in any domainname because they will always create not only confusion but also a financial risk (a site like mypaypal.biz is a phishingsite for paypal without any question)

    but as a business they would like to have some formal objective reason not hold a domainregistration and this (not free) checking service by netcraft is only one of the different services that will help them to do this

    off course it should be necessary for all the domainregistration services (also the thousand new ones) to use this service at least for the financial services and social media

  • why dns.be needs to keep its guard up all the time and monitor botnet authority

    If a domainname is clearly only and solely used as a botnet operator

    if it is clear that there is no website or webservice other than that

    if it is clear that the registration details are so fake as the name

    than botnetsites with .be extensions should be blackholed immediately if different resources confirm all these

    http://www.exposedbotnets.com/2013/09/fackestructurbe-warbot-http-botnet.html

    Google safebrowsing  says it is clean

    and they seem to have taken the (in fact very old) botnets that were active on the page down

    but this doesn't change a thing because it is still active and can be re-used for such activity at any time

    it was being used for botnet-operations and the probability that it will again is very high

    because they have already set-up a new operation on a new page 

  • everybody becomes a dns operator to circumvent censorship says piratebay

    after the piratebrowser the people behind piratebay have another much greater project

    "in other words, when users load The Pirate Bay or any other site that joins the new platform, the site’s data will be shared among users and stored locally. The website doesn’t require a public facing portal and only needs minimal resources to “seed” the site’s files to the rest of the world.

     

    “It’s basically a browser-like app that uses webkit to render pages, BitTorrent to download the content while storing everything locally,” the Pirate Bay insider says.

     

    All further site updates are incremental, so people don’t end up downloading the entire site day after day. The disk space users need for the locally stored sites ranges from a few dozen megabytes for a small site, to several gigabytes for a larger torrent index.The new software will be released as a standalone application as well as Firefox and Chrome plugins.

     

    Since the site data comes from other peers, there is no central IP-address that can be blocked by Internet providers. Site owners will still offer webseeds to speed up loading, but sites are fully accessible when these are blocked.

     

    Another important change is that the new software will not use standard domain names. Instead, it will use its own fake DNS system that will link the site’s name to a unique and verified public key. For example, within the application bt://mysite.p2p/ will load 929548249111abadfjab29347282374.p2p.

     

    “Site owners will be able to register their own names, which will serve as an alias for the curve25519 pub-key that will identify the site,” the Pirate Bay insider notes.“The “domain” registrations will be Bitcoin authenticated, on a first come first served basis. After a year the name will expire unless it’s re-verified.
    http://torrentfreak.com/how-the-pirate-bay-plans-to-beat-censorship-for-good-140105/

    first these alternative dns systems have been tried today but have never broken through because you have to install and update stuff and because it is totally different and even if there are a great number of people using Tor for example which you can see as an alternative internet with its own naming system, it will never have the same impact as the web. The problem with the idea is not that to circumvent censorship we should build our own networks, internets and dns systems, no we have to bring that content back into the mainstream

    but the second problem with the idea - and the same problem exists with TOR and Freenet and many other initiatives like that is that stuff like childporn and outright criminality and stupidity shouldn't be allowed and should be pushed out of these alternative 'havens of liberty'. There is no liberty if there is no dignity or humanity and childporn (to take the most disgusting example) is the contrary of both.

       this problem is even more evident in this new scheme because it is illegal to have childporn or links to childporn on your own computer and if that kind of content is allowed in these kinds of sites (or uploaded just to provoke and undermine the community) than every member of its network could be prosecuted even if he or she wasn't actively involved in or responsable for this content and there is nobody who will have any sympathy if you are arrested because you have childporn on your computer or because you are part of a network that distributes that disgusting stuff

    the third problem is that there will be problems if ICANN decides to attribute the domainextension p2p in the normal internet to an operator or to the police services who want to block this attempt because even if it theoretically shouldn't interfere it would make things more difficult

  • the DDOS armsrace increasing very fast in speed according to Arbor Networks

    so if you thought that you had some defenses against the most popular (oldstyle) attack nowadays DDOS by just turning on some feature on your firewall or router, you couldn't be more mistaken

    look at the numbers

    "KEY FINDINGS: DDoS attack size accelerating rapidly

     

    • 54% of attacks so far this year are over 1Gb/sec, up from 33% in 2012
    • 37% of attacks so far this year are in the 2-10Gb/sec range, up from 15% last year
    • 44% growth in proportion of attacks over 10Gb/sec, to 4% of all attacks
    • More than 350% growth in the number of attacks monitored at over 20Gb/sec so far this year, as compared to the whole of 2012
    • For 2013, an average DDoS attack now stands at 2.64Gb/sec, up 78% from 2012
    • 87% of all attacks monitored so far this year last less than one hour
    • Largest monitored and verified attack size increases significantly to 191Gb/sec 

    http://www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5026-arbor-networks-releases-q3-global-ddos-attack-trends-data

    this means that you will need backup plans with your ISP or other providers to be able to redirect - blackhole the attacks immediately and that those plans should include at least 1GB bandwith and be able to be upgraded very fast to over 20GB (which will ask quite a budget)

    the best way to do this for small isp's, hosters and websites or networks is to group together and have a contract together in which each pays a part of the permanent standby service and afterwhich for its effective use

    it is very important that those contracts can be activated immediately - so services without permanent staff all year long are not credible because most of the attacks take one hour (after which they ask money or make a big press splash with pictures of your downed sites)

    critical webservices like dns.be, payment and certification services and critical infrastructure should be obliged by 'law' to have for the moment adequate ddos protection

    I have no link to arbor networks - just like their intelligence

  • DNS hacking hits whatsapp, AVG and Avira

    http://www.techworm.in/2013/10/whatsapp-avira-and-avg-hacked-by-kdms.html

    a hacker got his hold on the handles for those domainnames and redirected them to pages with defacements so each time somebody wanted to go to the official websites they came at these pages instead

    being sure that all DNS servers over the whole world are cleaned of the redirect-change can take hours or days (depending on the refresh)

    imagine there was a zeroday download or in the a version of the software that has been tampered with (or infected somewhere or with a hidden account)

  • none of the belgian icann registered domainsellers signed the 2013 agreement

    http://www.internic.net/origin.html

    The information that appears for each registrar, including the referral web address and contact information, has been provided by each individual registrar.

    The 2013 RAA ICANN logo indicates that the registrar has signed the 2013 Registrar Accreditation Agreement ("RAA"), which is the most current contract governing the registrar relationship with ICANN. The 2013 RAA provides enhanced protections for registrants and an increased level of accountability for registrars, including but not limited to added registrar posting requirements, added compliance enforcement tools and increased accountability to third parties. Prospective registrants may want to take this fact into account when selecting a registrar for their gTLD name(s). The 2013 RAA ICANN logo is not an indication of how long the registrar has been ICANN accredited. You can view this contract at http://www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun 13-en.htm.

    A registrar with a 2009 RAA ICANN logo is one that has yet to sign the 2013 RAA. Registrars who are covered by the 2009 RAA are obligated to follow many provisions that safeguard registrants, but they will not be able to offer as many generic top level domains in the future. You can view the 2009 contract at http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm.

    the only belgians accredited with ICANN have signed the 2009 agreement

    what is important is that the 2013 agreement imposes more security and other quality and procedural obligations

    maybe we should use the opportunity to only let ICANN 2013 covered domainsellers should be able to sell .brussels and .vlaanderen and so to be sure that we have chosen really important and quality resellers and not the boy from the house down in the street who is having his webbusiness from his living room and his laptop

  • the rush for more and more .be domains

    but more can be less and the less (service or security) can make it harder to have more

  • Ontwerp digitale economie belangrijker dan dns.be beter te controleren

    Iedere keer wint DNS.Be zoals andere grote spelers op de Belgische internetmarkt haar strijd door bepaalde parlementariërs - zonder dat die meer en andere informatie gaan zoeken of die gaan confronteren met andere informatie en dus zonder contradictorisch onderzoek - te overtuigen van hun gelijk en waarom er beter niets verandert.

    dit is tot nu toe

    wat men bij DNS.Be niet begrijpt - of niet wilt begrijpen - is dat zij een kritische publieke dienstverlening zijn voor de hele Belgische interneteconomie en dat zelfs indien het misschien niet het beste voorstel is om er een publieke dienst van te maken of om ze onder de uitdtrukkelijke controle te steken van een een publieke dienst waarbij elk detail van haar operationeel management gecontroleerd wordt, ze zich toch minder als een commercieel bedrijf zou moeten gedragen die enkel diensten levert aan haar aandeelhouders en zich meer moet openstellen voor haar echte 1.5 miljoen klanten en de 'community'

    ze kan dit op verschillende manieren doen

    * betere kwaliteits- en verificatieverplichytingen ten opzichte van haar domeinverkopers - want zelf verkoopt ze natuurlijk niets maar hierachter verstopt ze zich wel als er problemen zijn.  Dit is al te gemakkelijk en het is ook de biggest single failure gebleken bij een aantal andere doorverkopers van vb certificaten want dit is hetzelfde businessmodel

    * meer normale rechten voor eigenaren van echte domeinnamen die als domeinnamen worden gebruikt - niemand heeft het recht om mijn naam of die van hetzij welk ander natuurlijk persoon te kopen als die niet dezelfde naam heeft en dat kan bewijzen. Niemand heeft het recht om namen die beschermd zijn door patenten en trademarks en copyrights te integreren of te gebruiken in een domeinnaam zonder enige terugkoppeling naar de echte domeineigenaar (en de kosten hiervoor moeten bij de opkoper worden gelegd en NIET bij de eigenaar  van het domeinnaam). En dit is zeker het geval door domeinnamen van banken en financiële of commerciële diensten online die in grote mate worden gebruikt voor phishing of logindiefstal (in dit laatste geval zullen die max 100 of neem nog 1000 domeinnamen het verschil niet maken).

    * een sterkere aanwezigheid van vertegenwoordigers van de domeinnaamhouders en online commerciële diensten in de organen van dns.be en haar overlegstructuren (en domeinnaamhouders zijn niet dezelfde als zij die ze verkopen als kopen ze er zelf veel op om mee te speculeren). Ik denk vb aan het VBO en dergelijke.

    * een sterkere aanwezigheid van vertegenwoordigers van de kritische community om te zorgen dat er plaats is voor contradictorisch debat en dat men voor het nemen van bepaalde beslissingen wel degelijk heeft rekening gehouden met alle mogelijke gevolgen die dit voor de verschillende soorten gebruikers van de domeinextensie kan hebben.

    * een SLA met de overheid die vernieuwbaar is en die om de zoveel jaar vastlegt wat de rechten en verplichtingen zijn voor deze licentie (om virtueel geld te printen) die in feite een monopolie is

    Dit wilt niet zeggen dat DNS.Be slecht werkt, dit betekent niet dat de mensen slecht werken, het betekent alleen dat ze haar beslissingsprocessen en haar transparantie moet democratiseren wil ze niet binnen hier en een paar jaar onder de voet worden gelopen door de 1000 andere domeinextensies die zullen in voege treden. Indien ze een legitiem onderdeel wilt zijn van de kritische dienstverlening op het Belgische internet dan moet ze zorgen dat het Belgische internet IN AL HAAR FACETTEN deel uitmaakt van haar structuur.

    Een ander gevolg van het uitsluiten van DNS.Be uit deze wijzigingen is dat ze ook werd gezien om diensten zoals de CERT.BE te kunnen voorzien van een stabiele grote financiering door vb het verhogen van de prijs van een domeinnaam met vb 1 euro (dit zou 1.5 miljoen Euro in het laatje brengen) en ja over dat geld moet goed worden nagedacht (stop met het te verspillen aan halfslachtige awarenesswebsites maar zet het prioritair in op het opsporen en oplossen van problemen en incidenten)

    Het is immers zo - en dat is de businesscase voor deze 'tax' of 'securitybijdrage' - dat door organisaties als de CERT het aantal incidenten dat een invloed kan hebben op de reputatie van het Belgische internet of de .be extensie uitstekend kan blijven en dus dat de waarde van de .be domeinen en de global reach van de dienstenleveranciers die .be gebruiken gehandhaafd kan blijven

    de mensen bij .be weten maar al te zeer hoe snel het kan gaan vooraleer een zogenaamd opgelost incident zich opeens opnieuw kan stellen omdat men van foute veiligheidsonderstellingen uitging (ja botneteigenaars kopen hun domeinnaam zelfs na 3 jaar weer op omdat ze denken dat ze er nog altijd PC's mee zullen kunnen recupereren)

    if you pay peanuts, you get monkeys - wel in de ZOO die het internet is zullen de apen met uw klanten en infrastructuur spelen alsof het speelgoed is vanaf het moment dat u even de aandacht laat gaan of omdat u niet over de noodzakelijke steeds zwaardere investeringen beschikt om te kunnen bijhouden - zeker nu dns installaties en certificaatverspreiders gericht en professioneel permanent worden aangevallen

    je kan het als een overwinning beschouwen, maar de vragen en issues die hierboven staan blijven overeind en zullen dus op een bepaald moment toch terugkomen. Misschien niet nu omdat u sterk bent - maar vanaf dat u ergens even de aandacht hebt laten verzwakken of toont dat u totaal niet bereid bent om naast uw commerciële rol ook een verantwoordelijke maatschappelijke rol te spelen

  • nieuw wetsontwerp Digitale economie is duidelijk over domeinkaping en waarom DNS.Be preventiever moet werken

    Duidelijker dan dat kan niet (nu nog preventief werken zodat men niet verplicht wordt om permanent procedures te moeten starten om dergelijke aanvallen op je online reputatie (het belangrijkste online goed) te stoppen

    Hoofdstuk 8. Het registreren van domeinnamenArt. XII.22. Het is verboden om zonder enig recht of legitiem
    belang jegens die domeinnaam, en met het doel eenderde te schaden of er een ongerechtvaardigd voordeel uit
    te halen, laten registreren door een officieel erkende instantiegemachtigd voor registratie, al dan niet via een tussenpersoon van een domeinnaam, die ofwel identiek is aan, of die zodanig overeenstemt dat hij verwarring kan scheppen met, onder meer, een merk, een geografi sche aanduiding of een benaming van oorsprong, een handelsnaam, een origineel werk, een naam van een vennootschap of van een vereniging, een geslachtsnaam
    of de naam van een geografi sche entiteit, die aan iemand anders toebehoort.


    Art. XII.23. Artikel XII.22 wordt toegepast onverminderd andere wettelijke bepalingen, meer bepaald elke wettelijke bepaling tot bescherming van merken, geografi sche aanduidingen en benamingen van oorsprong, handelsnamen, originele werken en alle andere voorwerpen van intellectuele eigendom, namen van vennootschappen en verenigingen, geslachtsnamen, namen van geografi sche entiteiten, alsook elke wettelijke bepaling inzake oneerlijke mededinging, marktpraktijken en voorlichting en bescherming van de consument. De geschillen voortvloeiend uit het recht op vrije meningsuiting

    Opmerking : dit is - je hoort het van een oudstrijder - enkel mogelijk indien men op basis van een serie kernwoorden en trademarked namen bij dns.be niet toelaat dat dergelijke namen worden geregistreerd door andere personen dan de diensten die deze bedrijven en instellingen daarvoor hebben aangewezen (en dit zonder te moeten betalen voor een monitoringservice :)

    In feite mag DNS.Be hierna blij zijn als ze niet zal worden vervolgd wegens schuldig verzuim, het niet handelen als een goed huisvader of zelfs impliciete medeplichtigheid bij vb het verkopen van vb mastercardservices.be dat dan zou worden gebruikt binnen de 4u om mensen op te lichten

  • DNS websites are very critical to your security and availability (2 examples)

    * ddosattacks interrupted the availability of millions of .cn website, some suffered 32% less visitors 

    http://www.theage.com.au/it-pro/security-it/chinas-internet-registry-suffers-largest-ever-attack-20130827-hv1iy.html

    * Google.ps (palestine) was redirected by hackers in the DNS server to an anti-israeli website

    http://www.bloomberg.com/news/2013-08-27/hackers-redirect-google-palestine-users-to-anti-israel-website.html

    the same was the case with Twitter overnight

  • how your internal intranetname can arrive on the internet

    As discussed in an advisory (PDF) issued by the Internet Corporation for Assigned Names and Numbers' (ICANN) Security and Stability Advisory Committee (SSAC) on Friday, a common practice by certificate authorities (CAs) is to issue digital certificates, even when the organisation requesting them provides a non-fully qualified domain name.

     

    These "internal name" certificates are meant to be used for domains on private networks, such as server1.company.corp, that were never intended to be public facing. While this affords companies a convenient way to securely reference servers within their network, the internal name of their domains can potentially collide with gTLDs that either already exist or are being applied for.

     

    This theoretically affords an attacker the ability to apply for a site certificate for a gTLD before it is approved, then once the target gTLD passes approval, the attacker has a signed certificate that can be used to conduct man-in-the-middle attacks.

     

    "If an attacker obtains a certificate before the new TLD is delegated, he/she could surreptitiously redirect a user from the original site to the attacker site, present his certificate, and the victim would get the Transport Layer Security/SSL (TLS/SSL) lock icon," the advisory read.

     

    Testing the theory, a SSAC researcher applied for an internal name certificate for www.site, and although the CA asked the requester to confirm it was for internal use only, approved its issuance. Armed with a certificate, the researcher then set up www.site, and found that several modern browsers recognised the certificate as though it had been issued for the gTLD and not an internal server.

     

    The problem is not confined to new domains, and is potentially already a problem. As part of its research, SSAC noted that as well as listing valid entries for its business, Australian clothing retailer Quiksilver's certificate lists internal names ending in .corp — a gTLD that has recently been applied for.
    http://www.zdnet.com/slow-clap-internal-certificates-can-hijack-gtlds-7000012712/

    this means that you will have to look here if the domainnaam you use is for your intranet is on the list of all the new domains (and for ssl providers some will have to update the list of acceptable domainnames for internal networks) and plan the change (because in bigger networks this may become a problem)

    If some firms have taken the samen domainextensions for their internal networks as they have asked for public use with Icann, they will have to think so that it is would not be possible to huppeldepup from a website to an internal domain

    https://gtldresult.icann.org/application-result/applicationstatus

  • new term : bitsquatting (getting visitors with hardware problems)

    Bitsquatting refers to the registration of a domain names one bit different than a popular domain. The name comes from typosquatting: the act of registering domain names one key press different than a popular domain. Bitsquatting frequently resolved domain names makes it possible to exploit computer hardware errors via DNS
    http://dinaburg.org/bitsquatting.html

    so when the hardware has these hardware memory problems with some bytes, than the site doesn't arrive at for example cnn.com but ccn.com and if that site is infected or whatever than the user can be attacked, spoofed or whatever

    on a few billion machines connected to the internet you may be sure that for all the highlevel domainnames it stays a good business to take all the nearby domainnames, even when people type the right domainnames

    this changes also the whole discussion about the registration of such domainnames because if these domainnames would be so easily abused without any knowledge or interference from the user, than those users need to be protected or alerted (especially if these domainnames are known to be attack, spoof or advertising-spam sites). The user should still have the possibility to correct this (even if he won't understand why he arrived there and even if it is not that easy to correct this corrupted memorycache problem)

  • the full list of new domainextensions that are proposed for 2012

    http://www.newgtldsite.com/new-gtld-list/

    the list is that extensive because nobody knows when the next round will come - so if you didn't ask it, it may be 5 years before the next round will come around - so ready or not - you just ask

    also there is the first come first get rule, if you didn't ask it, maybe somebody else will claim it or will have better rights to get it the next time around because he already asked for it

    secondly many of those may be used for purely internal DNS reasons (international companies, governmental networks) to make it easier in these times of clouds and extended networks and mobile workers to organise all your installations, networks and sites into one network

    but there are many new extensions that I like because you could use them for international companies - even as an internal DNS or network

    For belgium one should look out for

    BRUSSELS - Ghent - Vlaanderen

    .wal(lonia) will be the only Belgian region without its own domainextension (internal or internet) but they find it too expensive and say that there brand is wallonia.be

    how many people will type in those long other Belgian domainnames is another matter except if you make an urlshorterner service  otherwise imagina     vb gezondheidszorg.vlaanderen

    ik stel voor dat we de volgende domeinnamen al blokkeren 

    fransin.vlaanderen   nietwelkomin.vlaanderen   mijdt.brussels   vuil.brussels   (en dat zijn er nog deftige .....)

    anders is je domeinextensie in drie minuten een boemerang

  • how many domainextensions does Belgium need ?

    a domainextension is what you see behind the name, it is the .com or .be or .net that you see. Untill now these domainextensions have been organised around the country that every country had its own (few exceptions) and that aside where a few generic domainextensions. The number of Generic domainsextensions only kept growing and now ICANN has decided that every city or brand or region or whatever can organize its own domainextensions if it is willing to pay the (huge) price. Now a lot of multinationals are counting how much they spend on all these websites on all these extensions and if a seperate domainextension (coca) wouldn't be cheaper and more effective. It is more easy to say to that only the  .coca or .fortis domainnames are legal and that all the rests are frauds than to try to buy all the domainnames and their variations in all the different domainextensions.

    That is the good part and that is why I support it - even if I think that the price for your own domainextension is much too high.

    the problem now is what all these different domainextension will do. If they are going to have a very lax dns infrastructure and registration policy than we won't have to do with a real business of business hacking and redirecting but also with tenfold of frauduluous domainnames. The result may even be that some or most of these new domainextensions will be blocked entirely by the webfilters.

    Belgium will problably have two new domainextensions

    .gent (the unknown diamond of Belgium according to some)  this is in my opinion stupid because you limit yourself to the flemish name of the city .ghent would be better

    .vlaanderen (who will remember that outside vlaanderen)

    the biggest problem will be the operational level. If we don't want any cowboys or amateurs managing domainextensions we should oblige them to be certified and work with certified people and to have someone with a certified dns securitycertificate . We should also make yearly reports about the way in which they did their work and the number of incidents and frauds that were found in their domeinzone and how they did respond. We should takeover and transfer the management of domainextensions that are so badly operated that they are a danger for the whole internet or DNs infrastructure.

    I think that in Belgium dns.be should evolve from the operator for .be to a general operator for all the domainextensions in Beligum. They have proven the last year that they have understood that security is the one of the most important factors of trust and that you need trust to be able to sell enough domainnames to make some money that you can reinvest in your infrastructure.

    If for some political or private reasons the new domainextensions want to restart from zero, they shouldn't be surprised that the security community will have no mercy if they make mistakes and are being found amateurs.

    For .ghent it a new firm set up by some ex employees of dns.be that say they will handle and finance it. It seems to be their first experience 'on their own'. a chance or a risk it is from which perspective you look at it.

    for other domainextensions, you should have your plan and  your demand ready by more and contact the ICANN who probably will decide by october which new domainextenions will be accepted

    there is a possibility that if you aren't ready now or want to look first how it goes that there won't be a second round because there were too many incidents, because there is no will to do it all over again, because there are already enough of them now, because everything has to be reviewed before and that can take years and so on. so even if you don't make it fully operational or only want to use for internal communication in the first place, you should consider jumping on the first train. You can find it difficult to explain to your CEO or political boss that you didn't want to have - even a formal demand - because you wanted to be prudent - while it maybe the case that there will not be another chance after - or that it can take up to 2 to 3 years before you can introduce a new demand. And 200.000 dollar in a communication budget of an international firm or big government is peanuts.

    which other domainextensions should belgium have

    .flanders  (instead of vlaanderen)  or .vl

    .ghent (instead of gent)

    .bruges (instead of brugge)

    .bru (for brussels, bruxelles and brussel)

    .wal (for wallonia)

    and meanwhile Google will have a field day because without Google we won't be able to locate any content

  • DNS .be starts controlling new domainnames before activating them

    There is a new leadership around at DNS.Be and maybe our battering on security had some effects but the new head of DNS.Be says that every day they go manually over all the new registered .be domainnames and throw out these that are malicious or need more investigation.

    According to the chief of DNS.Be they have already thrown out a whole bunch of domainnames.

    It doesn't have to be a manual operation although, but that there is at least some controls and checks is already a good step in the right directio. The advantage is that after a while you will be so accostumed to the flow of registrations that you will develop a knowledge and a gutfeeling that will become your maintool for doing this job is an ever diminishing timeframe. 

    the second step should be to set up a warning and information exchange system between dns.be and other domainextension operators so that registrations that were flagged or blocked or stopped in one domainzone are also blocked in another if it has the same characteristics.

    and after a while you will have a secret database with the historic information about the registrations of all these malicious domainnames (thousands every day).

    Even if it doesn't stop the cybercriminals we shouldn't make it too easy either

    and the next step would be that domainnames or registrars that have been flagged can't use anonymization services for the dns or whois anymore.

    The report that has shown that .be was the fifth biggest victim of fastflux domainname registrations had some effect.

  • protecting Belgian politicians in cyberspace from domainsquatting

    So we are talking about domainsquatting which is registering a domainname for a person or brand that is not yours and for which you have no objective reason to claim it

    It is not cyberspeech - for example boycotxxx.be or neenaanxxxx.be - or domaintyposquatting in which only a letter changes - for example www.diirupo.be or di-rupo.be

    According to Belgian law it is illegal to do but as long as DNS.Be continues to sell domainnames as if they are soap and doesn't control anything - even if the list of politicians is free to download from the net and can be integrated in a database - situations like the following will continue to happen.

    An elected representative was quite astonished when a french newspaper published an article about her outrageous personal website that proves that her party (NVA, quite seperatist) is in fact extremist and not a moderate party. The website in question was a full with negatitionist articles, pedoconspiracies and that kind of stuff

    It seems that our Belgian international neonazi and publisher of negationist material who was condemned already several times had registered her personal domainname ingefaes.be (now inactive)

    DNS.Be has in the meantime not taken any steps to block the ownership so the domain can't be transferred to anybody else untill a decision has been made about the legality and even more the opportunity of this action

    Naam ingefaes
    Status REGISTERED
    Registratie 25 juli 2010
    Laatste wijziging 26 juli 2010 0:06
    Licentienemer
    Taal Engels
    E-mail verbekeherbert@yahoo.com
    Onsite contactpersonen
    Naam Herbert Verbeke
    Taal Engels
    Adres
    E-mail
    Registrar
    Organisatie Key-Systems GmbH
    Website www.key-systems.net
    Nameservers
     
    ns45.domaincontrol.com    
    ns46.domaincontrol.com  

    but it is really strange that on verkiezingssite.be in 2009 she gave that site as her personal site

    probably she forgot to renew it or didn't know what to do with it but she can't blame the media who doesn't know her that it was her site. They could have contacted her, yeah.

    but after all, was it worth all that trouble, those 30 Euro's a year for your .be domainname.

    because as you see, dns.be will seel domainnames like soap, so long the politicians finally don't stop this.