What DNS Is Not

Scott Weeks surfer at mauigateway.com
Fri Nov 20 01:31:53 UTC 2009


--- andrew at accessplus.com.au wrote:
From: Andrew Cox <andrew at accessplus.com.au>

As a follow-up to this, one of the large Australian ISPs has just 
introduced a DNS redirection "service" for all home customers.

"/The BigPond-branded landing page provides BigPond customers with 
organic search results, sponsored links, display advertisements and 
intelligent recommendations, all derived from the invalid domain input - 
much more helpful and friendly than a nasty 404 page error./"

http://www.crn.com.au/News/160923,bigpond-redirects-typos-to-unethical-branded-search-page.aspx
------------------------------------------------------------------------------



From AUSNOG:


On Thu, Nov 19, 2009 at 2:08 PM, Paul Foote <pfoote at gmail.com> wrote:

    All that's left for them to complete the "404" strategy is to put transparent proxies in place that redirect on real 404's :P

    Did nobody learn the lessons from when Verisign did this with .com? baah.


In fairness (and I use that term loosely) to BigPond, this is probably a little different to what Verisign did.

I haven't seen the BigPond details, but I have seen what Comcast are doing on my US cable connection, and I presume BigPond is doing something similar.

The major differences between the two are:
* Only responds for "www" addresses.  A lookup for "non-existantdomain.com" will still return an NXDOMAIN, but "www.non-existantdomain.com" returns their search page.  This means that (the majority of) things like RBL/anti-spam/etc things which broke under Verisign's redirection no longer break.
* It's only home users. Business plans/etc are not redirected.  Obviously this is different to Verisign where everyone was hit.
* You can turn it off, and the page you end up on even gives you the details on how to turn it off.

Also despite claims to the contrary, Comcast are not actually "intercepting" DNS traffic - or at least they aren't for me.  They are only doing this for traffic sent directly to their DNS servers, and pointing to another DNS server works as expected, as does running your own resolver.


I'm still not saying that it's a good thing for them to be doing, but it's not quite as bad or destructive as Verisign's move was...
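
Added example, not part of the original thread: a small Python check that tells a www-only NXDOMAIN rewrite (as described above for Comcast) apart from a Verisign-style wildcard, by resolving random unregistered names with and without a "www" label. The function names, verdict strings and stub resolvers are assumptions made for illustration; the stubs use constructed addresses so the example runs offline.

```python
import secrets
import socket

def probe_names(n=3, tld="com"):
    # Random 24-hex-char labels: overwhelmingly unlikely to be registered.
    return [f"{secrets.token_hex(12)}.{tld}" for _ in range(n)]

def classify_resolver(resolve, names=None):
    """resolve(name) returns an address string, or None for NXDOMAIN.

    Returns (verdict, set_of_addresses_seen_for_nonexistent_names).
    """
    names = names or probe_names()
    bare = [resolve(n) for n in names]
    www = [resolve("www." + n) for n in names]
    seen = {a for a in bare + www if a is not None}
    bare_hits = sum(a is not None for a in bare)
    www_hits = sum(a is not None for a in www)
    if bare_hits == 0 and www_hits == 0:
        return "no-rewrite", seen
    if bare_hits == 0 and www_hits == len(names):
        return "www-only-rewrite", seen      # behaviour described for Comcast
    if bare_hits == len(names) and www_hits == len(names):
        return "wildcard-rewrite", seen      # Verisign-style: every name answers
    return "inconclusive", seen

def system_resolve(name):
    # Uses the OS-configured resolver. gaierror also covers timeouts and
    # SERVFAIL, so treat a live result as a hint, not proof.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed stub resolvers (192.0.2.0/24 is a documentation range).
def stub_honest(name):
    return None

def stub_www_only(name):
    return "192.0.2.10" if name.startswith("www.") else None

def stub_wildcard(name):
    return "192.0.2.20"

if __name__ == "__main__":
    for stub in (stub_honest, stub_www_only, stub_wildcard):
        print(stub.__name__, classify_resolver(stub))
```

Passing `system_resolve` instead of a stub tests whichever resolver the host is configured to use, which is the only place the rewrite applies according to the message above.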







