Slashdot Mirror


Paul Vixie On What DNS Is Not

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"

11 of 164 comments

  1. not only Verisign by Tom · · Score: 5, Insightful

    Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

    Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST respond truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

    Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

    Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:not only Verisign by Anonymous Coward · · Score: 4, Interesting

      If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

      Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

      Vixie - you can't have it both ways. If these are your real feelings then I call on you to resign your position on the Advisory Board at Nominum.

    2. Re:not only Verisign by NoYob · · Score: 5, Interesting
      Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

      Every technological marketing gimmick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

      And so would most of you, too.

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    3. Re:not only Verisign by ChipMonk · · Score: 3, Informative

      Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.
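
The wildcard in the summary and the ISP behaviour Tom and ChipMonk describe both show up the same way on the wire: an address comes back for a name that cannot exist. The following is an added example, not code from Vixie's article or from any poster here. It builds a DNS query for a random label, parses the reply (including compression pointers) and classifies it; the two sample replies and the 192.0.2.10 "ad server" address are constructed for the example, and `example.com` is only an assumed probe zone.

```python
"""Classify a DNS reply to a random, nonexistent name as an honest NXDOMAIN
or a rewritten answer (SiteFinder-style wildcard, or a resolver that swaps
in an ad server).  Added example; sample packets are constructed by hand."""
import random
import socket
import string
import struct

def build_query(name, txid=None, qtype=1):
    """Wire-format query for `name` (type A by default) with RD set."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, next_off)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return txid, rcode, question name and answer RRs (A rdata decoded)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                           # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"txid": txid, "rcode": flags & 0x0F, "qname": qname,
            "answers": answers}

def classify(msg):
    """'honest-nxdomain', 'rewritten' (an address for a name that cannot
    exist) or 'inconclusive' (SERVFAIL, REFUSED, empty NOERROR, ...)."""
    r = parse_response(msg)
    if r["rcode"] == 3:
        return "honest-nxdomain"
    if r["rcode"] == 0 and any(t == 1 for _, t, _, _ in r["answers"]):
        return "rewritten"
    return "inconclusive"

def random_probe_name(zone):
    """A label that will not exist under `zone` unless something is lying."""
    label = "".join(random.choice(string.ascii_lowercase + string.digits)
                    for _ in range(12))
    return f"{label}.{zone}"

def probe_resolver(server, zone="example.com", timeout=3.0):
    """Send one UDP probe and classify the reply (needs a network).  Pointing
    this at a resolver you trust rather than your ISP's and still getting
    'rewritten' is the signature of transparent port-53 interception."""
    query = build_query(random_probe_name(zone))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return classify(reply) if reply[:2] == query[:2] else "inconclusive"

def build_response(query, rcode, a_records=()):
    """Fabricate a reply to `query`; used only to build the samples below."""
    txid = struct.unpack(">H", query[:2])[0]
    _, qend = read_name(query, 12)
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b""
    for ip in a_records:                               # name = pointer to the question
        rrs += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:qend + 4] + rrs

# Constructed samples: one probe and the two kinds of reply it can get.
PROBE = "k3x9q2m1z7ab.example.com"
QUERY = build_query(PROBE, txid=0x1234)
HONEST = build_response(QUERY, rcode=3)                # NXDOMAIN, no answers
REWRITTEN = build_response(QUERY, rcode=0, a_records=["192.0.2.10"])
```

`classify(HONEST)` yields `honest-nxdomain` and `classify(REWRITTEN)` yields `rewritten`. The probe name is random on every call so a resolver cannot whitelist it, and the transaction ID check in `probe_resolver` drops stray replies. A NOERROR with no A records (for instance a CNAME chain) is deliberately left `inconclusive` rather than guessed at.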

  2. what it is becoming by phantomfive · · Score: 3, Interesting

    Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

    Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.

    --
    Qxe4
  3. Don't be a baby! by iYk6 · · Score: 5, Insightful

    So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

    Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

    Basically, AC, people you work with will make decisions you disagree with. It is important that you put up with it, and not be a big baby.

  4. Breaking the standards to implement policy by kimvette · · Score: 3, Interesting

    Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    1. Re:Breaking the standards to implement policy by DaveGillam · · Score: 3, Informative

      SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. Some spammers use SPF and SenderID records to give their spam a higher sense of legitimacy. A spammer cannot forge "paypal.com" because Paypal publishes SPF records. A spammer CAN pretend to be Paypal by using a look-alike domain with its own set of SPF records (i.e. paypall.com, paypal.org). SPF and SenderID simply publish what IPs are authorized to send email claiming to be from a particular domain. DKIM does essentially the same thing, but is arguably better since it uses a cryptographic mechanism to assure the message in question was not appreciably altered in transit.
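
DaveGillam's point is easy to see by running the check. The block below is an added example, not from the article or from any poster: a small SPF evaluator covering the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers. The TXT records are constructed and stand in for DNS lookups (the real paypal.com record is not consulted), and the addresses are documentation ranges. Mechanisms that need further DNS (`a`, `mx`, `ptr`, `exists`) and the `redirect` modifier are reported as `permerror` rather than guessed.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over constructed zone data.
Added example; records and addresses below are made up for illustration."""
import ipaddress

# Constructed TXT records standing in for DNS.  paypall.com is the
# look-alike domain a spammer registers and publishes SPF for himself.
SPF_RECORDS = {
    "paypal.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8:1::/48 -all",
    "paypall.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain):
    """Stand-in for a TXT lookup; returns the v=spf1 record or None."""
    return SPF_RECORDS.get(domain.lower().rstrip("."))

def check_spf(domain, sender_ip, depth=0):
    """Evaluate `domain`'s SPF record for `sender_ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                       # RFC 7208 limit on DNS-causing terms
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:  # modifier (exp=, redirect=): not handled
            if term.lower().startswith("redirect="):
                return "permerror"
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:                            # a, mx, ptr, exists need live DNS
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # no term matched and no 'all'

def check_mail_from(mail_from, sender_ip):
    """SPF is keyed on the MAIL FROM domain, not on how the name looks."""
    return check_spf(mail_from.rsplit("@", 1)[-1], sender_ip)
```

Sending as `alice@paypal.com` from 192.0.2.9 fails, but the same spammer sending as `alice@paypall.com` from the same address passes, because SPF only says which hosts may use a given domain; it says nothing about whether the domain is the one the recipient thinks it is.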

  5. CDNs are a good thing by jcam2 · · Score: 3, Insightful

    While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the client's location or for load balancing purposes is an extremely useful technique for large companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.

    Sure, determining a browser's location from the DNS client source IP is not totally reliable ... but it is accurate enough to significantly improve user-visible responsiveness by avoiding unnecessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.

  6. The two examples don't seem anything alike ... by Wrath0fb0b · · Score: 4, Interesting

    Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

    What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached responses closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

    His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

    Finally, his "solution" -- that CDNs rely on dumb ("pseudorandom" is his fancy way of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distant from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assign me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

    Please don't confuse his (for the foregoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

    1. Re:The two examples don't seem anything alike ... by BitZtream · · Score: 4, Insightful

      Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement whatsoever from dynamic DNS.

      Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permanent redirection' or 'this is only temporary, next time ask me again'

      I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager