×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Paul Vixie On What DNS Is Not

timothy posted more than 4 years ago | from the this-could-be-a-long-book dept.

The Internet 164

CowboyRobot writes "Paul Vixie (AboveNet, ARIN, ISC, MAPS, PAIX) has a fresh rant titled What DNS Is Not about the abuses of the Domain Name Server system. 'What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies. Because it works so well and is ubiquitous, however, it's all too common for entrepreneurs to see it as a greenfield opportunity ... a few years ago VeriSign, which operates the .COM domain under contract to ICANN, added a "wild card" to the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses. Instead they generated responses containing the address of SiteFinder's Web site — an advertising server.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

164 comments

frist (-1, Troll)

HomelessInLaJolla (1026842) | more than 4 years ago | (#30016228)

psot

Listen to this man! (4, Informative)

TrisexualPuppy (976893) | more than 4 years ago | (#30018264)

He is a credible source. For a little background, he wrote one of the most popular cron daemons.

(Wiki) With the advent of the GNU Project and Linux, new crons appeared. The most prevalent of these is the Vixie cron, originally coded by Paul Vixie in 1987. Version 3 of Vixie cron was released in late 1993. Version 4.1 was renamed to ISC Cron and was released in January 2004. Version 3, with some minor bugfixes, is used in most distributions of Linux and BSDs.

I met Vixie some number of years ago in Vegas and he blew my mind away with his insight. He's spot on once again in this article.

Mod parent UP (0)

Anonymous Coward | more than 4 years ago | (#30018272)

Wonderful post

Re:Mod parent UP (0)

Anonymous Coward | more than 4 years ago | (#30018694)

Mod down. GP is a known troll.

them dollar (0, Insightful)

Anonymous Coward | more than 4 years ago | (#30016248)

Well Paul, in this world it all depends on how much money you throw at it.

Sorry we didn't stay in your box (-1, Troll)

TommydCat (791543) | more than 4 years ago | (#30016270)

Isn't it funny how some parents can't seem to let go after the child has grown, especially when they greatly exceed expectation?

Re:Sorry we didn't stay in your box (0)

BitZtream (692029) | more than 4 years ago | (#30016288)

You still expect your child to not murder, cheat and steal, and you still expect them to be punished if they do. Regardless of how much they've grown.

Re:Sorry we didn't stay in your box (0)

Anonymous Coward | more than 4 years ago | (#30016732)

But /. philosophy states if the child murders, cheats, or steals it's due to bad parenting. So who should be punished? The child? The parents? Maybe the grand parents for failing to properly raise the parents?

Re:Sorry we didn't stay in your box (0, Offtopic)

BitZtream (692029) | more than 4 years ago | (#30016862)

Insufficient data.

You certainly punish the child, regardless of why the did it. If daddy puts a gun to your head and says kill this man or I kill you, you still committed a crime and have to be treated as such. The punishment does however take the parents into account in some limited cases, such as the parents still being the legal guardians of the child. When the child is no longer a child, but a consenting adult, then it really doesn't matter what the parents did. Adults are responsible for their own actions. PERIOD. Its not just about punishment, its about protecting the rest of the world as well.

If the child never had any direct interaction with the grandparents then they are clearly off limits.

If the parents were not involved after birth, and the grandparents were, they effectively become the parents and assume all responsibilities for that roll, they could have put the child up for adoption had they wanted to avoid those responsibilities.

You simply didn't not provide enough information.

Where does one find this so-called philosophy ? (1)

Archfeld (6757) | more than 4 years ago | (#30018188)

Besides in the dream world where you apparently live a great deal of your life ? I can see why you post as an AC.

Please... Stop... (1)

RulerOf (975607) | more than 4 years ago | (#30018570)

That metaphor you have there is almost as inappropriately overextended and overreaching as modern DNS technologies.

Re:Sorry we didn't stay in your box (1)

MightyMartian (840721) | more than 4 years ago | (#30017264)

But he has a point. DNS is very good at what it does, but when companies start mucking about with it, it's reliability becomes much more questionable. In the .com fiasco we had the DNS clearly abused with severe repercussions for general wide-scale network stability.

not only Verisign (5, Insightful)

Tom (822) | more than 4 years ago | (#30016274)

Many ISPs do it as well. Right now, my ISP does it, even though I've opted out. Maybe one of these days I'll sue them.

Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

Re:not only Verisign (4, Interesting)

Anonymous Coward | more than 4 years ago | (#30016310)

If your ISP does this, then there's a fairly good chance that the software they are using to do it is Nominum's CNS product.

Paul Vixie is on the Advisory Board for Nominum, who also make various other products which conflict with the views that Vixie has stated in this article.

Vixie - you can't have it both ways. If these are your real feeling then I call on you to resign your position on the Advisory Board at Nominum.

Don't be a baby! (5, Insightful)

iYk6 (1425255) | more than 4 years ago | (#30016442)

So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems. Everyone should only advise people who were going to make the decisions that the adviser was going to advise anyway. That way, all advisers are useless. And then ... what exactly is your end goal in making advisers useless?

Some people do resign from boards when the board repeatedly makes decisions that the adviser does not approve of. The rejection just gets to be too much for them, and so they quit. It is understandable, but the board suffers when the range of opinions decreases.

Basically, AC, people you work with will make decisions you disagree with. It is important that you put of with it, and not be a big baby.

Re:Don't be a baby! (2, Insightful)

shentino (1139071) | more than 4 years ago | (#30017388)

There is something to be said for not wasting your advice on a company that refuses to take it, especially when someone else can put your time to better use.

If the company is going to sink with or without your help, you may as well jump ship and rescue someone else instead of going down with them.

If I'm a consultant, I'm aware that my knowledge, and consequently, time, is a valuable resource. I'm not going to take a lot of crap from a company that pays me well just to have the privilege of ignoring me. There are other companies who could put my advice to a lot better use, which are currently going without thanks to my current asshole of a client.

Don't forget about society's opportunity cost.

Re:Don't be a baby! (2, Insightful)

ObsessiveMathsFreak (773371) | more than 4 years ago | (#30017844)

So he must stop advising a board who makes decisions that he disagrees with? Yeah, that will solve problems.

The problem is that a lot of these boards never listen to the advice of experts, they only want the presence of experts in order to confer legitimacy on their decision. These boards and committees have only the interests of industry at heart, not those of the public. they're not interesting in the facts, or how things should be done. They're interested in giving money and control to private companies.

By participating in such boards, Paul Vixie and people like him are choosing to be part of the problem.

Re:not only Verisign (1)

epine (68316) | more than 4 years ago | (#30016916)

Vixie - you can't have it both ways. If these are your real feeling then I call on you to resign your position on the Advisory Board at Nominum.

Is that you, Obelix the gallstone? Fell into a vat of anonymous coward super juice as a young infant? I thought so.

He's only having it both ways if he privately supports Nominum's stupidity, while publicly declaiming his involvement.

This post is an excellent example of polarization disorder: the belief that the world will run most smoothly if everyone is neatly aligned in violent opposition.

What's the payoff for Obelix the gallstone in shifting the landscape in this direction, supposing anyone falls for his feeble derision? Personally, I've never experienced the orgasmic pleasure of seeing how far I could polarize everyone else around me. I guess the game here is to incite all the villagers to gather in the town square with pitchforks levelled, while you slip into the church to steal the artifacts.

Re:not only Verisign (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30017170)

"pitchforks"..."artifacts"...and a goddam Gaul pun. All apropos of nothing.

Can we just get rid of the sub-5-digit UIDs? It's like letting seniors drive. Dangerous.

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30018940)

LOL - he is also someone who is more than willing to subvert "the truth" for for political, economic or business reasons.

Look at the history of MAPS and AboveNet both willing to blackhole/blacklist IPs for political ad business reasons. I guess he doesn't mind if BGP adverts don't "responde[sic] truthfully" if it serves his purposes.

Also, the money he paid Nominum to write BIND9 is what created Nominum as a going concern, so he is more than just a board member.

So, as we see with 99.999% of so-called leaders in the US, their money and their bullshit go in two different directions.

It boogles the mind how people are unable to see through the thin veneer of the "nonprofit" entity at the front and see through to the numerous money making and sector control functions that Vixies various entities perform.

Re:not only Verisign (2, Interesting)

mibh (920980) | more than 4 years ago | (#30018986)

actually i can have it both ways. i was a co-founder and was the first board chairman of nominum, and i still have many friends there. they know exactly how i feel about typosquatting. their product is smarter and tamer than others i can think of, but i still complain to them about it. i'm happy to be able to advise them on other matters.

Re:not only Verisign (1)

prochefort (471407) | more than 4 years ago | (#30016316)

Here in Toronto, Rogers does this on a routine basis. Tried to get them to stop this sh*t but the person onthe phone was either too thick to understand or simply didn't care enough. Sucks really bad. Rogers used to be this great company but they are sinking to new lows every day.

Re:not only Verisign (1)

Zerth (26112) | more than 4 years ago | (#30016328)

And that's why a cheap, low-power computer or hackable router is awesome. Just run your own nameserver.

My ISP isn't horrible, but they hijack DNS with a "friendly" error message when there is more than a little network congestion, which sticks until the cache is flushed. That was enough to get me to stop using their server.

Re:not only Verisign (3, Informative)

ChipMonk (711367) | more than 4 years ago | (#30016380)

Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.

Re:not only Verisign (1)

mikael_j (106439) | more than 4 years ago | (#30016454)

Well, I suppose a workaround to that would be to set up an encrypted tunnel to some machine outside their network and running your own DNS server there, depending on your work IT policies you could even use your employer's VPN to run "private" DNS requests while still using your own internet connection for actually accessing the net.

That said I sure wish ISPs wouldn't do dumb shit like this, it pretty much breaks DNS.

/Mikael

Re:not only Verisign (1)

Zerth (26112) | more than 4 years ago | (#30016516)

If I'm OCD enough to set up my own DNSd, why do you assume I'd not think about that?

True, most people don't have hardware on another network, but virtual servers are silly cheap if you are only using it for DNS and SSH redirection.

DNSSEC? (0)

Anonymous Coward | more than 4 years ago | (#30016698)

Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.

Would DNSSEC help with this re-routing?

Re:not only Verisign (1)

hairyfeet (841228) | more than 4 years ago | (#30016702)

Correct me if I'm wrong, as I'm no DNS expert here, but wouldn't running a caching DNS server pointed at OpenDNS [opendns.com] work? Like say Treewalk DNS [treewalkdns.com] pointed to OpenDNS?

Correct me if I'm wrong, but I don't see how they could pull that douchebag behavior if you have a caching server that is only using OpenDNS for queries. And Treewalk is very low resource and runs on seriously old hardware (currently using 6Mb on this 1.1GHz Celeron) and is pretty damned simple to set up and use, so unless I'm missing something it looks like an easy way to avoid the DNS Douches.

Re:not only Verisign (1)

sopssa (1498795) | more than 4 years ago | (#30016888)

You dont even need to point it to OpenDNS (which FYI does *exactly* the same kind of advertisement serving on non-existing domains). Just run your own recursive DNS server and you're good to go.

(unless of course your ISP doesn't let you send DNS requests to any other server than theirs, which some people seem to have here)

Re:not only Verisign (2, Interesting)

hairyfeet (841228) | more than 4 years ago | (#30017046)

I actually haven't seen the OpenDNS page but 3 times in 4 years, and in each case I misspelled the address so horribly wrong that the amazing Randi would have went WTF? So I would have to give OpenDNS a thumbs up in that regard. And come to think of it I don't remember seeing the OpenDNS page since running Treewalk, only the basic 404, so maybe having it run as a middle man kills it.

And the "doesn't let you send DNS requests to any other server than theirs" was why I suggested Treewalk to OpenDNS. I haven't tried it on every ISP, but from what I understand OpenDNS pretty much "just works" and Treewalk is so simple even a kid could get it set up. It is pretty much "clicky clicky next next next" and once you have your main websites cached your need to use DNS queries goes WAY down, at least in my experience.

So if you have an old box lying around (I set up one for a customer using Treewalk on a 400Mhz with 128Mb of RAM and it ran like a champ) Treewalk on an old Win2K box pointed at OpenDNS seems to me to be the easiest way to have a nice caching DNS server that "just works". It is free, it is easy, what more could you want out of a caching DNS?

Re:not only Verisign (1)

mysidia (191772) | more than 4 years ago | (#30017430)

OpenDNS does by default, but you can turn it off.

There aren't many good recursive DNS servers that will run on Windows XP.. unless you're a power user and have a 2003 or 2008 server on your LAN that can run MS DNS Service...

Re:not only Verisign (2, Interesting)

pjt33 (739471) | more than 4 years ago | (#30017706)

Using a local installation of dnsmasq for your DNS server does, however, allow you to work around NXDOMAIN hijacking, assuming that your ISP uses a consistent IP address for its hijack.

Re:not only Verisign (1)

BOFslime (178524) | more than 4 years ago | (#30018684)

Running your own server doesn't get around the ISP's DNS, when the ISP is routing all customers' DNS requests to their own servers regardless of destination address. Before you ask, the same technique is already being done with transparent web cache/proxying.

False, my ISP runs NXDOMAIN redirection (roadrunner), as does the company I work for (different from what I use at home). DNS is not intercepted at the protocol/port level (udp 53), only if you utilize the providers DNS servers do you become subject to nxdomain redirection.

I run my own DNS server, and this is not intercepted by my ISP. All recursion done by my server for unknown and un-cached domains its discovered from the root servers down, and the root servers IP are known from the root.hints zone loaded in my bind config. Therefor when I query for fwvogahds.com I will receive a proper nxdomain in response.

The issue at had here though is root level servers not providing proper nxdomain responses, and thus the problem. All executives see is $ sign's in this though, and not the harm that its doing.

Re:not only Verisign (5, Interesting)

NoYob (1630681) | more than 4 years ago | (#30016350)

Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

Every technological marketing gimick that has been invented was the result of some techie wanting to get rich quick (or kiss up to his boss) and I don't blame them. If I found a way to exploit DNS further or any other part of the net and was able to get rich from it, I'd do it in a heartbeat.

And so would most of you, too.

Re:not only Verisign (1)

Anonymous Coward | more than 4 years ago | (#30016398)

I'll have to disagree, some of us do have ethics even if they are outside the norm (might does not make right, copyright is a privilege not a right, etc). I was under the impression that harming other people for your own gain is generally considered to be inherently wrong.

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30016724)

Right! I would NEVER EVER do something like this... unless I saw $100,000 up-front.

Re:not only Verisign (1)

sopssa (1498795) | more than 4 years ago | (#30016354)

Maybe it's time that the Internet standards get a few clauses added that express these concepts explicitly. Like what Paul said about DNS. A clause like "a nameserver MUST responde truthfully, if technically possible. DNS responses MUST NOT be modified in any way for political, economic or business reasons."

Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

I doubt it still would go anywhere in court. It's not like it's illegal to break RFC's and protocol standards on services you provide to your customers, who have opted-in and bought them. You might have a case if they blocked using other DNS servers, but they dont. And if they included a part in contract that says you're only allowed to use their DNS server (like they say for email port 25), you don't have a case with that either.

btw, this thing seems to only be a problem in USA too - they're not doing anything like that here, only interfere from ISP is that they block outgoing email to port 25.

Re:not only Verisign (1)

TheRaven64 (641858) | more than 4 years ago | (#30016378)

It's not like it's illegal to break RFC's and protocol standards on services you provide to your customers

No, but it might be illegal to break RFCs and protocol standards on services that you advertise support for. There are lots of truth in advertising laws around the world that could be used to enforce this.

My ISP does the DNS redirection thing, but it's only marginally evil. They only do it for domain names starting www and the page that they redirect to has a permanent opt-out button (which doesn't store anything in a cookie; dig works correctly for looking up www.madeup.example.com after setting it). I'd rather they made it opt-in, but this is about as non-evil as you can be and still break the RFC.

Re:not only Verisign (1)

rcolbert (1631881) | more than 4 years ago | (#30016482)

Agreed. Isn't failure to return an NXDOMAIN pretty much the same as any other exploit? I would say that the laws that protect against circumventing the security on a computing system should apply to this false-reply injection technique. Why should some random web operator be given access to download code to my computer when I didn't expressly visit their site?

Re:not only Verisign (1)

sopssa (1498795) | more than 4 years ago | (#30016520)

Agreed. Isn't failure to return an NXDOMAIN pretty much the same as any other exploit? I would say that the laws that protect against circumventing the security on a computing system should apply to this false-reply injection technique. Why should some random web operator be given access to download code to my computer when I didn't expressly visit their site?

Uh. Are you completely forgetting that *YOU* are using *THEIR* DNS servers?

Not that DNS response would be anything like executable code either...

Re:not only Verisign (1)

rcolbert (1631881) | more than 4 years ago | (#30016980)

So should the phone company be allowed to redirect my calls? Does the ISP own the DNS data, or does it merely forward requests? Is DNS governed on the Internet or is it anarchy? And no, a DNS response isn't executable code. Would it be OK for my ISP to redirect me to the highest bidder when I typed 'www.bankofamerica.com' into my browser, or should I have a reasonable expectation that a browser is a pull technology, not a push technology?

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30017620)

I would go further than that. Setting up a DNS server to knowingly respond with an incorrect answer is fraud and should be prosecuted as such. They are lying in response to DNS requests for direct financial gain.

Re:not only Verisign (1)

RalphSleigh (899929) | more than 4 years ago | (#30018550)

What's an incorrect answer anyway? To the TCP/IP connection I expect my ISP to provide there is nothing holy about ICANNS DNS root.

Re:not only Verisign (2, Insightful)

rcolbert (1631881) | more than 4 years ago | (#30018880)

I think there's a reasonable expectation that when you attempt to resolve 'foo.com' through the domain name system, that you are returned an address that was in fact registered properly as 'foo.com' using the accepted methods for doing so. I think there's a reasonable expectation when you use the DNS protocol that protocol compliance is expected. Substituting a DNS query response with an IP address that is not registered under the name queried breaks protocol and is fraudulent. The fact that in the use case described the activity is for merely annoying advertising is somewhat beside the point. By participating in DNS your ISP is part of the Internet, and certain standards should be upheld. If your ISP wants to run a private namespace they should either sell it as such or make it obvious that it's not the world wide domain name system we all expect it to be.

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30016426)

Then these fucked up ISPs would at least be in violation of a standard, which might give me what I need for a violation-of-contract suit.

Remember: These changes are often invented by marketing and then pushed through even against the explicit protest of the technology people.

Well, you already have cause for your lawsuit - marketing. These ISPs advertise internet connections, and DNS is part of internet service.

If their DNS isn't working, then you can sue for false advertising.

Re:not only Verisign (1)

sopssa (1498795) | more than 4 years ago | (#30016484)

Since when is DNS by legal terms part of internet service? Yes ISPs usually have DNS servers for their customers, because it's usually excepted and to make it customer friendly. But unless they specifically state that you will have access to such service too, or say it in contract, you dont have a legal case. And it's not like you cant use other DNS servers or set up your own. ISP's have usually also had email accounts, news and other services but 2000+ they've started dropping those and you wouldn't have a legal case in those situations either, unless of course, they were specified in your contract.

Internet service is just the line and the ability to connect to internet via your ISP.

Re:not only Verisign (2, Insightful)

ChipMonk (711367) | more than 4 years ago | (#30016602)

When your ISP gives you DNS server addresses in your paperwork...

When your ISP gives you name(s) for POP3 service (and maybe NNTP also), rather than addresses, and those names are within the ISP's domain...

Then a working DNS, administered by the ISP, is part of the service. Without it, the ISP is unable to offer the services stated to their customers in their paperwork.

Yes, maybe it's contracted out. But that doesn't change the ISP's responsibility to its customers, or its liability when service fails.

Re:not only Verisign (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30016628)

Since when is DNS by legal terms part of internet service?

Are you honestly going to claim that the internet, as the vast majority of people know it, won't work without DNS?

Are you honestly going to claim that people are expecting to type http://123.456.789.123/ [123.456.789.123] when they go to a website? Or send email to johndoe@[123.456.789.123] ? (yes, that's a legal email address according to the RFCs)

No, DNS is part of internet service when a company offers internet service to its customers. I'm pretty sure most ISP contracts don't explictly say, "you may use this service to go to www.yahoo.com", but it is an expected part of the deal.

And it's not like you cant use other DNS servers or set up your own.

Actually, many of the ISPs that don't correctly report NXDOMAIN hijack DNS traffic to prevent you from going elsewhere.

ISP's have usually also had email accounts, news and other services but 2000+ they've started dropping those and you wouldn't have a legal case in those situations either, unless of course, they were specified in your contract.

There are expected norms that go along with internet service. And I never claimed you should sue for breach of contract. I said you should sue for FALSE ADVERTISING.

They are advertising internet service, but not delivering.

Re:not only Verisign (1)

sopssa (1498795) | more than 4 years ago | (#30016750)

Yes I know you pretty much need DNS to use internet, hence why all ISPs offer it to their customers. But what would exactly be that false advertising? They are providing you with DNS servers so you can resolve names. Just because their own-run server breaks RFC (with the NXDOMAIN thing), doesn't exactly break any law. It might be bad habit and it might make technical people angry (normal people just dont care), but that's it. Of course, you are always free NOT to use their services or make them know how you feel about such.

Re:not only Verisign (1)

Hognoxious (631665) | more than 4 years ago | (#30017238)

But what would exactly be that false advertising? They are providing you with DNS servers so you can resolve names.

No they are not, because it isn't proper DNS, it's their tainted version of it.

Of course this restaurant doesn't sell dead cat, it clearly says chicken right here on the menu.

Re:not only Verisign (1)

MightyMartian (840721) | more than 4 years ago | (#30017282)

I dunno. Would your car dealer be doing anything wrong if he only supplied three tires for your new car? I mean, sure, it's pretty much necessary to have four tires to do any kind of real driving, but hey, would they be in the wrong if they opted only to give you three?

Re:not only Verisign (1)

spidr_mnky (1236668) | more than 4 years ago | (#30018532)

Given that the problem would be immediately apparent, I wouldn't have to explain it (let alone repeat the explanation) to any observers, and even if left without legal recourse I could fix the problem myself for a relatively low one time cost, I think I might rather get shorted the tire than have my internet service subtly broken -- which it is.

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30017322)

Yes I know you pretty much need DNS to use internet, hence why all ISPs offer it to their customers. But what would exactly be that false advertising?

They are advertising internet service and not delivering internet service. Functioning DNS is part of internet service.

They are providing you with DNS servers so you can resolve names. Just because their own-run server breaks RFC (with the NXDOMAIN thing), doesn't exactly break any law.

False advertising IS against the law.

Re:not only Verisign (1)

dotgain (630123) | more than 4 years ago | (#30017452)

You're being utterly unreasonable. ISPs "usually" have DNS servers in the same way libraries "usually" have a dictionary.

Re:not only Verisign (0)

Anonymous Coward | more than 4 years ago | (#30016794)

Marketing people know what you wan't, you don't. Simple as that.

what it is becoming (3, Interesting)

phantomfive (622387) | more than 4 years ago | (#30016412)

Looks like this article is more about, "what DNS is becoming but I don't like." He may not like it, but that's what's happening with DNS.

Not that I particularly like it either, but then I wasn't too happy when the word 'hacker' changed to mean 'someone who breaks into your computer.' Nor was I particularly happy about masquerading becoming a popular routing technique, instead of switching to IPv6. And yet, that's what happened. Sometimes technologies are twisted in ways you don't intend or like.

Re:what it is becoming (2, Insightful)

greensoap (566467) | more than 4 years ago | (#30016538)

I would argue tht IP Masquerading became popular because all of the home consumers that had a single ip address access point to their ISP and multiple devices in the home that needed a connection. High speed home access got affordable and prevalent (outside of major cities) right around '99. At the same time, home access network gateways started having an internet port and four internal network ports with NAT built in to provide the private-public IP translation. IPv4 vs. IPv6 was not as much as an issue as ISP's not wanting to encourage home users to use multiple machines (increasing bandwidth). You might argue that ISP's didn't offer multiple public IPs because of scarcity, but that wasn't true in '99-'00. It was purely to discourage bandwidth usage and justify charging more for more robusts services that provided multiple IPs.

Re:what it is becoming (2, Insightful)

phantomfive (622387) | more than 4 years ago | (#30016650)

In fact, that was a great use for masquerading, to get around silly limits by ISPs. The objection is that masquerading eventually became a crutch to avoid switching to IPv6, which wasn't a great use for masquerading.

Re:what it is becoming (1)

Jay L (74152) | more than 4 years ago | (#30018224)

Looks like this article is more about, "what DNS is becoming but I don't like."

What DNS is not is a mapping service or a mechanism for delivering policy-based information. DNS was designed to express facts, not policies.

Erm.. didn't Paul create MAPS to explicitly provide - and later monetize - the RBL? Wasn't the RBL a "directory service"? Didn't it map IPs to policy-based information?

I agree with the point he's trying to make; I hate NXDOMAIN hijacks too. I don't get the rant about CDNs, though; seems to me that as long as they're controlled by the domain owner, not a man-in-the-middle, there's no particular distinction between a CDN and plain old round-robin load-balancing.

Yep. It's just a rant on "ways to use DNS that Paul Vixie doesn't like".

Re:what it is becoming (1)

mibh (920980) | more than 4 years ago | (#30019076)

Erm.. didn't Paul create MAPS to explicitly provide - and later monetize - the RBL? Wasn't the RBL a "directory service"? Didn't it map IPs to policy-based information?

MAPS was created to stop spam. Monetizing it was a late necessity due to the need to pay lawyers, but I'm still down about USD 1.0M.

We mapped IP's to policy based information, using DNS to deliver that data. All DNS responses issued by our DNS servers were absolutely factual in the policy they expressed.

Re:what it is becoming (1)

Balial (39889) | more than 4 years ago | (#30018296)

Came here to say this. Mod parent up.

DNS provides a mechanism to request a mapping from Name -> Numerical IP. Not a lot more, nothing less.

Saying the crap they're pulling with it is "not DNS" is just a lie.

Re:what it is becoming (0)

Anonymous Coward | more than 4 years ago | (#30019010)

A couple years ago Nominum et al were blabbing endlessly about telephone numbers and RFID databases and all kinds of crap that they were trying to sell under the "we know DNS and this is just like DNS" wrapper, and Vixie wasn't crying about that.

This is a good opportunity to say... (1)

Interoperable (1651953) | more than 4 years ago | (#30016440)

Fuck you Bell! Give me my NXDOMAIN back.

Re:This is a good opportunity to say... (1)

John Hasler (414242) | more than 4 years ago | (#30018766)

They forcing you to use their servers?

Re:This is a good opportunity to say... (1)

Interoperable (1651953) | more than 4 years ago | (#30018850)

Obviously not, I could use openDNS, but I still disagree with the practice. I also just like any opportunity to say "Fuck you Bell" for any number of reasons (net neutrality, anti-competitive practices, low transfer caps, terrible prices, patchy connectivity and a terrible modem).

Breaking the standards to implement policy (3, Interesting)

kimvette (919543) | more than 4 years ago | (#30016460)

Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

SPF (0)

Anonymous Coward | more than 4 years ago | (#30016762)

Breaking the standards to implement policy is a good thing sometimes. Take SPF records for example: if they were to become widespread, then spam could very easily be reduced by probably 99%.

But SPF is not implementing policy; SPF is a form of "facts".

An SPF record is nothing more than an RR record (either TXT or type 99/SPF) in a particular format. The DNS client (mail server) goes out and asks 'please give me the TXT record for this domain'. DNS returns a fact: the record itself or 'does not exist'. What you do with that record is a matter of policy.

What various ISPs did/do is take the query and return whatever the hell they feel like, i.e., not return 'does not exist' but rather something else. This is not returning facts, but returning lies (the definition of a lie being 'a statement that you know is not true, but pretend that is').

Re:Breaking the standards to implement policy (3, Informative)

DaveGillam (880499) | more than 4 years ago | (#30016948)

SPF, SenderID, and DKIM are not spam-fighting techniques. They are forgery-fighting techniques. Some spammers use SPF and SenderID records to give their spam a higher sense of legitimacy. A spammer cannot forge "paypal.com" because Paypal publishes SPF records. A spammer CAN pretend to be Paypal by using a look-alike domain with its own set of SPF records (ie: paypall.com, paypal.org). SPF and SenderID simply publish what IPs are authorized to send email claiming to be from a particular domain. DKIM does essentially the same thing, but is arguably better since it uses a cryptographic mechanism to assure the message in question was not appreciably altered in transit.

Re:Breaking the standards to implement policy (1, Informative)

Anonymous Coward | more than 4 years ago | (#30017256)

Nonsense, SPF does absolutely nothing to stop spam. In fact, because spammers have jumped on the SPF bandwagon pronto, the presence of an SPF record is a reasonable indicator that the message in question might be spam.

CDNs are good thing (3, Insightful)

jcam2 (248062) | more than 4 years ago | (#30016492)

While I totally agree that overriding NXDOMAIN responses is evil, returning different DNS responses based on the clients location or for load balancing purposes is an extremely useful technique for last companies serving a large amount of web traffic. For example, check out what www.google.com resolves to from different countries or even at different times - depending on where you look it up from and what network links are up, you will get a different set of IPs.

Sure, determining a browser's location from the DNS client source IP is not totally reliable .. but it is accurate enough to significantly improve user-visible responsiveness by avoiding un-necessary cross-planet network traffic. And even if google gets it wrong, they are no worse off than if they never implemented this in the first place.

Re:CDNs are good thing (2, Insightful)

Ash-Fox (726320) | more than 4 years ago | (#30016524)

I suspect anycast would be a better method, honestly.

Re:CDNs are good thing (0)

Anonymous Coward | more than 4 years ago | (#30016816)

How much does anycast cost? Round Robin DNS load balancing is dirt cheap (No-ip will do it for $15/yr).
There's a patch for bind that will do geographic redirection as well.

  How much does an anycast solution cost? How much for an anycast solution with automatic failover? My guess is it's pretty expensive, and you'll likely need to be on the same ISP the same ISP in your multiple datacenters. That could be really tough, or even impossible if you have multiple datacenters in multiple countries.

Re:CDNs are good thing (1)

Ash-Fox (726320) | more than 4 years ago | (#30016938)

How much does anycast cost?

Usually free by most IXPs, provided you have a link to them, but also datacenter providers can usually forward on requests to do this too.

How much for an anycast solution with automatic failover?

No idea, I've never had others handle my hardware in these situations.

My guess is it's pretty expensive

For the anycast, it isn't.

and you'll likely need to be on the same ISP the same ISP in your multiple datacenters.

Nope.

That could be really tough, or even impossible if you have multiple datacenters in multiple countries.

Uh... The whole point of anycast is that you have multiple datecenters in various locations around the world.

Re:CDNs are good thing (1)

Ash-Fox (726320) | more than 4 years ago | (#30016962)

Uh... The whole point of anycast is that you have multiple datecenters in various locations around the world.

*shakes fist* Damn you spell checker! Made me look like a 'tard.

Re:CDNs are good thing (1)

KonoWatakushi (910213) | more than 4 years ago | (#30017014)

I don't know, how much does an anycast address cost? So much that Google or Akamai can't afford it? (Also, RR load balancing is a separate thing entirely.)

Regarding the CDNs, you didn't read the article did you; it is fundamentally flawed. The CDN does not choose a server based upon proximity to the endpoint, but rather to the recursive resolver through which the DNS request passed.

Anycast does exactly what you want.

Re:CDNs are good thing (1)

tajribah (523654) | more than 4 years ago | (#30017400)

Could anycast work at all with TCP connections?

Re:CDNs are good thing (1)

Ash-Fox (726320) | more than 4 years ago | (#30017920)

Could anycast work at all with TCP connections?

Yes!
For one, Google is using it right now to serve HTTP content to a lot of providers out there.

Also, even smaller non-commercial entities like the IRC network Dalnet [wikipedia.org] are using anycast in a TCP based setup.

Re:CDNs are good thing (2, Informative)

rekoil (168689) | more than 4 years ago | (#30017418)

I suspect anycast would be a better method, honestly.

And you'd be completely, utterly wrong. I've seen anycast resulting some mind-numblingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".

This might be OK for simple DNS queries, but for actual web sites it is a True Path To Pain.

Re:CDNs are good thing (1, Flamebait)

Ash-Fox (726320) | more than 4 years ago | (#30017858)

Note: Most large CDNs are setup to use anycast, from Akamai to Google - although Akamai makes use of also DNS geolocation in certain instances.

And you'd be completely, utterly wrong.

...

I've seen anycast resulting some mind-numblingly stupid site selection choices, usually due to a local ISP's BGP policy - and when I say "stupid" I mean "all users of ISP X in New York City getting sent to a mirror in Sydney, Australia instead of the site downtown".

So, a configuration error from one ISP makes it completely, utterly wrong for every single person everywhere and these sort of errors are less likely to occur with DNS geolocation which work based on the resolver's geo ip location (note that international ISPs like Roadrunner, Virgin, AOL have the same DNS entries with transparent caching setups at various points) rather than what is most of the time, correctly configured network peering?

You're funny, can I subscribe to your newsletter?

Re:CDNs are good thing (2, Informative)

QuantumRiff (120817) | more than 4 years ago | (#30016802)

He argues that the problem is, the client doesn't usually hit the DNS server, the clients DNS server only does after it expires its own local cache.

Just because your ISP's DNS servers are sitting in LA, doesn't mean you are. You could be on Seattle, and using those DNS servers, or out in the world, on the work VPN, using their DNS server in downtown Chicago. Thats how many people get around regional restrictions now, in fact.

People have shoehorned DNS into something that it is neither Efficient, or designed to do.

Re:CDNs are good thing (1)

sopssa (1498795) | more than 4 years ago | (#30017180)

That might be the case in USA, but in other parts of world you're 99% of the time using DNS servers in your own country, which is pretty much the closest area CDN can have their things anyway. Yes you could use a vpn, have changed your dns servers and so on, but you're the minority case there, and even then it works normally, probably just not as efficiently as it could.

It is a completely different situation when you look it at the whole world view.

Re:CDNs are good thing (2, Informative)

John Hasler (414242) | more than 4 years ago | (#30018754)

> For example, check out what www.google.com resolves to from different
> countries or even at different times - depending on where you look it up from
> and what network links are up, you will get a different set of IPs.

According to Google I spent the last two weeks of October jumping around between Japan, France, Spain, and Britain.

I never left Wisconsin. And no, I was not using Tor or a VPN or any such thing.

Paging Kaminsky (1)

Gothmolly (148874) | more than 4 years ago | (#30016494)

I'll listen to Vixie once he justifies the Kaminsky bug.

Re:Paging Kaminsky (1)

rekoil (168689) | more than 4 years ago | (#30017456)

Vixie didn't justify it - he acknowledged that it was a design flaw with no practical airtight fix besides DNSSEC - but he was one of the main players that coordinated the patches to get source port randomization, the best possible fix easily deployable, out there before the bug became public knowledge.

BTW have you ever met the man? I have.

The two examples don't seem anything alike ... (4, Interesting)

Wrath0fb0b (302444) | more than 4 years ago | (#30016598)

Ok, we all agree that funneling NXDOMAIN responses to your advertising portal is wrong. It's evil, manipulative, blah blah, not going to defend it.

What really bothers me is his rationale for the first example -- using DNS responses to properly route content to the right node in your CDN. Sure, it increases the "floor" request time by eliminating cached response closer to the user, but it also greatly decreases the average request time by serving the content from the nearest node. It seems to me like it's a huge net win for the total amount of network traffic -- you lose by having a whole lot of extra (tiny) DNS requests and cache-misses but you win huge by having Microsoft's latest service pack (many MB) traverse the smallest possible number of hops.

His second complaint, that this is somehow lawsuit-fodder, is ridiculous on its face. Akamai works incredibly well for content providers that don't want to invest in lots of redundant distribution resources. They have every incentive to outsource it to a company that will provide the users with a much faster experience and virtually nothing to lose. Most users will give up on a website if it can't serve their requests in a reasonable amount of time and I don't see a revolution in user patience about to happen.

Finally, his "solution" -- that CDNs rely on dumb ("psuedorandom" is his fancy was of saying dumb) assignment of users to distribution nodes -- is a huge step backwards. It would mean more stress on the long-haul fiber for absolutely no good reason as requests were served geographically distance from their origin. By the way, it's interesting that he labels his dumb response "truthful", as if Akamai lied when they assign me to a different node than my Australian buddy because we live half a globe apart? That's ridiculous. We each asked for a server that can give us www.amd.com, we got a damn truthful answer. In fact, we each got the best possible answer we could. That's not lying, it's giving each of us a finer-grained optimal answer than we would have received under his lame suggestion.

Please don't confuse his (for the forgoing reasons, silly) rant against CDNs with his rightful indignation at NXDOMAIN redirects. They are totally different animals.

Re:The two examples don't seem anything alike ... (4, Insightful)

BitZtream (692029) | more than 4 years ago | (#30016894)

Uhm, everyone can connect to the exact same webserver cluster and THEN be redirected with no involvement what so ever from dynamic DNS.

Akamai could use DNS with traditional cache times and still redirect to the right node via http redirects. DNS caching would still work flawlessly and the actual request could be handled over the protocol that actually has knowledge of redirection and ways to say 'this is a permeant redirection' or 'this is only temporary, next time ask me again'

I'm not against using DNS this way, but there are certainly alternatives that would accomplish the same thing just as well.

Re:The two examples don't seem anything alike ... (0)

Anonymous Coward | more than 4 years ago | (#30017834)

The overhead of doing what you describe in a grand scale is often greater than the actual content being delivered from a less-than-precise location for a small portion of users. This is why this technique is not used as often. You are catering to a small portion of broken users/ISPs who don't keep their DNS caches close to the users, or have an overly complex DNS setup.

Re:The two examples don't seem anything alike ... (1)

rmm4pi8 (680224) | more than 4 years ago | (#30017962)

As the senior systems engineer for a website with points of sale all over the world but datacenters only in the U.S., and a heavy Akamai user, I can tell you that the amount of time for a 301 (requires tcp handshake and http headers) vs the time for DNS is nearly an order of magnitude, so it's a no-brainer to use DNS for this sort of thing.

Re:The two examples don't seem anything alike ... (0)

Anonymous Coward | more than 4 years ago | (#30017050)

Unfortunately, you are treating these as totally different animals when they are not. He is opposed to using DNS to redirect traffic which is a reasonable statement. NXDOMAIN and CDN's are both related to redirecting responses. He did not say he is against hosting content close to the request. There are other ways to solve that need.

Re:The two examples don't seem anything alike ... (0)

Anonymous Coward | more than 4 years ago | (#30017142)

The point is that CDN via DNS doesn't work well because the IP that is used for the query is NOT the end user client, but instead another client that acts as a DNS server for the end user. I have had this argument before. The techniques are at best spotty for CDN.

News to me (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30016744)

Browser implementers including Microsoft and Mozilla have begun doing DNS queries while collecting URIs from their graphical front end in order to do fancy "auto-completion." This means that during the typing time of a URI such as http://www.cnn.com/, the browser will have asked questions such as W, WW, WWW, WWW.C, WWW.CN, WWW.CNN, and so on. It's not quite that bad, since the browsers have a precompiled idea of what the top-level domains are. They won't actually ask for WWW.C, for example, but they are now asking for WWW.CN, which is in China, and WWW.CNN.CO, which is in Colombia.

Which browsers actually do this? Is Mozilla actually participating in that nonsense?

Re:News to me (1)

stephanruby (542433) | more than 4 years ago | (#30018722)

Which browsers actually do this? Is Mozilla actually participating in that nonsense?

I hope so, otherwise I'm switching back to IE prompto.

facts (2, Interesting)

epine (68316) | more than 4 years ago | (#30017246)

Interesting echo from FAQ [monotone.ca] which I read the other night. The original contains a lot of italic I'm not going to replicate.

An important fact about monotone's networking is that it deals in facts rather than operations. Networking simply informs the other party of some facts, and receives some facts from the other party. The netsync protocol determines which facts to send, based on an interactive analysis of "what is missing" on each end. No obligations, transactions, or commitments are made during networking. For all non-networking functions, monotone decides what to do by interpreting the facts it has on hand, rather than having specific conversations with other programs.

The closer one lives to the foundation, the stronger the argument for a fact-based architecture. DNS is about as foundational as one can get in internet security. Interesting, the architecture of monotone is highly cryptographic, and somewhat reminiscent of DNSSEC from the 40,000 foot view.

The people who don't see the problem with mixing fact and policy are likely the same people who don't regard it as a big problem that your credit card numbers is widely distributed in plain text: to every vendor you do business with, many of their employees, the trash collectors out back, and their governing union.

Why is it that some guy on the GPS thread complained that the police are free to criminalize driving under the age of 18 (to collect more revenue) and effectively act as their own judge, jury, and executioner (in the corrupt towns where this practice becomes established), but there is generally less complaint about VISA architecting themselves the same powers?

If the police collected a 2% slice of gasoline revenues and awarded bonus points for trips to Hawaii in any year where you keep your license clear and generally found other clever ways to rebate unpenalized drivers the 2% (with enough hidden strings attached it doesn't ultimately cost them much), would they be as loved as the VISA company? Just asking.

Dan Ariely asks, Are we in control of our own decisions? [ted.com]

Turns out it depends on how you frame the question. If the question is: do you want the DNS system to become so badly abused it might as well have been designed by a bank, you might get one answer. If the question is: do you want DNS optimized so your porn streams with ten seconds less delay between clips, you probably get the other answer.

I vote for facts. That said, I will say one thing in defense of Akamai: one can construe CDN as a fact based system, if the factoids you are dealing in that "this IP address can deliver the content you want". Ideally, you already have a secure hash signature of the file you're seeking so it can't play too many games with the notion of "the file you want".

I don't see why DNS needs the facts to be so low level as "this is the same IP address everyone else gets for the same query". There could be a good reason, but Vixie's excellent article fell short of providing it.

Ideally, the CDN problem would have been solved with another layer of delegation: the content you are seeking can be obtained from a vast array of different places, here's an authoritative address for a highly overloaded server; if you're in a hurry go talk to xxx.xxx.xxx.xxx to find a location near you. Then the caching proxy can send a request with the header "I represent a client in the Pacific Northwest" rather than sending back to the client the name of the video store where client's attorney rents his own porn.

Did TFA do ANY fact-checking? (0, Flamebait)

SanityInAnarchy (655584) | more than 4 years ago | (#30018214)

Just in the first paragraph:

DNS (Domain Name System) is a hierarchical, distributed, autonomous, reliable database.

How is it autonomous? Or at least, how is it more autonomous than any other database, certainly any database which meets the other three criteria?

The first and only of its kind,

Sorry, no. Maybe the first, but it's certainly not the only. There are many other databases which offer distributed, reliable storage, and at least one I can think of which is hierarchical.

it offers realtime performance levels

Realtime? Are you sure?

I mean, aside from slow DNS servers, there's the fact that while reads may be realtime, updates are anything but. Just try changing IPs and watch how long it takes the change to propagate. Real databases measure this kind of thing in seconds or minutes -- DNS measures it in days.

Every TCP/IP traffic flow including every World Wide Web page view begins with at least one DNS transaction.

Bullshit. Want proof? Buy a Linksys router and hit http://192.168.1.1/ to configure it. Well, look at that! No DNS needed!

There are indeed people who run webpages off of IPs.

Alright, I didn't have to rip it apart that much, and maybe I'm nitpicking. But come on, the number of things which are simply wrong is staggering -- the BS-to-word-count ratio is quite high.

Do I want to read the rest of the article?

Maybe. It seems much cleaner and more accurate than that first paragraph, but it wouldn't have been that hard, especially for a guy with those credentials, to get it right.

Protocols evolve (0)

Anonymous Coward | more than 4 years ago | (#30018338)

Protocols evolve and to new stuff that the original designers didn't think of. That is just the way it is. DNS does not have to be inline to be able to enforce a policy. This makes it inexpensive for service providers to implement "value added services" in DNS. The alternative is to do it with DPI boxes from Allot, Procera or Cisco and sit inline. I rather have some NXDOMAIN responses that I can opt out from, than somebody that sniffs on all my traffic.

Mr Vixie should know that service providers don't listen to what the hell IETF, ARIN and other non profit organizations have to say. And I agree with other comments here as well, him sitting on the Advisory Board for Nominum is disturbing. I have never heard anybody saying anything good about Nominum since they helped with the development of Bind 9 about 10 years ago. /Mr.75

DNS is also not an inventory system (1)

Neil Watson (60859) | more than 4 years ago | (#30018614)

I see too many organizations using DNS as an inventory system (e.g prtsertor01) resulting in host names more difficult to remember than IP addresses.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...