Slashdot Mirror


Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"


  1. not only Verisign by Tom · · Score: 5, Insightful

    Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

    Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

    Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

    Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not only Verisign by Anonymous Coward · · Score: 4, Interesting

      If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

      Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

      Vixie - you can't have it both ways. If these are your real feeling then I call on you to resign your position on the Advisory Board at Nominum.

    2. Re:not only Verisign by NoYob · · Score: 5, Interesting

      > Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

      Every technological marketing gimmick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

      And so would most of you, too.

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    3. Re:not only Verisign by ChipMonk · · Score: 3, Informative

      Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.

    4. Re:not only Verisign by ChipMonk · · Score: 2, Insightful

      When your ISP gives you DNS server addresses in your paperwork...

      When your ISP gives you name(s) for POP3 service (and maybe NNTP also), rather than addresses, and those names are within the ISP's domain...

      Then a working DNS, administered by the ISP, is part of the service. Without it, the ISP is unable to offer the services stated to their customers in their paperwork.

      Yes, maybe it's contracted out. But that doesn't change the ISP's responsibility to its customers, or its liability when service fails.

    5. Re:not only Verisign by hairyfeet · · Score: 2, Interesting

      I actually haven't seen the OpenDNS page but 3 times in 4 years, and in each case I misspelled the address so horribly wrong that the amazing Randi would have gone WTF? So I would have to give OpenDNS a thumbs up in that regard. And come to think of it I don't remember seeing the OpenDNS page since running Treewalk, only the basic 404, so maybe having it run as a middle man kills it.

      And the "doesn't let you send DNS requests to any other server than theirs" was why I suggested Treewalk to OpenDNS. I haven't tried it on every ISP, but from what I understand OpenDNS pretty much "just works" and Treewalk is so simple even a kid could get it set up. It is pretty much "clicky clicky next next next" and once you have your main websites cached your need to use DNS queries goes WAY down, at least in my experience.

      So if you have an old box lying around (I set up one for a customer using Treewalk on a 400 MHz box with 128 MB of RAM and it ran like a champ) Treewalk on an old Win2K box pointed at OpenDNS seems to me to be the easiest way to have a nice caching DNS server that "just works". It is free, it is easy, what more could you want out of a caching DNS?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    6. Re:not only Verisign by pjt33 · · Score: 2, Interesting

      Using a local installation of dnsmasq for your DNS server does, however, allow you to work around NXDOMAIN hijacking, assuming that your ISP uses a consistent IP address for its hijack.
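
The workaround above depends on first knowing that your resolver rewrites NXDOMAIN and which address it substitutes. The following is an added example (not code from this thread, from dnsmasq or from ISC) of the check a defender would run: build an A query for a random, almost certainly unregistered label, then parse the raw reply and decide whether it was answered truthfully. It sends no traffic; the two replies are constructed inline, and `example.com` and `192.0.2.10` are placeholders.

```python
"""Detect NXDOMAIN rewriting by inspecting raw DNS replies.

Added example, not from the Slashdot thread, dnsmasq or BIND. Nothing here
touches the network: replies are constructed inline to mimic an honest
resolver (RCODE 3, NXDOMAIN) and a rewriting one (RCODE 0 plus a synthetic
A record), which is the case dnsmasq's bogus-nxdomain option is meant to undo.
"""
from __future__ import annotations

import secrets
import struct

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
TYPE_A = 1


def build_probe_query(zone: str, txid: int = 0x1234) -> tuple[bytes, str]:
    """Wire-format A query for a random 16-hex-character label under *zone*.
    The name is almost certainly unregistered, so a truthful resolver must
    answer NXDOMAIN; any A record that comes back was synthesised en route."""
    qname = f"{secrets.token_hex(8)}.{zone}"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", TYPE_A, 1)  # QTYPE A, QCLASS IN
    return header + question, qname


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the transaction id, RCODE and any A-record addresses."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "addresses": addresses}


def classify(response: bytes) -> str:
    """'honest' for NXDOMAIN, 'rewritten' when the probe got an address,
    'other' for anything else (SERVFAIL, an empty NOERROR, ...)."""
    parsed = parse_response(response)
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["addresses"]:
        return "rewritten"
    return "other"


def constructed_reply(query: bytes, rewrite_to: str | None) -> bytes:
    """Constructed fixture: echo the question back as a reply, either as
    NXDOMAIN or with one A record pointing at the placeholder *rewrite_to*."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    if rewrite_to is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question  # QR RD RA, RCODE 3
    rdata = bytes(int(octet) for octet in rewrite_to.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + rdata  # name = pointer to offset 12
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    query, name = build_probe_query("example.com")
    print(name, "->", classify(constructed_reply(query, None)))          # honest
    print(name, "->", classify(constructed_reply(query, "192.0.2.10")))  # rewritten
```

Against a live resolver you would send the bytes from `build_probe_query` over UDP port 53 and pass the reply to `classify`; a "rewritten" verdict, repeated across several random labels, also tells you the substituted address to feed to dnsmasq.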

    7. Re:not only Verisign by rcolbert · · Score: 2, Insightful

      I think there's a reasonable expectation that when you attempt to resolve 'foo.com' through the domain name system, that you are returned an address that was in fact registered properly as 'foo.com' using the accepted methods for doing so. I think there's a reasonable expectation when you use the DNS protocol that protocol compliance is expected. Substituting a DNS query response with an IP address that is not registered under the name queried breaks protocol and is fraudulent. The fact that in the use case described the activity is for merely annoying advertising is somewhat beside the point. By participating in DNS your ISP is part of the Internet, and certain standards should be upheld. If your ISP wants to run a private namespace they should either sell it as such or make it obvious that it's not the world wide domain name system we all expect it to be.

    8. Re:not only Verisign by mibh · · Score: 2, Interesting

      actually i can have it both ways. i was a co-founder and was the first board chairman of nominum, and i still have many friends there. they know exactly how i feel about typosquatting. their product is smarter and tamer than others i can think of, but i still complain to them about it. i'm happy to be able to advise them on other matters.

    9. Re:not only Verisign by bruce_the_loon · · Score: 2, Informative

      BIND has Windows binaries for XP/2003/2008

      https://www.isc.org/downloadables/11

      --
      Trying to become famous by taking photos. Visit my homepage please.
    10. Re:not only Verisign by mindstrm · · Score: 2, Insightful

      It's not a problem per se - but everyone running a caching DNS server on their PC, because they can't trust the ISP, while seemingly beneficial now, has problems in theory down the road. The point of an ISP having a caching nameserver is so that queries get cached closer to home, and for a larger segment of the network. If *every* end client had their own full caching nameserver, rather than relying on a hierarchy, we'd have a tragedy of the commons, and the load on the authoritative servers would go way, way up.

      If network operators stuck to not interfering with DNS, and used it as intended, people wouldn't see the need to work around (and potentially, eventually, invalidate) the model.

  2. what it is becoming by phantomfive · · Score: 3, Interesting

    Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

    Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.

    --
    Qxe4
    1. Re:what it is becoming by greensoap · · Score: 2, Insightful

      I would argue that IP Masquerading became popular because all of the home consumers had a single IP address access point to their ISP and multiple devices in the home that needed a connection. High speed home access got affordable and prevalent (outside of major cities) right around '99. At the same time, home access network gateways started having an internet port and four internal network ports with NAT built in to provide the private-public IP translation. IPv4 vs. IPv6 was not as much of an issue as ISPs not wanting to encourage home users to use multiple machines (increasing bandwidth). You might argue that ISPs didn't offer multiple public IPs because of scarcity, but that wasn't true in '99-'00. It was purely to discourage bandwidth usage and justify charging more for more robust services that provided multiple IPs.

    2. Re:what it is becoming by phantomfive · · Score: 2, Insightful

      In fact, that was a great use for masquerading, to get around silly limits by ISPs. The objection is that masquerading eventually became a crutch to avoid switching to IPv6, which wasn't a great use for masquerading.

      --
      Qxe4
    3. Re:what it is becoming by TheRaven64 · · Score: 2, Informative

      I think you're missing his point. It's easy to do, because he does hide it quite well behind a large wall of text. DNS, as Vixie (awesome name) rightly says, should be a cacheable mapping. The result should depend on the query and nothing else. It should not depend on who your ISP is. It should not depend on your geographical location. If you do a DNS lookup from your computer, you should get exactly the same result that I get from my computer at the same time, irrespective of where we both are in the network topology. This is a fundamental aspect of DNS and lots of software has been written on top of the assumption that this is how DNS works. Changing this is going to break things in fun and exciting ways.

      A real-time block list is a perfectly acceptable use of DNS. It maps from a domain name to some information, in this case whether the IP is a known spammer. Putting geolocation information and telephone numbers into DNS are also valid uses. They express facts that don't change depending on who is asking for them. The page is a bit confusing because he uses 'policy' to mean 'information that depends on who is asking'. A better word would be 'propaganda'.

      By the way, he also makes the point that domain names should be written the other way around if you want autocompletion (e.g. org.slashdot.tech). It's worth noting that the Joint Academic Network (JANET) in the UK did write them this way around, which meant things like tab-completion of hostnames could work nicely. It was forced to change because the rest of the world was writing them the wrong way around.

      --
      I am TheRaven on Soylent News
  3. Don't be a baby! by iYk6 · · Score: 5, Insightful

    So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

    Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

    Basically, AC, people you work with will make decisions you disagree with. It is important that you put up with it, and not be a big baby.

    1. Re:Don't be a baby! by shentino · · Score: 2, Insightful

      There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.

      If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.

      If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. There are other companies who could put my advice to a lot better use, which are currently going without thanks to my current asshole of a client.

      Don't forget about society's opportunity cost.

    2. Re:Don't be a baby! by ObsessiveMathsFreak · · Score: 2, Insightful

      > So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems.

      The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. They're not interested in the facts, or how things should be done. They're interested in giving money and control to private companies.

      By participating in such boards, Paul Vixie and people like him are choosing to be part of the problem.

      --
      May the Maths Be with you!
  4. Breaking the standards to implement policy by kimvette · · Score: 3, Interesting

    Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Breaking the standards to implement policy by DaveGillam · · Score: 3, Informative

      SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. Some spammers use SPF and SenderID records to give their spam a higher sense of legitimacy. A spammer cannot forge "paypal.com" because PayPal publishes SPF records. A spammer CAN pretend to be PayPal by using a look-alike domain with its own set of SPF records (i.e. paypall.com, paypal.org). SPF and SenderID simply publish what IPs are authorized to send email claiming to be from a particular domain. DKIM does essentially the same thing, but is arguably better since it uses a cryptographic mechanism to assure the message in question was not appreciably altered in transit.

  5. CDNs are good thing by jcam2 · · Score: 3, Insightful

    While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the client's location or for load balancing purposes is an extremely useful technique for large companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.

    Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding unnecessary cross-planet network traffic. And even if Google gets it wrong, they are no worse off than if they never implemented this in the first place.

    1. Re:CDNs are good thing by Ash-Fox · · Score: 2, Insightful

      I suspect anycast would be a better method, honestly.

      --
      Change is certain; progress is not obligatory.
    2. Re:CDNs are good thing by QuantumRiff · · Score: 2, Informative

      He argues that the problem is, the client doesn't usually hit the DNS server; the client's DNS server only does after it expires its own local cache.

      Just because your ISP's DNS servers are sitting in LA, doesn't mean you are. You could be in Seattle, and using those DNS servers, or out in the world, on the work VPN, using their DNS server in downtown Chicago. That's how many people get around regional restrictions now, in fact.

      People have shoehorned DNS into something that it is neither efficient at nor designed to do.

      --
      What are we going to do tonight, Brain?
    3. Re:CDNs are good thing by rekoil · · Score: 2, Informative

      > I suspect anycast would be a better method, honestly.

      And you'd be completely, utterly wrong. I've seen anycast resulting in some mind-numbingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".

      This might be OK for simple DNS queries, but for actual web sites it is a True Path To Pain.

    4. Re:CDNs are good thing by John+Hasler · · Score: 2, Informative

      > For example, check out what www.google.com resolves to from different
      > countries or even at different times - depending on where you look it up from
      > and what network links are up, you will get a different set of IPs.

      According to Google I spent the last two weeks of October jumping around between Japan, France, Spain, and Britain.

      I never left Wisconsin. And no, I was not using Tor or a VPN or any such thing.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:CDNs are good thing by kegon · · Score: 2, Insightful

      > Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness

      I disagree.

      Getting the wrong web page is not helpful. For example, go to Japan and look up some big name website, e.g. google.com, and you get it localized into Japanese. I didn't want google.co.jp, I wanted google.com. How does DNS know what language I speak?

      Many, many times I tried to look up the website of a big American or European company while in Japan and I could only get the Japanese language version. No matter which page I tried to get, brain dead websites trust DNS absolutely and always redirect to a Japanese language page. Japanese friends have these same problems all the time. One friend wanted to buy something from an American company and get it shipped but he simply couldn't check out the specification because they had closed their local operation and all requests originating from Japan were redirected to the local website apologizing for closing their local store.

      These examples are not isolated; users in other countries must suffer similar problems. Stop abusing DNS is the answer.

  6. The two examples don't seem anything alike ... by Wrath0fb0b · · Score: 4, Interesting

    Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

    What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached response closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

    His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

    Finally, his "solution" -- that CDNs rely on dumb ("pseudorandom" is his fancy way of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distant from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assign me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

    Please don't confuse his (for the foregoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

    1. Re:The two examples don't seem anything alike ... by BitZtream · · Score: 4, Insightful

      Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement whatsoever from dynamic DNS.

      Akamai could use DNS with traditional cache times and still redirect to the right node via HTTP redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permanent redirection' or 'this is only temporary, next time ask me again'.

      I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  7. News to me by Anonymous Coward · · Score: 2, Interesting

    > Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy "auto-completion." This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It's not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won't actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.

    Which browsers actually do this? Is Mozilla actually participating in that nonsense?

  8. facts by epine · · Score: 2, Interesting

    Interesting echo from FAQ which I read the other night. The original contains a lot of italic I'm not going to replicate.

    > An important fact about monotone's networking is that it deals in facts rather than operations. Networking simply informs the other party of some facts, and receives some facts from the other party. The netsync protocol determines which facts to send, based on an interactive analysis of "what is missing" on each end. No obligations, transactions, or commitments are made during networking. For all non-networking functions, monotone decides what to do by interpreting the facts it has on hand, rather than having specific conversations with other programs.

    The closer one lives to the foundation, the stronger the argument for a fact-based architecture. DNS is about as foundational as one can get in internet security. Interestingly, the architecture of monotone is highly cryptographic, and somewhat reminiscent of DNSSEC from the 40,000 foot view.

    The people who don't see the problem with mixing fact and policy are likely the same people who don't regard it as a big problem that your credit card number is widely distributed in plain text: to every vendor you do business with, many of their employees, the trash collectors out back, and their governing union.

    Why is it that some guy on the GPS thread complained that the police are free to criminalize driving under the age of 18 (to collect more revenue) and effectively act as their own judge, jury, and executioner (in the corrupt towns where this practice becomes established), but there is generally less complaint about VISA architecting themselves the same powers?

    If the police collected a 2% slice of gasoline revenues and awarded bonus points for trips to Hawaii in any year where you keep your license clear and generally found other clever ways to rebate unpenalized drivers the 2% (with enough hidden strings attached it doesn't ultimately cost them much), would they be as loved as the VISA company? Just asking.

    Dan Ariely asks, Are we in control of our own decisions?

    Turns out it depends on how you frame the question. If the question is: do you want the DNS system to become so badly abused it might as well have been designed by a bank, you might get one answer. If the question is: do you want DNS optimized so your porn streams with ten seconds less delay between clips, you probably get the other answer.

    I vote for facts. That said, I will say one thing in defense of Akamai: one can construe CDN as a fact-based system, if the factoids you are dealing in are that "this IP address can deliver the content you want". Ideally, you already have a secure hash signature of the file you're seeking so it can't play too many games with the notion of "the file you want".

    I don't see why DNS needs the facts to be so low level as "this is the same IP address everyone else gets for the same query". There could be a good reason, but Vixie's excellent article fell short of providing it.

    Ideally, the CDN problem would have been solved with another layer of delegation: the content you are seeking can be obtained from a vast array of different places, here's an authoritative address for a highly overloaded server; if you're in a hurry go talk to xxx.xxx.xxx.xxx to find a location near you. Then the caching proxy can send a request with the header "I represent a client in the Pacific Northwest" rather than sending back to the client the name of the video store where client's attorney rents his own porn.

  9. IP over DNS by nemesisrocks · · Score: 2

    Is everyone here forgetting IP over DNS? How else would I get free internet at paid wifi access points??

  10. Listen to this man! by TrisexualPuppy · · Score: 2, Informative
    He is a credible source. For a little background, he wrote one of the most popular cron daemons.

    (Wiki) With the advent of the GNU Project and Linux, new crons appeared. The most prevalent of these is the Vixie cron, originally coded by Paul Vixie in 1987. Version 3 of Vixie cron was released in late 1993. Version 4.1 was renamed to ISC Cron and was released in January 2004. Version 3, with some minor bugfixes, is used in most distributions of Linux and BSDs.

    I met Vixie some number of years ago in Vegas and he blew my mind away with his insight. He's spot on once again in this article.

  11. Re:Mod parent UP by Hal_Porter · · Score: 2, Funny

    Mod parent down, Anonymous Coward is a known troll.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  12. He is absolutely right! by FrankDerKte · · Score: 2, Interesting

    It all comes down to trust. If my ISP changes the answers of the root server for nonexistent addresses, how do I know they don't do it for other addresses, too? And if they use something like deep packet inspection to select my DNS requests and redirect them to their server, it's actually a man in the middle attack. Also known as DNS spoofing and used by many criminals to collect all sorts of information.

    Seriously, we have to stop taking crap from those return of investment and cash flow management idiots, who think they can change the way everything works, because they own the infrastructure.

    As slashdotters seem to like car analogies, would anyone of you use a navigation system which would give you directions for nonexistent streets? I would throw it out of my car.

    Probably I should write a script which just asks for a bogus URL every ms. Also it would follow every link on this site. Let's see for how long this practice is being used if every DNS request is answered by a web site and all their advertisement contractors have to pay for "clicks" by a stoopid script?