<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";
mso-ligatures:none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoPlainText>The use case I'm defending against have been recent reports of standard <b>looking</b> domains with Greek or Cyrillic characters that appear like very similar to their Western alphabet counterparts: CitiBank.com vs. CitiB(Greek alpha)nk.com, (I don’t think this comes through the mailing list) CitiBank.com vs. CitiBαnk.com.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I click on the link and maybe behind the page, the browser translates it to something else, but all I see is what looks like my Bank’s URL until it’s too late.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText style='margin-left:.5in'><a href="https://www.whois.com/whois/citibank.com">https://www.whois.com/whois/citibank.com</a><o:p></o:p></p><p class=MsoPlainText style='margin-left:.5in'><a href="https://www.whois.com/whois/citib%CE%B1nk.com">https://www.whois.com/whois/citib%CE%B1nk.com</a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>BTW, that last domain is available!<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>If once a year that means I can’t download the driver for my LILYGO T-SIM7000G without special effort… s’be’it. That would be a purposeful measured action. I know it’s narrow minded and everything, for my personal/household daily surfing, I’m just not interested in IDN (<a href="https://newgtlds.icann.org/en/about/idns">https://newgtlds.icann.org/en/about/idns</a>). <o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Given that the risks are real, I’m back in the white-bread ‘murica only Internet where a URI/URL was<o:p></o:p></p><pre> “<span style='color:black'>A URI is composed from a limited set of characters consisting of<o:p></o:p></span></pre><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'> digits, letters, and a few graphic symbols. A reserved subset of<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'> those characters may be used to delimit syntax components within a<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'> URI while the remaining characters, including both the unreserved set<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'> and those reserved characters not acting as delimiters, define each<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'> component's identifying data.” </span>(RFC3986, RFC3305 or even earlier)<span style='font-size:10.0pt;font-family:"Courier New";color:black;mso-ligatures:none'><o:p></o:p></span></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Specific answers to your ?s: “Burton, the feature you are asking for would be blocking IDNA domains?” YES<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>As for your scale question, my firewall is a disgustingly beefy 65W i5-8400 (Coffee Lake) with 6 cores and 24Gb of RAM. Load average is 0.00. Free memory is 22.9GiB. I upgraded packages this morning and dnsmasq has used 7 seconds of CPU in 5 hours.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>(What can I say? It was the cheap box that week at MicroCenter when I went shopping – in my hands NOW instead of waiting two weeks for box half as capable to save $100??) (Could I run it as a VM on my ESXi box? Sure – I used to do that before I decided to use a real NIC for the firewall instead of a USB “gigabit” ethernet adapter) (But where is the fun in THAT?)<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Burton<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>-----Original Message-----<br>From: Dominik Derigs <dl6er@dl6er.de> <br>Sent: Thursday, May 11, 2023 11:40 AM<br>To: Petr Menšík <pemensik@redhat.com>; dnsmasq-discuss@lists.thekelleys.org.uk; B@us <burton@burtonstrauss.us><br>Subject: Re: [Dnsmasq-discuss] Filtering non-latin1 or non-ASCIII dns requests?</p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Hey Burton and Petr,<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On Wed, 2023-05-10 at 21:12 -0500, B@us wrote:<o:p></o:p></p><p class=MsoPlainText>> domains that don’t match \.[A-Za-z0-9]\.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>You'd probably want to allow for - and _ too but Petr has the better idea how to achieve this:<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>On Thu, 2023-05-11 at 17:56 +0200, Petr Menšík wrote:<o:p></o:p></p><p class=MsoPlainText>> reject all IDN names, which start with xn-- prefix<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Even when truly non-ASCII domains would be possible (dig äöü), none of the larger registrars allow registering such domains directly and will always Punycode translation of the Unicode representation of the language-specific alphabet.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Burton, the feature you are asking for would be blocking IDNA domains?<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Petr, I concur that this should be handled at a larger scale, however, I do also think it'd be okay to have such a feature when the administrator of a local dnsmasq says that international domains aren't something that will happen at their place and wants some extra protection against such letter confusion "attacks".<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Best<o:p></o:p></p><p class=MsoPlainText>Dominik<o:p></o:p></p></div></body></html>