Slashdot Mirror


EarthLink Establishes Their Own "Site Finder"

Guppy06 writes "Last week, instead of a regular DNS error, EarthLink's DNS servers started to return a redirect to earthlink-help.net, a site that bears a close resemblance to VeriSign's much-maligned Site Finder, to their subscribers. According to their official blog at Earthling, "By presenting users with contextual help based upon the non-existent domain the user entered, we believe we are improving the EarthLink user experience with a system that will not interfere with other network processes." Most of the responses in said blog posting aren't positive."

2 of 241 comments

  1. this doesn't just affect HTTP by keithmoore · Score: 4, Informative

    The biggest problem with this is not the ads (though they are annoying). This DNS hack doesn't just affect HTTP, it affects every application that does DNS queries. The claim that the system is configured to only handle NXDOMAIN HTTP traffic is a bald lie. There is no way for the DNS server to determine whether a query is being done for HTTP or for some other protocol.

    When an application queries DNS for A records (IPv4 addresses) for a particular domain, one of three things should happen:
    1. if there are A records for that domain, they should be returned
    2. if there are no A records for that domain but there are other records, "no information" should be returned
    3. if there are no records of any type for that domain, "no such domain" (NXDOMAIN) should be returned

    What Earthlink's servers appear to be doing is the following:

    1. if there are real A records for that domain, they are returned
    2. if there are no A records for that domain, return A records for several hosts that don't belong to that domain.
       if the application tries to talk HTTP to port 80 on any of those hosts and supplies the Host: query request
       (standard in HTTP 1.1) the HTTP server will do a search for the domain that appears in the Host: request
       and return HTML that suggests other domains that appear to be similar to the one given in the Host: request.
       however if the application tries to talk to other ports on that machine it will get "connection refused" or
       it will time out.

    (the behavior is actually a bit more complicated than that. the behavior seems to be dependent on the IP address from
    which the queries were made - so if you make the query to their servers from a host that isn't on Earthlink DSL
    you will apparently get normal results. the behavior also seems to be dependent on the domain being queried.)

    There are several things wrong with this behavior:

    1. It's not reporting the error correctly. Applications that do DNS queries quite reasonably expect NXDOMAIN
    to be returned if the domain does not exist, and "no information" to be returned if there are no records of
    the type they're looking for - not a list of apparently valid IP addresses pointing to hosts that have nothing
    to do with that domain. Many applications behave differently depending on the error condition. "connection
    refused" and "connection timed out" are often treated as temporary errors - the application assumes that the
    remote server is rebooting or isn't reachable and tries again later. "no such domain" is more often treated
    as a permanent error, or one that requires immediate user attention. So this Earthlink change can cause
    applications other than web browsers to behave improperly, or to give misleading error messages.

    For example: if an email server is trying to send mail to someone at a particular domain, it will first do
    a query for MX records to determine if there are any mail servers assigned to that domain. If the MX query returns
    no answers, it may then issue a separate query for A records. If this happens the Earthlink DNS server will return
    bogus A records and the email server will try to send the mail to Earthlink's servers rather than bouncing the mail
    like it should. When Earthlink's servers refuse the connection, the email server will treat the condition as a
    temporary error and retry at intervals for several days. As a result, mail for nonexistent domains (say, bounced
    spam) can clog up the email server's queues and slow things down.

    2. It is hiding other records associated with that domain. Say an application will

  2. Re: Broken DNS Servers vs. Broken Web Caching by XanC · Score: 3, Informative

    There's nothing fuzzy about what's actually happening. I can ping any random string of garbage and get a response. That's no Web-proxy problem; it's a fundamental breakage of DNS.
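
The three outcomes listed in the first comment, and the random-name check described in the second, as an added example (not code from either commenter or from EarthLink): it parses raw DNS replies to A queries and flags a resolver that answers names that cannot exist with addresses. The packets are constructed sample data, and the function names, canary names and 192.0.2.x addresses are assumptions of this example.

```python
import struct

def build_response(qname, rcode, ips=()):
    """Constructed sample reply (not captured traffic) to an A query for qname."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    msg += name + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    for ip in ips:                                    # 0xC00C points back at the question name
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return msg

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:    # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:                # root label terminates the name
            return off
        off += n

def parse_a_response(msg):
    """Return (outcome, [IPv4 strings]) for a reply to an A query."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN", []     # no records of any type for the name
    if rcode != 0:
        return "ERROR", []        # SERVFAIL, REFUSED, ...
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                 # A record
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return ("ANSWER" if addrs else "NODATA"), addrs   # NODATA = "no information"

def resolver_rewrites_nxdomain(canary_replies):
    """canary_replies: raw replies to A queries for random names that cannot exist."""
    return any(parse_a_response(m)[0] == "ANSWER" for m in canary_replies)
```
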