Probably on balance a good thing
...but not without some expected collateral damage.
Telstra is preparing to get proactive with malware, announcing that it will be implementing a DNS-based blocker to prevent customer systems from contacting known command-and-control servers. The “malware suppression” tool will be introduced at no cost for fixed, mobile and NBN customers using domestic broadband and Telstra …
using the Telstra DNS servers ages ago, after I installed Comodo Dragon, Comodo's variant of Chrome. It gives you the option to use their SecureDNS service in order to help filter out dodgy websites.
Very soon I shall be ditching their service altogether and going with someone more reliable.
I just want to point out that a DNS blocklist as described (and though I do work for Telstra, I have no direct visibility of what's happening here) won't block sites that share an IP address with a C&C site.
As described the "filter" looks for the DNS query to badguy.domain.com and either blocks or ignores those queries. So when you look up "goodguy.mysite.com" it won't match the bad site DNS name, and your query (and connection attempt) proceeds.
I'm not a fan of filtering/blocking etc; be it whitelisting, blacklisting, or using a black box list of "stuff someone claimed was bad". But let's argue about the right stuff :)
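The comment above describes a name-based filter: the resolver matches the queried hostname against a list of known C&C names and suppresses the answer, so a legitimate name that happens to share an IP address with the C&C host still resolves. The following toy model is an added example (not Telstra's or The Register's code); the zone data, the blocklist entries and the function names are all constructed for illustration. It also shows, for contrast, the collateral damage an address-based block would cause on shared hosting, which is the trade-off the thread title alludes to.

```python
"""Toy model of an ISP resolver with a hostname blocklist (constructed example)."""
from typing import Dict, Optional, Set

# Constructed "authoritative" data. The C&C name and an unrelated legitimate
# name deliberately share one shared-hosting address.
ZONE: Dict[str, str] = {
    "badguy.domain.com": "203.0.113.10",
    "goodguy.mysite.com": "203.0.113.10",
    "www.example.net": "198.51.100.7",
}

# Constructed blocklist of known C&C hostnames (what the threat feed would supply).
BLOCKLIST: Set[str] = {"badguy.domain.com"}


def _normalise(name: str) -> str:
    """Strip a trailing dot and lower-case, so matching is case-insensitive."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """Name-based match: the query name itself, or any parent domain of it, is listed.

    Matching parents means a listed C&C domain also covers its subdomains, which is
    how RPZ-style resolver filters are commonly configured (assumption, not Telstra's
    documented behaviour).
    """
    labels = _normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def resolve(qname: str, zone: Dict[str, str] = ZONE,
            blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return an address, or None when the resolver suppresses the answer."""
    if is_blocked(qname, blocklist):
        return None
    return zone.get(_normalise(qname))


def names_sharing_address(addr: str, zone: Dict[str, str] = ZONE) -> Set[str]:
    """Every hostname an address-based block of `addr` would take down with it."""
    return {name for name, ip in zone.items() if ip == addr}


if __name__ == "__main__":
    for name in ("badguy.domain.com", "goodguy.mysite.com", "www.example.net"):
        print(f"{name:22} -> {resolve(name)}")
    # Name filtering leaves goodguy.mysite.com reachable; blocking the address
    # instead would also break it:
    print("address block of 203.0.113.10 would hit:",
          sorted(names_sharing_address("203.0.113.10")))
```

Run it and the C&C name returns no answer while the co-hosted legitimate name still resolves to 203.0.113.10; the last line lists both names as casualties of an address-level block, which is why ISPs filter on names despite the gap the comment points out.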
This might be effective for about 30 seconds. Media releases like this just let the malware writers know what happened when a big chunk of their botnet goes quiet.
In this case they will just modify their code to query a different DNS server and bam, back on line.
bam, back on line
Temporarily. The bad guy's new DNS will start receiving a lot of suspicious traffic, at which point Telstra sends the new DNS details to ??? in California, who reply that yes the new DNS is bad, and Telstra blocks the new one.
The important question is: how quickly will each new bad DNS be identified and blocked?
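The exchange above turns on one detection signal: once a resolver-level block is in place, infected hosts that switch to a different DNS server show up in the ISP's traffic as DNS sent somewhere other than the sanctioned resolvers. The script below is an added example (not Telstra's code or any real product) of that check run over constructed flow records; the resolver addresses, the flow lines and the threshold are all assumptions. It flags hosts whose DNS traffic mostly bypasses the ISP resolvers, which is the "suspicious traffic" the reply expects to appear.

```python
"""Flag hosts whose DNS traffic bypasses the ISP's resolvers (constructed example)."""
from typing import Dict, Iterable, List, Set

# Constructed: the ISP resolver addresses customers are expected to use.
SANCTIONED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}

# Ports carrying plain DNS (53) and DNS over TLS (853). DNS over HTTPS rides on
# 443 and cannot be told from web traffic by port alone, so it is out of scope.
DNS_PORTS = {53, 853}

# Constructed flow export, one record per line: "epoch src dst proto dport packets".
SAMPLE_FLOWS = """\
1700000000 10.1.1.5 192.0.2.53 udp 53 4
1700000001 10.1.1.5 93.184.216.34 tcp 443 30
1700000002 10.1.1.9 198.51.100.99 udp 53 120
1700000003 10.1.1.9 198.51.100.99 udp 53 118
1700000004 10.1.1.7 192.0.2.54 udp 53 2
1700000005 10.1.1.7 203.0.113.9 tcp 853 6
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "packets": int(pkts)})
    return flows


def dns_usage(flows: Iterable[dict],
              sanctioned: Set[str] = SANCTIONED_RESOLVERS) -> Dict[str, dict]:
    """Per source host: DNS packets to sanctioned resolvers vs. to anything else."""
    usage: Dict[str, dict] = {}
    for f in flows:
        if f["dport"] not in DNS_PORTS:
            continue  # not DNS on a recognisable port
        rec = usage.setdefault(f["src"], {"sanctioned": 0, "foreign": 0,
                                          "foreign_resolvers": set()})
        if f["dst"] in sanctioned:
            rec["sanctioned"] += f["packets"]
        else:
            rec["foreign"] += f["packets"]
            rec["foreign_resolvers"].add(f["dst"])
    return usage


def bypassing_hosts(usage: Dict[str, dict], min_packets: int = 10) -> List[str]:
    """Hosts that send a material amount of DNS elsewhere and more of it than to the ISP.

    The threshold (assumed) keeps a one-off lookup to a public resolver from paging
    anyone; a host that has abandoned the sanctioned resolvers entirely is the
    strongest signal.
    """
    return sorted(h for h, r in usage.items()
                  if r["foreign"] >= min_packets and r["foreign"] > r["sanctioned"])


if __name__ == "__main__":
    report = dns_usage(parse_flows(SAMPLE_FLOWS))
    for host in bypassing_hosts(report):
        print(host, "->", sorted(report[host]["foreign_resolvers"]),
              f"foreign={report[host]['foreign']} sanctioned={report[host]['sanctioned']}")
```

With the sample data only 10.1.1.9 is reported: all of its DNS goes to an unknown resolver, while 10.1.1.7's handful of DoT packets stays under the threshold and 10.1.1.5 uses the ISP resolver as expected. The foreign resolver addresses the script collects are exactly what the reply imagines being sent upstream for classification, so the speed of that loop, the question the comment ends on, is measured from this point.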
Telstra already redirects DNS queries for non-existent domains to some advertising page in violation of DNS specs. You can opt out of this behaviour by manually configuring a different Telstra DNS server. Sadly this service has a high rate of false negatives which is probably also in violation of specs. It will occasionally tell me that sites like google.com or even theregister.co.uk don't exist ... until I push reload. I'm sure their new blocking rules will only make their DNS service even more reliable.