What DNS Is Not

As a follow-up to this, one of the large Australian ISPs has just
introduced a DNS redirection "service" for all home customers.

"/The BigPond-branded landing page provides BigPond customers with
organic search results, sponsored links, display advertisements and
intelligent recommendations, all derived from the invalid domain input -
much more helpful and friendly than a nasty 404 page error./"

http://www.crn.com.au/News/160923,bigpond-redirects-typos-to-unethical-branded-search-page.aspx

Hi,

Quoting Scott Weeks <surfer@mauigateway.com>:

From AUSNOG:

    All that's left for them to complete the "404" strategy is to put transparent proxies in place that redirect on real 404's :stuck_out_tongue:

Telefonica is doing that here, and not only for www. hostnames...

# nmap nonexist.merit.edu.

Starting Nmap 4.68 ( http://nmap.org ) at 2009-11-19 23:44 ARST
Interesting ports on smartbrowsebr-mx.terra.com (208.70.188.15):
Not shown: 1712 filtered ports
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms

Nmap done: 1 IP address (1 host up) scanned in 28.324 seconds

Cheers,
        Eduardo.-

Hi,

Quoting Scott Weeks <surfer@mauigateway.com>:

>> From AUSNOG:
>
>
>
> All that's left for them to complete the "404" strategy is to
> put transparent proxies in place that redirect on real 404's :stuck_out_tongue:
>

Telefonica is doing that here, and not only for www. hostnames...

# nmap nonexist.merit.edu.

It would be interesting to see what would happen if MERIT issued a
cease and desist request for using their domain name without
permission.

Scott,

If you're going to blatantly copy what others have written on another
mailing list, please at least have the common decency to attribute it to the
original author, and/or get the original author's permission first.

  Scott.

Telefonica is doing that here, and not only for www. hostnames...

# nmap nonexist.merit.edu.

It would be interesting to see what would happen if MERIT issued a
cease and desist request for using their domain name without
permission.

That's really bad, because by doing that they could redirect things
like hardcoreporn.merit.edu creating huge liability for the rightful
admin of any domain name without them knowing.

This will not stop until a big pocket corp sends the legal dogs
for hunting.

Regards
Jorge

Quoting Mark Andrews <marka@isc.org>:

It would be interesting to see what would happen if MERIT issued a
cease and desist request for using their domain name without
permission.

well they can sue them in the US...

# traceroute 208.70.188.15
traceroute to 208.70.188.15 (208.70.188.15), 30 hops max, 60 byte packets
  1 * * *
  2 * * *
  3 * * *
  4 * * *
  5 * * *
  6 * * *
  7 * * *
  8 * * *
  9 * * *
10 * * *
11 * * *
12 * * *
13 so-1-1-0-0-grtbueba2.red.telefonica-wholesale.net (213.140.51.73) 3.913 ms 3.911 ms 3.905 ms
14 Xe7-3-0-0-grtlurem4.red.telefonica-wholesale.net (213.140.49.18) 58.677 ms Xe8-0-0-0-grtlurem4.red.telefonica-wholesale.net (213.140.49.6) 59.780 ms Xe11-0-0-0-grtlurem4.red.telefonica-wholesale.net (213.140.36.150) 59.784 ms
15 Xe8-3-0-0-grtmiabr5.red.telefonica-wholesale.net.126.142.94.in-addr.arpa (94.142.126.113) 129.878 ms 129.878 ms Xe5-1-3-0-grtmiabr4.red.telefonica-wholesale.net (84.16.15.62) 130.615 ms
16 P9-0-0-0-gramiatc2.red.telefonica-wholesale.net (213.140.37.201) 131.945 ms 131.942 ms 131.936 ms
17 84.16.6.150 (84.16.6.150) 129.855 ms 129.850 ms 129.838 ms
18 tdcsdr11-vl-3.mia1.ustdata.net (66.119.65.19) 130.774 ms 130.761 ms 130.754 ms
19 terra-g-3-1-dsw01-mia.tc.terra.com (66.119.71.2) 130.724 ms 130.724 ms 130.719 ms
20 bsw01a-mia.tc.terra.com (208.70.191.245) 134.385 ms 135.200 ms 135.189 ms
21 bsw01a-mia.tc.terra.com (208.70.191.245) 127.450 ms 127.455 ms 127.451 ms

Eduardo.-

Paul's article "What DNS Is Not" published in December's Issue of Communications
of the ACM.

Also ICANN publishes memorandum about Harms and Concerns Posed by
NXDOMAIN Substitution:

http://www.icann.org/en/topics/new-gtlds/nxdomain-substitution-harms-24nov09-en.pdf

What needs to be done to have ISPs and other service providers stop tampering
with DNS ?

Cheers
Jorge

Paul's article "What DNS Is Not" published in December's Issue of Communications
of the ACM.

Also ICANN publishes memorandum about Harms and Concerns Posed by
NXDOMAIN Substitution:

http://www.icann.org/en/topics/new-gtlds/nxdomain-substitution-harms-24nov09-en.pdf

What needs to be done to have ISPs and other service providers stop tampering
with DNS ?

Sign your response (DNSSEC). That makes it abundantly clear that
you don't want your answers to be tampered with.

Send a cease-and-desist letter for all namespaces you own, to all ISPs
that you are aware of that are doing this. Follow up if they fail
to take corrective action.

Mark

Some options:

Contact your local, state and federal legislators and convince them it's in
the public interest for them to draft legislation to outlaw this practice -
and hope among all hope that the end result resembles something technically
benevolent.

Contact ICANN/IANA and plead with them to stop assigning any more resources
to said ISP.

Publicize what said ISP is doing and let its customers decide if it's a
significantly deplorable enough practice for them to find another ISP.

And what is needed to have a consistent 'whois' reporting format :slight_smile:

Keeping adding to the list?

Hi,

What needs to be done to have ISPs and other service providers stop
tampering with DNS ?

Some options:

Contact your local, state and federal legislators and convince them it's in
the public interest for them to draft legislation to outlaw this practice -
and hope among all hope that the end result resembles something technically
benevolent.

Do we really want big brother sniffing around ? What about net neutrality ?

Contact ICANN/IANA and plead with them to stop assigning any more resources
to said ISP.

ICANN has no contractual relationship with the service providers abusing the
DNS, but a far reaching idea could claim ICANN responsibility and commitment
to preserve and enhance the operational stability, reliability, security, and
global interoperability of the Internet, stated in one of its core values on
its bylaws.

Publicize what said ISP is doing and let its customers decide if it's a
significantly deplorable enough practice for them to find another ISP.

Well Time Warner/Road Runner does it at least here in San Antonio, at least
they don't filter DNS traffic if you choose to use other name servers and don't
have a nasty proxy like the guys from Telefonica in Argentina.

Anyway some of this nasty behavior will go away when as Mark said
DNSSEC is fully deployed (someday).

Regards
Jorge

>> What needs to be done to have ISPs and other service providers stop
>> tampering with DNS ?
>
> Some options:
>
> Contact your local, state and federal legislators and convince them it's in
> the public interest for them to draft legislation to outlaw this practice -
> and hope among all hope that the end result resembles something technically
> benevolent.

Do we really want big brother sniffing around ? What about net neutrality ?

It's fraud, theft or both. The ISPs doing this don't own these
names and they are pretending to be someone they are not. Just
because lots of them are doing it doesn't make it right. You should
be able to go to your local police and report this and have action
taken.

Indirectly they're responsible for assignment of IP address, enterprise
numbers, domain names etc. Of course you're not going to get very far with
that approach.

My point was there isn't really an authority to enforce rules on ISPs when
it comes to how they manage their DNS servers. Government and IANA
won't be interested in fielding such complaints. Shining a flash light
on the problem publicly is going to be the best bet.

Jorge Amodio <jmamodio@gmail.com> writes:

What needs to be done to have ISPs and other service providers stop
tampering with DNS ?

we have to fix DNS so that provider-in-the-middle attacks no longer work.
(this is why in spite of its technical excellence i am not a DNSCURVE fan,
and also why in spite of its technical suckitude i'm working on DNSSEC.)

"What DNS Is Not" (ACM Queue) lays out this case.

any more.... :slight_smile:

--bill

Hi,

Contact ICANN/IANA and plead with them to stop assigning any more resources
to said ISP.

ICANN/IANA doesn't assign resources to ISPs.

Indirectly they're responsible for assignment of IP address,

In the sense that they allocate /8s (and, in IPv6, /12s) to the RIRs, sure. I'm just guessing but I don't think the RIRs would be very happy if ICANN/IANA were to refuse to allocate a /8 (or a /12) to an RIR because one of the RIRs' customers was hijacking NXDOMAINs.

enterprise numbers,

Actually, ICANN/IANA assigns these directly (see http://pen.iana.org), but I suspect the folks in the IETF would get a bit distressed if ICANN/IANA started imposing restrictions on who could get PENs.

domain names

ICANN/IANA is directly responsible for (and has contractual relationships with folks who operate) gTLDs and has, to the distress of some folks on this list, imposed restrictions on wildcards/synthesis/etc. ICANN/IANA discourages wildcards/synthesis/etc for ccTLDs, but the operation of a ccTLD is considered a national sovereignty issue and thus, ICANN/IANA has no way to do anything other than point out the problems wildcards/synthesis/etc. can lead to. As I write this, there are 11 ccTLDs that do wildcards/synthesis/etc. and there will undoubtedly be more in the future. ICANN/IANA has no interaction with, much less control, over ISPs.

My point was there isn't really an authority to enforce rules on ISPs when
it comes to how they manage their DNS servers.

Yep.

Government and IANA won't be interested in fielding such complaints.

Government might -- politicians like to be seen solving problems, even if they haven't the slightest idea what the problem is, whether it actually is a problem, or how to go about fixing it.

With the exception of the gTLDs, ICANN/IANA simply can't -- it has no mechanism to do anything other than wag its finger.

Shining a flash light on the problem publicly is going to be the best bet.

There are folks on this list who work for ISPs which are doing wildcards/synthesis/etc. They (or, more likely their management) can tell you there are obvious business reasons why they do wildcards/synthesis/etc. Perhaps I'm overly cynical, but I suspect that until those business reasons go away, shining a flash light will probably just result in more ISPs implementing wildcards/synthesis/etc.

Regards,
-drc

As you know, as long as people rely on their ISPs for resolution services, DNSSEC isn't going to help. Where things get really offensive is when the ISPs _require_ customers (through port 53 blocking, T-Mobile Hotspot, I'm looking at you) to use the ISP's resolution services.

Regards,
-drc

From: David Conrad <drc@virtualized.org>
Date: Thu, 26 Nov 2009 07:42:15 -0800

As you know, as long as people rely on their ISPs for resolution
services, DNSSEC isn't going to help. Where things get really offensive
is when the ISPs _require_ customers (through port 53 blocking, T-Mobile
Hotspot, I'm looking at you) to use the ISP's resolution services.

the endgame for provider-in-the-middle attacks is enduser validators, which
is unfortunate since this use case is not well supported by current DNSSEC
and so there's some more protocol work in our future ("noooooooooooo!!").

i also expect to see DNS carried via HTTPS, which providers tend to leave
alone since they don't want to hear from the lawyers at 1-800-flowers.com.
(so, get ready for https://ns.vix.com/dns/query/www.vix.com/in/a&rd=1&ad=1).

* Jorge Amodio:

What needs to be done to have ISPs and other service providers stop tampering
with DNS ?

First, stop calling it "NXDOMAIN rewriting". These guys are rewriting
everything they want, so that they can respond to your search queries,
or serve different ads to you.

Then try to opt out of rewriting for your own domains, asking the
offenders to stop doing it in your namespace, and if that doesn't
help, use the court system. Fight your own fights, and don't expect
others to do it for you. (Oh, in case you wonder---I can't, because
in Germany, registering a domain name does not grant you rights to
that name, even if you've been using it for quite a while.)