What DNS Is Not

James Hess mysidia at gmail.com
Thu Nov 26 21:57:46 CST 2009

On Wed, Nov 25, 2009 at 2:58 PM, Jorge Amodio <jmamodio at gmail.com> wrote:
> What needs to be done to have ISPs and other service providers stop tampering
> with DNS ?

Well, NXDOMAIN substitution,  on ISP provided DNS servers, is not
"tampering with DNS",  anymore than  spam/virus filtering/attachment
limits, disk quotas, or message expiration  on ISP mail servers  is
"tampering with E-mail",

It's ISPs providing their customers with a modified service. Their DNS
resolvers,  their terms.      They  _could_   accomplish  similar  by
requiring all their customers  utilize a   custom  web browser,   but
that would be less convenient.

"Tampering with DNS"  would  be hijacking port 53 UDP packets a
customer sent directly to an outside authoritative DNS server,  and
substituting their own answer.
That would be very harmful,  especially  if  the ISP customer is
attempting to troubleshoot a DNS issue...

Just because someone registered  EXAMPLE.COM   with one particular
internet registry, doesn't mean they own the lookup result for every
DNS server in the world.     All they have paid for is the creation
and maintenance of entries in one particular shared database,   and
they only have control for the (large) subset of DNS servers that
utilize that particular database.

People can start new DNS roots,  old DNS roots can be superceded,
there can even be multiple conflicting private roots.

In the long run, the only method to discourage might be a form of blacklisting.
If  major DNS hosting providers discriminate in the authoritative
replies they give, based on asker:

*If the IP asking for a DNS record is in the IP range of an ISP that
you know substitutes NXDOMAINs with their own  reply,    then you
discriminate  against that DNS query source, and don't give them

*Why hand them a NXDOMAIN response that they will just substitute?

If major DNS providers barred the ISP's overall range  from getting
any NXDOMAIN replies from the  authoritative nameservers,   then the
ISP would derive no benefit from substituting them,    since  their
acts caused them  to be deemed unfit to receive NXDOMAIN responses  at

In addition, their now lack of ability to get NXDOMAIN  responses,
could be an inconvenience to them,  esp.  in the operation of mail
servers,   since  latency of  certain  mail server DNS requests will
increase,  due to the delay to time out the query  (that would be
NXDOMAIN if they were allowed to receive NXDOMAIN).

*That is: always reply SERVFAIL  or send no reply to such blacklisted
IP ranges, when the database entry doesn't exist, instead of NXDOMAIN.

However, it  doesn't really penalize the  NXDOMAIN substitution
practice too much,  unless the root and TLD servers also  implement
the blacklisting,  it only deprives them of benefit.

As for  ccTLDs  performing wildcarding,  One could consider patches to
recursive resolvers   to  detect    the  IPs  that are wildcarding,
and substitute  responses detected as the wildcard  host IP addresses,
 with  NXDOMAIN.

For example,   randomly generate  2  test lookups    for domains that
are unlikely to exist, eg     afut429.ahfeai4728.xyz.xx  .
If  both  randomized lookups  return  A record responses   for the
same IP addresses,    then  you detected  the  wildcard  method  used
by that ccTLD.

Substitute  NXDOMAIN  in  for any responses for the ccTLD  that
respond with the same list of A records.

In other words:   retaliating against NXDOMAIN substitution,  by
substituting response with those IPs  back to NXDOMAIN.


More information about the NANOG mailing list