What DNS Is Not
James Hess
mysidia at gmail.com
Fri Nov 27 03:57:46 UTC 2009
On Wed, Nov 25, 2009 at 2:58 PM, Jorge Amodio <jmamodio at gmail.com> wrote:
[snip]
> What needs to be done to have ISPs and other service providers stop tampering
> with DNS ?
Well, NXDOMAIN substitution, on ISP provided DNS servers, is not
"tampering with DNS", any more than spam/virus filtering/attachment
limits, disk quotas, or message expiration on ISP mail servers is
"tampering with E-mail".

It's ISPs providing their customers with a modified service. Their DNS
resolvers, their terms. They _could_ accomplish similar by
requiring all their customers utilize a custom web browser, but
that would be less convenient.

"Tampering with DNS" would be hijacking port 53 UDP packets a
customer sent directly to an outside authoritative DNS server, and
substituting their own answer.
That would be very harmful, especially if the ISP customer is
attempting to troubleshoot a DNS issue...

Just because someone registered EXAMPLE.COM with one particular
internet registry, doesn't mean they own the lookup result for every
DNS server in the world. All they have paid for is the creation
and maintenance of entries in one particular shared database, and
they only have control for the (large) subset of DNS servers that
utilize that particular database.

People can start new DNS roots, old DNS roots can be superseded,
there can even be multiple conflicting private roots.

In the long run, the only method to discourage might be a form of blacklisting.
If major DNS hosting providers discriminate in the authoritative
replies they give, based on asker:

* If the IP asking for a DNS record is in the IP range of an ISP that
you know substitutes NXDOMAINs with their own reply, then you
discriminate against that DNS query source, and don't give them
NXDOMAINs.

* Why hand them a NXDOMAIN response that they will just substitute?

If major DNS providers barred the ISP's overall range from getting
any NXDOMAIN replies from the authoritative nameservers, then the
ISP would derive no benefit from substituting them, since their
acts caused them to be deemed unfit to receive NXDOMAIN responses at
all.

In addition, their now lack of ability to get NXDOMAIN responses,
could be an inconvenience to them, esp. in the operation of mail
servers, since latency of certain mail server DNS requests will
increase, due to the delay to time out the query (that would be
NXDOMAIN if they were allowed to receive NXDOMAIN).

* That is: always reply SERVFAIL or send no reply to such blacklisted
IP ranges, when the database entry doesn't exist, instead of NXDOMAIN.

However, it doesn't really penalize the NXDOMAIN substitution
practice too much, unless the root and TLD servers also implement
the blacklisting, it only deprives them of benefit.
--
As for ccTLDs performing wildcarding, one could consider patches to
recursive resolvers to detect the IPs that are wildcarding,
and substitute responses detected as the wildcard host IP addresses,
with NXDOMAIN.

For example, randomly generate 2 test lookups for domains that
are unlikely to exist, e.g. afut429.ahfeai4728.xyz.xx.
If both randomized lookups return A record responses for the
same IP addresses, then you detected the wildcard method used
by that ccTLD.

Substitute NXDOMAIN in for any responses for the ccTLD that
respond with the same list of A records.

In other words: retaliating against NXDOMAIN substitution, by
substituting response with those IPs back to NXDOMAIN.
--
-J
More information about the NANOG
mailing list
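
The wildcard-detection procedure described in the message above, sketched in Python as an added example (not code from the original post or from any resolver project). The `resolve_a` callback, the `WildcardFilter` class and the sample zone data are assumptions constructed for illustration, so the sketch runs offline.

```python
import secrets
import string

NXDOMAIN = None  # this sketch models "no such name" as None

def random_label(length=12):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def detect_wildcard(tld, resolve_a, probes=2):
    """Return the A-record set a wildcarding TLD serves, or None.

    resolve_a(name) is a hypothetical upstream query returning a set of
    IPv4 strings, or NXDOMAIN.
    """
    answers = []
    for _ in range(probes):
        # Random names that are very unlikely to be registered
        result = resolve_a(f"{random_label()}.{random_label()}.{tld}")
        if result is NXDOMAIN:
            return None  # honest NXDOMAIN, so no wildcard
        answers.append(frozenset(result))
    # Wildcard only if every probe got the same list of addresses
    return answers[0] if len(set(answers)) == 1 else None

class WildcardFilter:
    """Hypothetical resolver wrapper that maps wildcard answers back to NXDOMAIN."""

    def __init__(self, resolve_a):
        self.resolve_a = resolve_a
        self.wildcards = {}  # tld -> frozenset of wildcard IPs, or None

    def lookup(self, name):
        tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld not in self.wildcards:
            self.wildcards[tld] = detect_wildcard(tld, self.resolve_a)
        result = self.resolve_a(name)
        if result is not NXDOMAIN and frozenset(result) == self.wildcards[tld]:
            return NXDOMAIN  # same A records as the wildcard host
        return result

# Constructed sample data: TLD "xx" wildcards to 192.0.2.x, "yy" does not.
def sample_upstream(name):
    zone = {"www.real.xx": {"198.51.100.7"}, "www.real.yy": {"198.51.100.8"}}
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    return {"192.0.2.10", "192.0.2.11"} if name.endswith(".xx") else NXDOMAIN
```

Matching on the exact address set means a registered domain that resolves to the wildcard host's addresses is also turned into NXDOMAIN, and the cached detection in this sketch never expires, so a deployment would need to re-probe periodically.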