Tell HN: U.S. gov't blacklisted all DNS entries pointing to Linode machines
68 points by kljensen on March 5, 2010 | 25 comments
This means DNS queries will not resolve for government employees if they point to Linode hosted machines.

I've verified this with USMC, USDA, & Sandia national lab. Heard that the top level domain linode.com was black holed due to its association with malicious activity as per a US-CERT Situational Awareness Report 10-015-01A UPDATE.

This is a big pain in the butt for those of us that are grant funded or work with the U.S. Government.




The less the government sees of the internet, the less they interfere with it. I hope they blacklist the entire thing.


Yep, one more reason to use Linode.


> This means DNS queries will not resolve for government employees if they point to Linode hosted machines.

This is total FUD. Please check your statements for accuracy.


I agree. I work in a govt agency and while linode.com is blocked, I can still access my site that is hosted at linode as well as the linked site below in comments. Searching us-cert for linode turns up the following: http://www.us-cert.gov/cas/techalerts/TA10-055A.html


I work for a gov agency and both linode and hosted sites work for me.


Not FUD. Verified for multiple cases in which a CNAME points to a linode XXX.members.linode.com address.

I'm guessing the variance is due to different agencies implementing different security stuff. Again, 3x verified & no intent of FUD --- I love linode.
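Added example, not part of the thread: one way a site operator could check whether a hostname depends on a blocked zone. It assumes the block is a resolver that refuses any name under `linode.com`, which would let a direct A record resolve while a CNAME into `members.linode.com` fails. All records, names and addresses are constructed samples.

```python
# Assumption: the filtering resolver refuses any query name under a blocked zone.
BLOCKED_ZONES = {"linode.com"}  # zone the thread reports as black-holed

# Constructed sample records (documentation names and addresses, not real hosts).
RECORDS = {
    "direct.example.org": ("A", "192.0.2.10"),
    "www.example.org": ("CNAME", "li000-00.members.linode.com"),
    "alias.example.org": ("CNAME", "www.example.org"),
    "li000-00.members.linode.com": ("A", "192.0.2.10"),
}


def in_blocked_zone(name, zones=BLOCKED_ZONES):
    """True if name is a blocked zone apex or any name beneath it."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def resolve(name, records=RECORDS, zones=BLOCKED_ZONES, max_hops=8):
    """Follow the CNAME chain the way a name-filtering resolver would.

    Returns (status, chain, address); status is OK, BLOCKED, NXDOMAIN or LOOP.
    """
    chain = []
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        chain.append(current)
        if in_blocked_zone(current, zones):
            return ("BLOCKED", chain, None)  # this hop is never answered
        record = records.get(current)
        if record is None:
            return ("NXDOMAIN", chain, None)
        rtype, value = record
        if rtype == "A":
            return ("OK", chain, value)
        current = value.rstrip(".").lower()  # CNAME: continue with the target
    return ("LOOP", chain, None)  # chain too long or circular


if __name__ == "__main__":
    for host in ("direct.example.org", "www.example.org", "alias.example.org"):
        status, chain, address = resolve(host)
        print(f"{host}: {status} via {' -> '.join(chain)} {address or ''}")
```
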


This reminds me of when I worked tech support for a big US ISP. I would get calls from users who couldn't connect to certain .mil sites because they had an IP ending in zero (x.x.x.0). The only solution was to reset their modem and hope the DHCP server would give them a new IP that didn't end in zero.


> Heard that the top level domain linode.com was black holed due to its association with malicious activity [...]

Reading this sentence reminded me of Google using Linode when that incident happened with Chinese hackers.


http://blog.linode.com/2010/01/15/linode-and-the-google-cybe... "No Linodes were involved in malicious activity related to this event. In fact, it was Google itself that chose to use Linode to aid in their investigation of the attacks"



So, McAfee identifies a single node as "associated" with the incident: li107-40[dot]members[dot]linode[dot]com. And Linode has a post which specifically references a single node being associated but under Google's control and not malicious control at all times.

Doesn't appear to me that there's any contradiction. There is no evidence that a Linode was used for anything malicious. There is evidence that a Linode was used.


From the cert page:

"the following malicious domains were identified"


I think the real issue here is just letting anyone use your servers for whatever they want. It's a big problem in the cloud because even there, you're guilty by association.

The cloud providers are going to have to be more scrupulous about who they allow to use their infrastructure if they don't want to tarnish the image of their upstanding customers.


I wouldn't use any provider that took an active interest in monitoring my traffic or examining my VPS.


It's not about that, it's about figuring out who you are before you sign up.


How? By adding an "Are you a terrorist?" checkbox in the signup form? Doing a full CIA scan for all new users? Maybe they should require a web serving license issued by the govt, like they do for guns?


There are ways that are less intrusive, but still somewhat effective. Security is mostly about probabilities. The more circles you remove from the venn diagram, the lower the probability of problems.

So if you remove everyone from China, sure, you remove a lot of fine customers, but you also remove a huge swath of the internet crime rings. Require a US based address. Email the people and have a conversation. Require a phone call.

It's the same as renting out an apartment. If you start renting your apartments to criminals, pretty soon, all you'll have is criminals.


Set up a reverse proxy somewhere for your government friends to use.


Ugh, Linode is our reverse proxy.


Try Chunkhost, free beta.


Can anyone check to see if http://matt.might.net/ is blocked?

I host it on a linode.

Thanks!


My brother in the Army can still see it, so it's apparently not all government.

By the way, he can't get to Hacker News.


I work under DOI and it works for me.


Do you have a direct link to this CERT awareness report? Google-fu is failing me at present.


WTF. I host in Linode.



