[conspire] OpenDNS (was: DNS vulnerability details)
rick at linuxmafia.com
Tue Aug 5 01:49:09 PDT 2008
> How can this be? It doesn't actually exist, so shouldn't the correct
> response be NXDOMAIN? Yes, but OpenDNS's business model requires that
> they break the RFCs.
I should explain further, because the above objection makes it sound
like OpenDNS is merely violating a theoretical requirement of Internet
standards. The question I failed to address is: _Who gets hurt_, by
OpenDNS bending the rules in that fashion?
The biggest single problem is for anti-spam software, which very
commonly relies heavily on using the global DNS system to detect
non-existent domains/hostnames. Suddenly, all of that functionality
breaks, and people's spam filters malfunction.
Essentially, OpenDNS's scheme, like that of Verisign's Sitefinder before
it, assumes the only Internet traffic that matters is what's served over
the Web. I'm always amazed at how many people I talk to think this is
actually true -- though asking them "Have you ever sent or received
e-mail?" does garner a few double-takes. ;->
O'Reilly Network asked BIND author Paul Vixie about this sort of thing,
back when the Sitefinder scandal was in the news:
ORN: This change in policy by VeriSign seems to make antispam
PV: A lot more spam is getting through my outer defenses than used to.
But that's not the only concern: the other registrars are concerned
about monetization; ICANN is concerned about a big change in behavior
for users; and standards zealots are just annoyed.
Actually ICANN was consulted about a similar issue, that is, to limit
this behavior to just internationalized domain names. ICANN advised
against doing that, as did the IETF and the IAB. The ICANN and IAB
advice about internationalized domain names would apply even more
strongly to the use of wildcards.
As for the standards zealots, the IANA has reserved a.com, b.com, and so
on. They're not supposed to exist, but they now appear to exist. It's a
small point of theory, but it angers some people.
There are also privacy concerns. Think of other information carried in
URLs with query strings, all of which ends up, if URLs are malformed, in
VeriSign logs now. Such information may include passwords, logins, and
other sensitive information. It wouldn't be sent anywhere if the domain
name lookups would fail. You also have other branding concerns. If
someone guessed at your domain name it would previously have just
ORN: Unless a typosquatter had it.
PV: So now your brand becomes a typomagnet so that anyone who guesses
your name and guesses wrong will end up at a VeriSign adserver. This
produces the exact opposite result that most registrants want, which is
to protect their brand. Furthermore, in an e-mail context, many errors
that used to be benign are now fatal, like MX chain problems.
ORN: Now you wouldn't go on down the chain of secondary and tertiary
PV: Right. You'd send to the first one, the misconfigured one, because
it wouldn't fail. VeriSign's running a mail server that bounces
ORN: As far as we know, they're bouncing it. They could be keeping it.
PV: That's another concern that's been expressed. They could be keeping
a list of addresses. They could send out marketing messages, something
like "You looked for this domain. It doesn't exist. Want to buy it?"
Vixie also commented directly on OpenDNS, back when that service was
initially launched, in 2006:
> ... In fact, I can't imagine a reason why you wouldn't use OpenDNS.
I'll provide four, off the top of my head.
1. Because I use the [DNS] for things other than Web surfing.
2. Because I need a reliable source of NXDOMAIN data.
3. Because I want to keep DNS open to non-web applications.
4. Because I don't want any central authority to see what Q's I'm
I realize that #1 and #2 marginalize me compared to the unwashed masses
who think that the Web is the Internet or vice-versa, and just want
their porn and their Myspace and so on.
I realize that #4 also marginalizes me compared to the folks who use
Google directly rather than sending their queries through proxies.
You folks also probably use a frequent-buyer card at your supermarket,
rather than using the phone numbers of random people to confuse the
market research people.
But I do not think #3 marginalizes me at all. I am surprised to see
smart ethical folks who ordinarily see all the way to, and often beyond,
the horizon, launch a service which depends for its revenue on a
<cause,effect> tuple which will discourage new non-Web services from
Typosquatting is bad for the community, and it doesn't matter whether
it's done with actual NS RRs, or things like TLD wildcards (a la
Sitefinder) or in the recursive resolvers (like many ISP's now do, and
now OpenDNS does).
That having been said, if typosquatting is going to be done, OpenDNS
is the best way to do it among the ways I've seen. Kudos to davidu and
his team for the quality of their implementation and the openness of
(That is, David Ulevitch is a nice guy and his firm's implementation of
a bad idea is as technically sound and well administered as a bad idea
could be -- but it remains a bad idea.)