Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"

them dollar

Well Paul, in this world it all depends on how much money you throw at it.

not only Verisign

[Tom]

Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

Re:not only Verisign

[ChipMonk]

When your ISP gives you DNS server addresses in your paperwork...

When your ISP gives you name(s) for POP3 service (and maybe NNTP also), rather than addresses, and those names are within the ISP's domain...

Then a working DNS, administered by the ISP, is part of the service. Without it, the ISP is unable to offer the services stated to their customers in their paperwork.

Yes, maybe it's contracted out. But that doesn't change the ISP's responsibility to its customers, or its liability when service fails.

Re:not only Verisign

[rcolbert]

I think there's a reasonable expectation that when you attempt to resolve 'foo.com' through the domain name system, that you are returned an address that was in fact registered properly as 'foo.com' using the accepted methods for doing so. I think there's a reasonable expectation when you use the DNS protocol that protocol compliance is expected. Substituting a DNS query response with an IP address that is not registered under the name queried breaks protocol and is fraudulent. The fact that in the use case described the activity is for merely annoying advertising is somewhat beside the point. By participating in DNS your ISP is part of the Internet, and certain standards should be upheld. If your ISP wants to run a private namespace they should either sell it as such or make it obvious that it's not the world wide domain name system we all expect it to be.

Re:not only Verisign

[mindstrm]

IT's not a problem per-se - but everyone running a caching DNS server on their PC, because they can't trust the ISP, while seemingly beneficial now, has problems in theory down the road. The point of an ISP having a caching nameserver is so that queries get cached closer to home, and for a larger segment of the network. If *every* end client had their own full caching nameserver, rather than relying on a heirarchy, we'd have a tragedy of the commons, and the load on the authoritative servers would go way, way up.

If network operators stuck to not interfering with DNS, and used it as intended, people wouldn't see the need to work around (and potentially, eventually, invalidate) the model.

Don't be a baby!

[iYk6]

So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

Basically, AC, people you work with will make decisions you disagree with. It is important that you put of with it, and not be a big baby.

Re:Don't be a baby!

[shentino]

There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.

If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.

If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. There are other companies who could put my advice to a lot better use, which are currently going without thanks to my current asshole of a client.

Don't forget about society's opportunity cost.

Re:Don't be a baby!

[ObsessiveMathsFreak]

So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems.

The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. they're not interesting in the facts, or how things should be done. They're interested in giving money and control to private companies.

By participating in such boards, Paul Vixie and people like him are choosing to be part of the problem.

CDNs are good thing

[jcam2]

While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the clients location or for load balancing purposes is an extremely useful technique for last companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.

Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding un-necessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.

Re:CDNs are good thing

[Ash-Fox]

I suspect anycast would be a better method, honestly.

Re:CDNs are good thing

[kegon]

Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness

I disagree.

Getting the wrong web page is not helpful. For example, go to Japan and look up some big name website, e.g. google.com and you get it localized into Japanese. I didn't want google.co.jp, I wanted google.com. How does DNS know what language I speak ?

Many, many times I tried to look up the website of a big American or European company while in Japan and I could only get the the Japanese language version. No matter which page I tried to get brain dead websites trust DNS absolutely and always redirect to a Japanese language page. Japanese friends have these same problems all the time. One friend wanted to buy something from an American company and get it shipped but he simply couldn't check out the specification because they had closed their local operation and all requests originating from Japan were redirected to the local website apologizing for closing their local store.

These examples are not isolated; users in other countries must suffer similar problems. Stop abusing DNS is the answer.

Re:what it is becoming

[greensoap]

I would argue tht IP Masquerading became popular because all of the home consumers that had a single ip address access point to their ISP and multiple devices in the home that needed a connection. High speed home access got affordable and prevalent (outside of major cities) right around '99. At the same time, home access network gateways started having an internet port and four internal network ports with NAT built in to provide the private-public IP translation. IPv4 vs. IPv6 was not as much as an issue as ISP's not wanting to encourage home users to use multiple machines (increasing bandwidth). You might argue that ISP's didn't offer multiple public IPs because of scarcity, but that wasn't true in '99-'00. It was purely to discourage bandwidth usage and justify charging more for more robusts services that provided multiple IPs.

Re:what it is becoming

[phantomfive]

In fact, that was a great use for masquerading, to get around silly limits by ISPs. The objection is that masquerading eventually became a crutch to avoid switching to IPv6, which wasn't a great use for masquerading.

Re:The two examples don't seem anything alike ...

[BitZtream]

Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement what so ever from dynamic DNS.

Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permeant redirection' or 'this is only temporary, next time ask me again'

I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.