- WebmasterWorld
-- Webmaster General
---- Free Dynamic DNS Services Pose Massive Security Threats


mikedee - 7:46 pm on May 5, 2008 (gmt 0)


Are you proposing a whitelist of DNS servers or a blacklist?

A whitelist would cause an extreme amount of pain to a lot of webmasters, especially if each ISP had a different whitelist. Anyone who has dealt with services like SpamCop will know how hard it is to be added to a whitelist or removed from a black one. After a certain point these list keepers do not care about the little guy and people will be forced to pay a lot for the whitelisted DNS services.

A blacklist would be ineffective because the bots can act as DNS servers and we would have the same fast-flux problem that we have now, except it will be one level up. Thousands of domains can be pre-registered and swapped in the same way as subdomains are now.

This is a genuinely hard problem, much like the spam problem. Personally I think that the solution is in hardening the operating systems and browsers. Vista comes a long way in this respect, so we will wait for XP to die out before doing anything that will impact the openness of the internet. Look at the state of SSL certificates now; that is what we have to look forward to if ISPs implement a whitelist for DNS servers.

There is some interesting information on locking down applications on the Google Developers Podcast (the one about Android). It is Linux specific and for a mobile, but the same principle could be used to make a secure desktop without losing functionality.


Thread source: http://www.webmasterworld.com/webmaster/3642155.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com