Some DNS Requests Ruled Illegal in North Dakota

jgreco writes "A judge in North Dakota has just ruled that requesting a zone transfer from a public DNS server is criminal activity within the meaning of the North Dakota Computer Crimes Law. A zone transfer is a simple request that a DNS server hand over information in bulk, and a DNS server may be configured to allow or deny such requests. That the owner of a DNS server would configure the server to allow such requests, and then claim such requests were unauthorized, is simply stunning."

Unbelievable

[Chrisq]

This in effect means that you cannot set up a secondary DNS server in North Dakota. Any ISPs in the state should probably relocate!

Re:Unbelievable

[MyLongNickName]

What is more unbelievable is that you'd take an article summary like this as being the gospel. More often than not, it is someone who hasn't really read the whole article, but wants to see his name on the front page of Slashdot. Dispense with a few facts, create some sensationalism, and the crack Slashdot editing team puts it up without fact checking.

Re:Unbelievable

[ari_j]

The article isn't much better. I think that it's going to be nothing but sensationalism unless someone gets ahold of the actual court documents.

Re:Unbelievable

[Sancho]

Geeks don't like this ruling, though, because it's not black-and-white. A geek think that if it's open on the Internet, it ought to be legal. If it asks for a password and you break in, it ought not be. Absent other means of gaining authorization, a request on the Internet implies a request for authorization, and a reply with the requested information from the server ought to imply authorization. The burden should be on the server operator to restrict or allow access, because on a pseudo-anonymous Internet, there's no other metric we can use. "Most of the time, the server operator wouldn't want this?"

Re:Unbelievable

[orclevegam]

In this case, the geek in question performed the DNS queries as part of an ongoing investigation into the spam activities of the ISP in question. This was not a case of someone with malicious intent, or even someone exploring for the sake of exploring, this was a computer professional attempting to track the source of some spam and to compile evidence against the spammer. In this regard he was acting more as a PI (I realize a PI is usually licensed by the state, but it's still close enough) in attempting to investigate something that if not directly a crime, is at least questionable.

If I was investigating you, and I came and knocked on your door saying "My car broke down, can I use your phone to call a tow truck?" and while inside your house used a hidden camera to take pictures, this would also be "not authorized", but in most states it's still perfectly legal, and you couldn't then turn around and try to sue me for trespassing.

The reason the judge ruled against the defendant in this case seems to have had a lot less to do with the merit of the case then it did several instances of the defendant giving false testimony, and in at least one case directly violating an order of the court. Essentially the judge was ticked at the guy, and that biased the case against him.

Re:Unbelievable

[Pollardito]

"Sir, a zone transfer is when you type 'dig google.com axfr'. It is a standard feature of the DNS protocol and software suite. The only way it can be abused is if it is left unprotected by the network administrator, much the same as a house can be abused if you leave your doors and windows unlocked." if you leave your doors and windows unlocked it's still a crime to "abuse" the house, it almost sounds like you're arguing that zone transferring is trespassing

Re:Unbelievable

[Richard_at_work]

Why the support on Slashdot for anti-spam laws then? If your smtp server accepts my connection and accepts the mail I subsequently send to you through that connection, how is this any different to the arguments posed elsewhere in this thread about public access services and presumed legality?

Re:Unbelievable

[SanityInAnarchy]

In all intended uses of a zone transfer,

Well, there's a problem right there. No one person knows all the intended uses of a zone transfer. I learned a new one today from a sibling post -- actually migrating DNS information to a new host, when switching service providers.

the secondary server is operated by the same party that operates the primary server.

*chokes on breakfast* ...what?

I've been using it for almost a year now, for dynamic DNS. It means I get to configure and run a real DNS server, and set it up exactly the way I like, and then, when I need to update the records on my real DNS servers (at zoneedit.com, dyndns.com, etc), I only have to change one setting -- the master host. This means that, for example, if I want to switch to another system, I don't have to learn a new API (or write one to crawl their website) that's much more complicated than a single POST request, updating which master server they should update from.

(Just been reading that zoneedit.com sucks, so I'm considering switching to dyndns.com, which honestly is pretty cheap, and their service which does zone transfers is cheaper than their service which has a web interface.)

That is to say: I operate the primary server, and the secondary and tertiary servers are operated by a third party, even if these secondary and tertiary servers are listed in my domain as primary and secondary servers. This is hardly unique to dynamic DNS -- it's also used in cases where there is a static IP, but you only want to maintain one server, and you (obviously) can't guarantee five nines of uptime on that server. So you pay someone to run a secondary DNS server.

A secondary intended purpose for zone transfers is to permit trouble shooting in which case zone transfers may sometimes be undertaken via the manually conducted host -l command. In those instances, however, the person conducting the diagnosis acts with the authorization of the operator of the system and is usually the network administrator for the system.

That's reasonable, but answer this: If I were to use the "host" command -- just "host", by itself, looking up MX records and such -- should I be worried about it being illegal? What about "whois" and such? There are plenty of times when it's reasonable to expect that a third party should run diagnostics -- such as when the first party is completely clueless, and needs to be told so.

Some other poster put it very clearly -- geeks generally believe that if you make a service public, it is public. It's certainly possible to limit zone transfers to the IP address of the secondary DNS server. This would not be an absolute protection, but it would at least show what the intent was.

This has been debated fairly often with respect to open wireless access points. What you have here is, according to the machine protocols involved, a machine shouting "Look at me! My name is LINKSYS, and I'm open! Just connect if you want to get online!" It is trivially easy, in most cases, to have it instead broadcast "My name is LINKSYS, and you'll need a password to connect!" Or, alternatively, to not brodcast at all -- to just sit in a corner until someone says, "Hey, LINKSYS! Let me connect!"

It's not quite that bad, but it's similar. "Hey, ns1.example.com! Would you mind telling me what all the subdomains of example.com are?" (There are legitimate reasons for doing this, too -- maybe I'm a spider, and I want to find web pages which aren't specifically linked to by www.example.com.) At this point, if ns1.example.com says "Sure! There's mail.example.com, and www.example.com, and, oh yeah, super.secret.stuff.example.com"... how is this your fault? If super.secret.stuff was really that secret, ns1.example.com could've left it out, or could've said "No, sorry, I'm not going to tell you."

The reason geeks w

Re:Unbelievable

and that's reason for the verdict to be overturned and the judge sacked and/or shot. They're there to rule on the facts of the case, not how they feel about the behaviour of the defendant in court - that's no better than ruling against someone because they wore jeans. Also, the violating of an order of the court should have been dealt with by another judge, how can you have the same person making the accusation as doing the judging? That's a defining characteristic of a kangaroo court!

Re:Unbelievable

[Yottabyte84]

This is one way to deal with it:


$ telnet mailin-01.mx.aol.com 25
Trying 205.188.159.57...
Connected to da.mx.aol.com.
Escape character is '^]'.
220-rly-da05.mx.aol.com ESMTP mail_relay_in-da05.2; Thu, 17 Jan 2008 13:03:52 -0500
220-America Online (AOL) and its affiliated companies do not
220- authorize the use of its proprietary computers and computer
220- networks to accept, transmit, or distribute unsolicited bulk
220- e-mail sent from the internet. Effective immediately: AOL
220- may no longer accept connections from IP addresses which
220 have no reverse-DNS (PTR record) assigned.


All geeks are required to hate spam. It's in the by-laws, go check.

Re:Unbelievable

[cas2000]

actually, in this analogy, the zone transfer request is more like knocking and asking "can i come in?" (i.e. "can i have this zone file?").

if the DNS server is left in default configuration, then the answer is "No, you can't have it".

if the DNS server is deliberately reconfigured to allow the transfer, then the answer is "Yes, here it is".

so this ruling is the equivalent of successfully having someone convicted of trespass after you've given them permission to enter.

Re:Unbelievable

[Phoenix+Rising]

Two reasons:
1) The disclaimer that anti-spam admins install saying that spam isn't allowed, but more importantly
2) The excessive abuse of system resources and user time.

Requesting a zone transfer isn't terribly abusive in terms of bandwidth (unless you're requesting a zone transfer from IBM or a fully-populated Class A in-addr.arpa zone...), and it takes no permanent resources. A mechanism exists and is in standard use to prevent unauthorized access.

With spam, its cumulative effect is terribly wasteful of bandwidth, it takes significant storage resources, and with the use of anti-spam software, it also takes valuable CPU resources. Furthermore, with the existence of the Presto service and other similar e-mail to printer gateways, it runs afoul of the anti-fax laws (the intent of which was to prevent others from "spending your money" in an abusive manner). Unlike DNS servers, the functional configuration of an SMTP server is to accept e-mail by default; no other configuration is functionally useful for a vast majority of cases, nor can spam be blocked before or during delivery without extensive analysis (and then unreliably).

A DNS server is, as some people have analogized, like a club - private, but with a public interface. The owner can choose to lock the door or only admit certain people. An SMTP server is more like a phone line - anyone can call, but harassing calls and unsolicited calling in violation of the do-not-call laws are forbidden despite the open access.

consequence of bad computer crime laws

[j0nb0y]

Most states have computer crime laws that pretty much say this: It is illegal to access a computer that you are not authorized to access.

This basically means that if you don't have written permission to access a computer, you can't access it legally.

So everyone who uses computers breaks the law, and the law is only truly defined by who prosecutors decide to prosecute.

This state of affairs is completely ridiculous, but unless you find a tech savvy Judge, the situation is unlikely to be changed through the courts.

Re:consequence of bad computer crime laws

[mcvos]

By this reasoning, looking at a website without written permission of the webmaster would be illegal too. The Judge has basically declared the internet illegal.

Re:consequence of bad computer crime laws

[morgan_greywolf]

It IS completely ridiculous. I doubt very much that OSDN or SourceForge (or whatever they're called this week) wants to have to give explicit permission to each and every user on Slashdot, but that's what it appears to have come to because judges are techno-illiterates.

If a service is running on a machine connected to the Internet and that service is obviously not secured, then the only thing that can be assumed is that permission to use that service is implicitly granted, especially in absence of notices stating otherwise.

IOW, if you run a Web server on port 80 and require no authentication, then it can be easily assumed that you intend to publish any materials served via the Web server to the public Internet -- you expect people to access it.

Ditto if you run a DNS service that allows zone transfers to all comers -- you expect that DNS zone transfer will occur and no one will need permission from you to do so.

To rule otherwise is nothing but pure stupidity.

Re:consequence of bad computer crime laws

[CastrTroy]

The act of putting up a website (or any other internet server) on the public internet should be enough to say the operator of the server gave you permission to access it. If you don't want people accessing your server, at least put a password on it for basic access control, or if it requires more security, than put it behind a VPN/Firewall box.

Re:consequence of bad computer crime laws

[strangel]

The reason people say that a judge declared something illegal is that in order for there to be consequences in such a case, there must be a trial. A trial will always go through a judge, so a judge always has to interpret the law. Part of this interpretation depends upon past precedent...therefore it is possible that if the next judge isn't bright enough to recognize a bad precedent when he/she sees one, he/she will follow the precedent. This further strengthens the precedent for later cases.

Re:consequence of bad computer crime laws

[parnasus]

If a service is running on a machine connected to the Internet and that service is obviously not secured, then the only thing that can be assumed is that permission to use that service is implicitly granted..

This kind of law would actually err the OTHER way, in that any vulnerability in a system which exposes a service to the Internet could be construed as giving permission. With the number of drive-by-downloads, no one can say HOW that service got installed/started on the system, but once it's there, there is no deterrent to prevent anyone from being able to take advantage of the resources which have been "... implicitly granted ..." on a "... service [which] is obviously not secured."

Both versions presented are draconian in their scope. Some formulation of intent needs to be incorporated into the law or it will be as effective as legislating that water is no longer wet.

Re:consequence of bad computer crime laws

[roggg]

Does an improperly configured mail server invite relay abuse? Does an unsecured FTP server imply everyone's free to download whatever is on it, or offer consent for the public to upload stuff for temporary storage for later distribution to their buddies? Well, aside from your use of the word "abuse", I would say the answers could reasonably be "yes" and "yes". There is no such thing as an improper configuration. (Okay, well, there is, but that's not what we're talking about here.) A server may be misconfigured with regards to the intended configuration, but how am I supposed to know that? Open servers are a valid and possibly intended configuration. It shouldn't be up to me to guess the intent of the network administrators, especially when it comes to an ISP. Shouldn't an ISP of all entities have the knowledge to properly configure their own network? Why wouldn't I assume open servers are open by intent.

Re:DNS illegal now? Read again.

[tgd]

See this is why we need a (-1 Informative) moderation... because clearly from the tone of the post and the the majority of the replies, rational response is not the goal of this story submission.

Computer systems vs human systems

[mlwmohawk]

What I find interesting is that "computer systems" i.e. networks, disk drives, files, etc. ae well understood by us computer folk. What is "obvious" to us has come from a lot of experience and learning. More over, in constructing things like the internet, we develop a lot of "rules" that make sense within this context.

In the non-nerd world, a lot of the rules created by us nerds run afoul of what most people expect. DNS is a perfect example. To us, it is MADE to serve data. If you put data into DNS, you've made it public. To the rest of the world, however, that doesn't make sense. Its the same issue with HTTP. We see putting stuff on a web site as making it public, but non-nerds see things like deep linking a violation of their site because it does not promote the interaction they expect (viewing ads etc.) and have invested in. To them, you are circumventing their revenue model.

I'm not 100% sure we're 100% right. I don't think we are wrong in our views, but I see the gray area between the two.

Re:Computer systems vs human systems

[pla]

I'm not 100% sure we're 100% right

Since we made the whole damned ball of wax for our own amusement, and Joe Public decided to tag along for the free porn, I'd have to say that yes, only the geek interpretation matters. Joe can thank us (as can the Hunters of Commerce who hungrily stalk Joe and his kind), but his "interpretations" of the scenario simply do not matter.

If you don't understand the rules of poker and try to play, you'll go home shirtless. The same idea applies here. If they want into our game, they'd damned well better learn the rules before playing for anything more than token plastic chips.


The only "crime" here results from a judge who doesn't understand that DNS servers exist to serve, unless told otherwise (a not difficult task). Yes, you could say the defendant "harassed" the company - Which the company could have stopped with one line in a config file.

Re:Why am I not suprised?

[plover]

That's not at all true. The judges I've had dealings with have been damn smart people.

What you're forgetting is that in most court cases, the defendant is there for one of two possible reasons: they really weren't responsible, or they were responsible but are now lying about it. And the plaintiff or complainant is there to make sure something "legal" happens in their favor, and they're not above lying to get their desired outcome, either. Usually there's a lot of both. That means the judges are professionally sitting at the mouth of a never ending river of bullshit, and they have to keep control of the situation.

It's not that judges can't or refuse to understand the technology; it's that the cases are about the people, which is where their focus must remain. The computer didn't act of its own accord. It operated under the direction of its owner. The question of "was there malicious intent?" has nothing to do with DNS or any other logic-based technology and everything to do with the two guys standing in the courtroom.

Re:Facts from the ruling

[codefool]

It's more like dressing up like a repairman, going through the unlocked gate, the unlocked door, and raiding the unlocked refrigerator. He clearly took all precautions to not be detected and this passes the "walks like a duck" test. His past behavior and public admissions did not help his case. While I wish all the court documents were available, I've read the finding of fact and law and I agree with it. He dug himself a deep hole and now he can't climb out of it.

Re:DNS illegal now? Read again.

[squiggleslash]

What's absolutely hilarious about this are the number of replies to this article complaining about "clueless" Judges who "don't understand the issues" and aren't prepared to "read the evidence" right in front of them. Uh-hum. Because all you guys did, right?

A human analogy

[oz1cz]

I can lock my house, but even if I do not do so, you will still be trespassing if you enter my house.

Re:Facts from the ruling

[squiggleslash]

Well, the ruling's more like being told that you can't enter a shop that happens to have a door unlocked at the front after you've repeatedly entered it and been told explicitly to go away because the shop's not open yet.

Re:beware

[cheater512]

Regular DNS lookups will be illegal next if the law keeps going down hill like this.

Maybe I'll patent that idea....

Your example is wrong

[thejuggler]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.


--
Just because the door is unlocked does not mean you have permission to enter.

Re:Your example is wrong

[j-pimp]

Just because the door is unlocked does not mean you have permission to enter.

Well look at it this way. If I walk into a laundromat and there is no attendant on duty I would not consider myself trespassing. No reasonable person would. I've been to laundromats without attendants on duty. I assume someone opens them up ion the morning, locks them up in the evening and periodically comes buy to refill the vending machines and the like.

If I am a reasonable person on the internet, and a server responds to a zone transfer request, I expect that I am authorized to look at this information,

Re:Your example is wrong

[Skreems]

This is more like walking up to someone, asking them if you can have 10 dollars please, and being arrested for theft when they willingly give it to you.

Re:Your example is wrong

[ultranova]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.

True, because entering someone's home without the owner's explicit permission is not part of expected procedure. A more appropriate analogue would be to leave the doors to a shop unlocked during normal business hours and complaining that the people who step inside are trespassing; this correctly captures the idea that the whole purpose of a DNS server is to answer incoming queries.

Re:DNS illegal now? Read again.

[Pharmboy]

This is *exactly* why I wish moderators could moderate the actual Slashdot article. Not digg style free for all, but I would used one of my mod points (dont have today) to push it off the front page into the "another stupid article that the slashdot editors didn't look at very well" pile. Getting more of those in the last year...

"Your example is wrong" is wrong.

[roggg]

Your DNS server is not your house. It's your store. Yes, it's private and belongs to you, but it has a public interface. People walk into your store when it's unlocked because the door is the public interface, and the lock on the door is how the owner meters or controls access. DNS servers are much the same. They serve up a public interface. Making a DNS request of an open server should be no more illegal than walking into the 7/11. If they don't lock it, how am I supposed to know it's closed?

Re:Purpose is important to the law.

[Bert64]

Potentially it is, it's vigilante justice and legally should be left to the police (not that they will actually be capable of doing so).