Re: DNS Scanning for blocking

[Abe Getchell <agetchel () KDE STATE KY US>]

Hi Zeffie,
        I will give you advice, but in return ask for one pass to the
establishment in question.  Leave it at the front door and tell 'em my name!
=D  Seriously though...
        What they're doing isn't illegal, at least in Kentucky.  There was a
law was passed back in 1998 (SB230) which required us (being the Department
of Education) to provide filtering services for all of our 1400 schools
across the entire state.  These filtering services must keep K-12 students
(or at least make it reasonably difficult for them) from accessing
pornography on the Internet.  A lot of the filtering is being done by
programs like the one you mention.  So instead of being illegal, it is
actually explicitly _legal_ for them to do this here.  Keep in mind that
you're dealing with two different issues here: them scanning your network,
and them adding your domain to a list that they block access too using their
product; I speak above too the latter of these issues.  As to the issue of
the scan, it is actually explicitly _illegal_ here in Kentucky as there are
local laws which state that a 'probe' against a computer network is a
jailable offence.  Check your local laws and proceed with caution; I'd
imagine these guys pay a lot of money every year for legal assistance.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: Zeffie [mailto:zeffiechat () HOTMAIL COM]
> Sent: Thursday, December 21, 2000 4:41 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: DNS Scanning for blocking
>
>
>     I Host a site for the local strip club and lately I
> started getting
> messages like this for several domains.
>
> Dec 20 01:13:22 www named[2105]: unapproved AXFR from
> [157.167.1.21].4238
> for "theirdomain.NET" (acl)
> Dec 20 01:13:23 www named[2105]: unapproved AXFR from
> [157.167.1.21].4239
> for "theirdomain.NET" (acl)
>
> I checked into it and found that surfcontrol is responsable
> for this.  They
> are doing it to confirm their "Block Lists" are correct.  So
> they can block
> the domains from being accessed by employees/customers of
> bussiness that
> they sell their product to.
>
> So am I crazy or did they scan my network with the intent of blocking
> traffic and thereby causing me direct finanical losses?  Is
> what they are
> doing legale?  Have they broken the law in several states?
>
> Zeffie
> (Michigan)