[conspire] OpenDNS (was: DNS vulnerability details)

Rick Moen rick at linuxmafia.com
Tue Aug 5 01:49:09 PDT 2008 

I wrote:

> How can this be?  It doesn't actually exist, so shouldn't the correct
> response be NXDOMAIN?  Yes, but OpenDNS's business model requires that
> they break the RFCs.  

I should explain further, because the above objection makes it sound
like OpenDNS is merely violating a theoretical requirement of Internet
standards.  The question I failed to address is:  _Who gets hurt_, by
OpenDNS bending the rules in that fashion?

The biggest single problem is for anti-spam software, which very
commonly relies heavily on using the global DNS system to detect
non-existent domains/hostnames.  Suddenly, all of that functionality
breaks, and people's spam filters malfunction.

Essentially, OpenDNS's scheme, like that of Verisign's Sitefinder before
it, assumes the only Internet traffic that matters is what's served over
the Web.  I'm always amazed at how many people I talk to think this is
actually true -- though asking them "Have you ever sent or received
e-mail?" does garner a few double-takes.  ;->

O'Reilly Network asked BIND author Paul Vixie about this sort of thing,
back when the Sitefinder scandal was in the news:

  ORN: This change in policy by VeriSign seems to make antispam
  activists angry.

  PV: A lot more spam is getting through my outer defenses than used to.
  But that's not the only concern: the other registrars are concerned
  about monetization; ICANN is concerned about a big change in behavior
  for users; and standards zealots are just annoyed.

  Actually ICANN was consulted about a similar issue, that is, to limit
  this behavior to just internationalized domain names. ICANN advised
  against doing that, as did the IETF and the IAB. The ICANN and IAB
  advice about internationalized domain names would apply even more
  strongly to the use of wildcards.

  As for the standards zealots, the IANA has reserved a.com, b.com, and so
  on. They're not supposed to exist, but they now appear to exist. It's a
  small point of theory, but it angers some people.

  There are also privacy concerns. Think of other information carried in
  URLs with query strings, all of which ends up, if URLs are malformed, in
  VeriSign logs now. Such information may include passwords, logins, and
  other sensitive information. It wouldn't be sent anywhere if the domain
  name lookups would fail. You also have other branding concerns. If
  someone guessed at your domain name it would previously have just
  failed.

  ORN: Unless a typosquatter had it.

  PV: So now your brand becomes a typomagnet so that anyone who guesses
  your name and guesses wrong will end up at a VeriSign adserver. This
  produces the exact opposite result that most registrants want, which is
  to protect their brand. Furthermore, in an e-mail context, many errors
  that used to be benign are now fatal, like MX chain problems.

  ORN: Now you wouldn't go on down the chain of secondary and tertiary
  records.

  PV: Right. You'd send to the first one, the misconfigured one, because
  it wouldn't fail. VeriSign's running a mail server that bounces
  everything now.

  ORN: As far as we know, they're bouncing it. They could be keeping it.

  PV: That's another concern that's been expressed. They could be keeping
  a list of addresses. They could send out marketing messages, something
  like "You looked for this domain. It doesn't exist. Want to buy it?"

See:  `http://www.onlamp.com/pub/a/onlamp/2003/09/22/vixie.html


Vixie also commented directly on OpenDNS, back when that service was
initially launched, in 2006:

  > ...  In fact, I can't imagine a reason why you wouldn't use OpenDNS.
  > ...

  I'll provide four, off the top of my head.

  1. Because I use the [DNS] for things other than Web surfing.
  2. Because I need a reliable source of NXDOMAIN data.
  3. Because I want to keep DNS open to non-web applications.
  4. Because I don't want any central authority to see what Q's I'm
     asking.

  I realize that #1 and #2 marginalize me compared to the unwashed masses
  who think that the Web is the Internet or vice-versa, and just want
  their porn and their Myspace and so on.

  I realize that #4 also marginalizes me compared to the folks who use
  Google directly rather than sending their queries through proxies.
  You folks also probably use a frequent-buyer card at your supermarket,
  rather than using the phone numbers of random people to confuse the
  market research people.

  Bwt I do not think #3 marginalizes me at all.  I am surprised to see
  smart ethical folks who ordinarily see all the way to, and often beyond,
  the horizon, launch a service which depends for its revenue on a
  <cause,effect> tuple which will discourage new non-Web services from
  using DNS.

  Typosquatting is bad for the community, and it doesn't matter whether
  it's done with actual NS RRs, or things like TLD wildcards (a la
  Sitefinder) or in the recursive resolvers (like many ISP's now do, and
  now OpenDNS does).

  That having been said, if typosquatting is going to be done, OpenDNS
  is the best way to do it among the ways I've seen.  Kudos to davidu and
  his team for the quality of their implementation and the openness of
  their launch.

http://lists.oarci.net/pipermail/dns-operations/2006-July/000806.html

(That is, David Ulevitch is a nice guy and his firm's implementation of 
a bad idea is as technically sound and well administered as a bad idea
could be -- but it remains a bad idea.)

More at:
http://www.crunchnotes.com/2006/07/18/different-points-of-view-on-opendns/

More information about the conspire mailing list