On Wed, Nov 25, 2009 at 2:58 PM, Jorge Amodio <jmamodio@gmail.com> wrote: [snip]
> What needs to be done to have ISPs and other service providers stop tampering with DNS ?
Well, NXDOMAIN substitution on ISP-provided DNS servers is not "tampering with DNS", any more than spam/virus filtering, attachment limits, disk quotas, or message expiration on ISP mail servers is "tampering with E-mail". It's ISPs providing their customers with a modified service. Their DNS resolvers, their terms. They _could_ accomplish something similar by requiring all their customers to utilize a custom web browser, but that would be less convenient.

"Tampering with DNS" would be hijacking port 53 UDP packets a customer sent directly to an outside authoritative DNS server, and substituting their own answer. That would be very harmful, especially if the ISP customer is attempting to troubleshoot a DNS issue...

Just because someone registered EXAMPLE.COM with one particular internet registry doesn't mean they own the lookup result for every DNS server in the world. All they have paid for is the creation and maintenance of entries in one particular shared database, and they only have control for the (large) subset of DNS servers that utilize that particular database. People can start new DNS roots, old DNS roots can be superseded, there can even be multiple conflicting private roots.

In the long run, the only method to discourage it might be a form of blacklisting. If major DNS hosting providers discriminate in the authoritative replies they give, based on asker:

* If the IP asking for a DNS record is in the IP range of an ISP that you know substitutes NXDOMAINs with their own reply, then you discriminate against that DNS query source, and don't give them NXDOMAINs.

* Why hand them a NXDOMAIN response that they will just substitute? If major DNS providers barred the ISP's overall range from getting any NXDOMAIN replies from the authoritative nameservers, then the ISP would derive no benefit from substituting them, since their acts caused them to be deemed unfit to receive NXDOMAIN responses at all.

In addition, their new lack of ability to get NXDOMAIN responses could be an inconvenience to them, esp. in the operation of mail servers, since latency of certain mail server DNS requests will increase, due to the delay to time out the query (that would be NXDOMAIN if they were allowed to receive NXDOMAIN).

* That is: always reply SERVFAIL or send no reply to such blacklisted IP ranges, when the database entry doesn't exist, instead of NXDOMAIN.

However, it doesn't really penalize the NXDOMAIN substitution practice too much unless the root and TLD servers also implement the blacklisting; it only deprives them of benefit.

--

As for ccTLDs performing wildcarding, one could consider patches to recursive resolvers to detect the IPs that are wildcarding, and substitute responses detected as the wildcard host IP addresses with NXDOMAIN. For example, randomly generate 2 test lookups for domains that are unlikely to exist, e.g. afut429.ahfeai4728.xyz.xx . If both randomized lookups return A record responses for the same IP addresses, then you have detected the wildcard method used by that ccTLD. Substitute NXDOMAIN in for any responses for the ccTLD that respond with the same list of A records. In other words: retaliating against NXDOMAIN substitution, by substituting responses with those IPs back to NXDOMAIN.

--
-J
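The resolver-side wildcard detection sketched at the end of the post, as an added example that is not part of the original message: two random probe names under a zone are resolved, and if both come back with the same non-empty A-record set, any later answer for that zone matching that set is rewritten to NXDOMAIN. The resolver callback, the `xx` zone and the addresses are constructed stand-ins so the example runs offline.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, Optional

# A resolver returns the A-record set for a name, or None to signal NXDOMAIN.
Resolver = Callable[[str], Optional[FrozenSet[str]]]


def random_label(length: int = 10) -> str:
    """Random lowercase label, so a probe name is very unlikely to really exist."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(resolve: Resolver, zone: str, probes: int = 2) -> Optional[FrozenSet[str]]:
    """Return the synthesized A-record set of a wildcarding zone, or None if no
    wildcard is detected (a probe got NXDOMAIN, or the probes disagreed)."""
    seen: Optional[FrozenSet[str]] = None
    for _ in range(probes):
        name = f"{random_label()}.{random_label()}.{zone}"
        answer = resolve(name)
        if not answer:
            return None          # a genuine NXDOMAIN: the zone does not wildcard
        if seen is None:
            seen = answer
        elif answer != seen:
            return None          # inconsistent answers: not a single wildcard target
    return seen


def with_wildcard_filter(resolve: Resolver, zone: str, wildcard: FrozenSet[str]) -> Resolver:
    """Wrap a resolver so answers under `zone` equal to the wildcard set become NXDOMAIN.
    Caveat: a real host that happens to sit on the wildcard address is suppressed too."""
    suffix = "." + zone

    def lookup(name: str) -> Optional[FrozenSet[str]]:
        answer = resolve(name)
        if answer is not None and name.endswith(suffix) and answer == wildcard:
            return None
        return answer
    return lookup


# Constructed stand-in resolver: "xx" wildcards every unknown name to 192.0.2.10,
# "example" answers honestly with NXDOMAIN for unknown names.
WILDCARD_XX = frozenset({"192.0.2.10"})
KNOWN: Dict[str, FrozenSet[str]] = {
    "www.real.xx": frozenset({"198.51.100.5"}),
    "www.example": frozenset({"203.0.113.7"}),
}


def fake_resolve(name: str) -> Optional[FrozenSet[str]]:
    if name in KNOWN:
        return KNOWN[name]
    return WILDCARD_XX if name.endswith(".xx") else None
```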