Nxdomain redirect revenue

Just an fyi for anyone who has a marketing person dreaming up a big nxdomain
redirect business cases, the stats are actually very very poor... it does
not make much money at all.

It is very important to ask the redirect partners about yields... meaning,
you may find that less than 5% of nxdomain redirects can be actually served
an ad page because 95%+ of nxd are printer lookups and such that cannot be
served an ad page. Then from that less than 5% pool, the click through
rates are around 1%

Net net, no free money of any meaningful value. But, ymmv... but I don't
think by much.

Cb

that's some interesting data points, thanks!

Not to take any position on there being a "business case" for NXDOMAIN
redirect, or not but.... the percentage of NXdomain redirects that
actually serve ads isn't too important. It's absolute numbers that
matter, even if it's just 1% of NXDOMAINS by percent.

The rest of the 99% are referred to as "noise" and aren't relevant for
justifying or failing to justify.

The important number is at what frequency the _average_ user will
encounter the redirect while they are surfing. If a sufficient
proportion of their users see the ads at a sufficient rate, then they
will probably justify whatever cost they have for the ad serving.

When they are doing this crappy stuff like redirecting google.com DNS to
intercept search requests; I have little doubt that they are able to
inject sufficient volume of ads to make some sort of "business case"
behind the hijacking evilness.

Regards,

--
-JH

I think a special mention should go to hardware vendors who adopt this
dreadful practice in network equipment. I recently encountered an
enterprise-grade WLAN router from vendor D that has the horrible habit
of intercepting some % of queries to its local DNS cache resolver and
forwarding to an affiliate Yahoo! search page, lousy with ads, under
vendor D's control.

This includes things like www.google.co.uk. I don't manage this device
and therefore have opened a ticket with those who do to get them to turn
the damn thing off, while in the meantime adding *.[vendor D]search.com
127.0.0.1 to my /etc/hosts.

I must admit to being tempted to "fault" it with something heavy in
order to force its replacement:-)

But if anyone from vendor-D is on the list: congratulations, you've
managed to invent a network device that is by definition untrustworthy,
and I will never buy anything from your company.

It is not libellous to associate a vendor's real name with calmly stated
matters of objective fact concerning their products.

I'd be interested to know the particular model that you're referring to
here - like you, to put it on a list of kit that I will never buy.

Re: "enterprise-grade" - did you mean this as a compliment or an insult?

Nick

I would guess he is referring to this "Advanced DNS Security" misfeature :

http://www.dslreports.com/forum/r25921912-DLINK-Router-Advanced-DNS-Setup-Causing-Issues-

It's D-Link, if you hadn't guessed, and it's the DIR series.

Regarding "enterprise", these devices are not service provider kit but
they're not under-the-TV-set either, and our use-case is basically
typical of a branch-office set up. In which the DIR works really well,
if it didn't do demented things with DNS.

* Cameron Byrne:

> It is very important to ask the redirect partners about yields... meaning,
> you may find that less than 5% of nxdomain redirects can be actually served
> an ad page because 95%+ of nxd are printer lookups and such that cannot be
> served an ad page. Then from that less than 5% pool, the click through
> rates are around 1%

Is this with strict NXDOMAIN rewriting, or were existing names
redirected as well? (AFAIK, most platforms do the latter, hijacking
bfk.de, for example.)

I have no experience with hijacking real names, which others have noted is
evil.

Cb
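
Added example (not part of any list member's message): a check for the strict NXDOMAIN rewriting asked about above, which queries a resolver for random names that should not exist and flags NOERROR answers carrying records. The function names, the `www.<random>.com` probe pattern and the 192.0.2.10 sample address are assumptions made for illustration; the check does not detect redirection of names that do exist.

```python
import os
import socket
import struct
import sys

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` with transaction id `qid`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(response, qid):
    """Classify the reply to a query for a name that should not exist."""
    if len(response) < 12:
        return "other"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    if rid != qid or not flags & 0x8000:      # wrong id, or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"                     # honest answer
    if rcode == 0 and ancount > 0:
        return "rewritten"                    # NOERROR with records for a made-up name
    return "other"                            # NODATA, SERVFAIL, REFUSED, ...

def sample_response(query, rcode, addr=None):
    """Constructed reply for offline checks; adds one A record when `addr` is given."""
    head = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    answer = b""
    if addr:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return head + query[12:] + answer

def probe(resolver_ip, suffix="com", count=3, timeout=2.0):
    """Ask `resolver_ip` for `count` random names under `suffix`; return the verdicts."""
    verdicts = []
    for _ in range(count):
        qid = int.from_bytes(os.urandom(2), "big")
        # 64 random bits in the label: almost certainly not a registered name
        name = "www.%s.%s" % (os.urandom(8).hex(), suffix)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(build_query(name, qid), (resolver_ip, 53))
                verdicts.append(classify(sock.recvfrom(4096)[0], qid))
            except OSError:                   # timeout or unreachable resolver
                verdicts.append("other")
    return verdicts

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```

Run it with the resolver's address as the only argument; a list of "rewritten" verdicts means the resolver answers made-up names with records instead of NXDOMAIN.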

I'm curious, is there some belief that the use of the nxdomain
hijacking/rewriting is actually of use to 'users' ? (I'd seen folk
claim that the revenue was super-nice, and also it's super beneficial
to users...)

I don't happen to believe either of these reasons, cameron's note
about checking for the right set of numbers before signing contracts
seems to indicate that the revenue wasn't there either...

-chris

"of use to users" is, in general, incompatible with "race to the bottom".

my point is that on the one hand the marketeers say: "This is a great
help to your users who are confused by the missing dns entries! They
like it! It is a benefit and a comfort to them!"

and on the other hand: "You will make lots of mullah from the nxdomain
rewriting! it's wonderful!"
  (plus some mumbling about, why would you want to give that money
away to the content providers of the world for free?)

-chris
(I don't believe that it's a great help, nor that customers actually
WANT it, nor that it makes great gobs of money... but I'm willing to
be educated)

s/mullah/moolah/ :( context switch fail.

Has anybody tried bringing a criminal complaint for interference with
computer (network) data?

Certainly, hijacking google.com NS records to JOMAX.NET would be a
criminal interference. After all, that's all DNSsec signed now,
isn't it?

Arguably, substituting a false reply for NXDOMAIN would be, too.

It's time to find a champion to lead the charge. Maybe Google?

[snip]

> Certainly, hijacking google.com NS records to JOMAX.NET would be a
> criminal interference. After all, that's all DNSsec signed now,
> isn't it?

I would rather see DNSSEC and TLS/HTTPS get implemented end to end.
The last thing we need is a court to step in and say "It's not legal
for an ISP to blacklist, block, or redirect traffic, to any hostname or
IP address."

Most likely the ISPs' lawyers were smart enough to include a clause in
the ToS/AUP allowing the ISP to intercept, blackhole, or redirect access
to any hostname or IP address.

The name for an ISP intercepting traffic from its own users is not
"interference" or "DoS", because they're breaking the operation of (er)
only their own network.

The solution is to spread their name as widely as possible, so consumers
can make an informed choice if they wish to avoid service providers that
engage in abusive practices, and bring it attention to regulators if the
service providers are acting as an abusive monopoly in regards to their
interception practices.

> [snip]
> > Certainly, hijacking google.com NS records to JOMAX.NET would be a
> > criminal interference. After all, that's all DNSsec signed now,
> > isn't it?
>
> I would rather see DNSSEC and TLS/HTTPS get implemented end to end.

how does tls/https help here? if you get sent to the 'wrong host'
whether or not it does https/tls is irrelevant, no? (save the case of
chrome and domain pinning)

> The solution is to spread their name as widely as possible, so
> consumers can make an informed choice if they wish to avoid service
> providers that engage in abusive practices, and bring it attention to
> regulators if the service providers are acting as an abusive monopoly
> in regards to their interception practices.

sadly, not everyone has a choice in providers :(

Well, actually, Chrome-like domain pinning and/or using DNSSEC to verify the
provenance of an SSL cert is the whole reason Jimmy probably wants DNSSEC and
TLS...Unless you do that sort of stuff, there's no way to *tell* if you ended
up at the wrong host...

> [snip]
> > Certainly, hijacking google.com NS records to JOMAX.NET would be a
> > criminal interference. After all, that's all DNSsec signed now,
> > isn't it?
>
> I would rather see DNSSEC and TLS/HTTPS get implemented end to end.

They are.

> The last thing we need is a court to step in and say "It's not legal
> for an ISP to blacklist, block, or redirect traffic, to any hostname
> or IP address."

Don't distort my words. It amuses me when so-called conservative
cyber-libertarians hate the idea of courts stepping in to enforce
laws, except the laws governing their own contracts enforcing
payments regardless of the quality of their goods.

The cable and satellite industry forced through digital protection
acts -- to protect their revenue streams. Now, it's time to use
those acts against them.

It's not legal for an ISP to modify computer data. Especially
digitally signed data. That's a criminal offense.

It's not legal for a vendor to sell or give away equipment that aids
interception and modification of data. That's a criminal offense.

> Most likely the ISPs' lawyers were smart enough to include a clause
> in the ToS/AUP allowing the ISP to intercept, blackhole, or redirect
> access to any hostname or IP address.

It's not legal to insert a clause allowing criminal conduct. There's
no safe haven for criminal conduct.

> The name for an ISP intercepting traffic from its own users is not
> "interference" or "DoS", because they're breaking the operation of
> (er) only their own network.

No, they're breaking the operation of my network and my computers. My
network connects to their network.

> The solution is to spread their name as widely as possible, so
> consumers can make an informed choice if they wish to avoid service
> providers that engage in abusive practices, and bring it attention to
> regulators if the service providers are acting as an abusive monopoly
> in regards to their interception practices.

There are no choices. They *are* abusive monopolies.

Why are "regulators" better than courts?

After all, the regulators will also involve courts.

> It's not legal for an ISP to modify computer data. Especially
> digitally signed data. That's a criminal offense.

Citation?

Hint - a *big* chunk of ISPs have NAT deployed, and that's messing with packet
headers. Much as many of us would like to see NAT go away, I don't think we
want an environment where deploying NAT gets us a new roommate and best friend
named Bubba. Oh, and if you're not modifying the TTL field, you're Doing It
Wrong.

> It's not legal for a vendor to sell or give away equipment that aids
> interception and modification of data. That's a criminal offense.

Again, citation?

Meanwhile, CALEA *requires* you to have a network that aids in at least
the interception of data. What's a poor ISP to do?

to paraphrase mo: "this will not scale" (you can't possibly pin
everyone that matters (to all users) inside the binary) It's a cute
intermediate trick until the CA problem is resolved/executed and
DNSSEC arrives in full (on the service AND client side).

-chris