Whose Internet is it? [LWN.net]

Verisign is, of course, the company that once had a monopoly in the registration of .com and .net domain names. That monopoly has been broken, but Verisign is still the maintainer of the underlying database. This job is a nice cash cow for Verisign; all it needs to do is keep the database running, and it can extract an annual rent from every .com and .net domain out there. Many people would be happy with such a business.

Verisign, it would seem, wants more than that. So, at the beginning of this week, the company slipped a little "wild card" entry into the databases for .com and .net. The wild card entry provides an answer for any domain query that does not otherwise appear in the database; it is a default answer which now appears instead of the "no such domain" response that came before.

What does this wild card do? If you look up something that doesn't exist, say "scolinuxlicense.com", you'll get back an IP address (currently 64.94.110.11). If you send mail to that address, you get the world's stupidest SMTP server (if you're bored, try a command like "telnet bogusverisignhost.net smtp" and type five lines of random junk at it). Web queries, however, go to the company's "sitefinder" service. There, the user is confronted with a search engine and paid links aimed to help said user find what they were really after. Note that, according to the terms of use:

The information provided through the VeriSign Services is not necessarily complete and may be supplied by VeriSign's commericial [sic] licensors, advertisers or others.

In other words, it's really just another low-class domain hijacking scam.

In this case, however, there is more to it. Verisign has, by making this change, fundamentally altered the way the Internet operates. A whole class of diagnostic information - the fact that a given domain lookup has failed - is no longer part of the DNS protocol when .com and .net are involved. This change was not discussed with any of the affected users or other responsible parties, it was simply done. Verisign may have lost its monopoly on front-line domain name registration, but it still seems to think it owns the underlying domains.

The change has had real consequences. For example, spam filtering which relies on domain name existence tests no longer works. Bouncing spam with fake return addresses now has to go through a discussion with Sitefinder's SMTP server. The change is a generally bad idea; to have simply made such a change without so much as a "by your leave" is an act of great arrogance.

The internet, however, is built on free software. There is already a patch available from ISC for BIND 9 which defeats the new wildcard entries. Linux users can find a program on this page which uses netfilter to fix Sitefinder replies; that page also has pointers to patches for a number of DNS servers and mail transfer agents. Verisign may or may not decide to back down on this "service," but, since we own the infrastructure of our net, we can fix the problem regardless - this time, at least. Verisign's next move may not be so easy to counter.

(Log in to post comments)

Whose Internet is it?

Posted Sep 18, 2003 2:13 UTC (Thu) by zone (guest, #3633) [Link]

Another important concern is the privacy of people who mistype .com and .net domain names (aka everyone). Taking a look at the Alexa Traffic Details for verisign.com, we see that Verisign has risen from a traffic ranking of ~4000 to the top 100 in just two days time. That puts it above Tripod, About.com, and yes, even above Doubleclick.

The software to analyze who meant to go where, and where they were coming from (Referer: header), is simple enough, and you can bet Verisign is already thinking about or has created the software that generates detailed reports on just that. Advertisers and marketing agencies of all breeds would love to pay for that kind of information, and it's reasonable to assume Verisign will continue to refine its software to tie typos to individuals over time.

Another patch

Posted Sep 18, 2003 5:57 UTC (Thu) by xanni (subscriber, #361) [Link]

You may want to use this updated patch instead:

http://tinydns.org/djbdns-1.05-ignoreip2.patch

Hope that helps,
Andrew Pam

Another patch

Posted Sep 18, 2003 10:26 UTC (Thu) by hummassa (subscriber, #307) [Link]

In the same spirit, people who use dnsmasq at home may want to get the latest
version (1.15), that allows you to block one address, or to apply my patch over
1.15, that allows you to block a list of addresses:

http://massa.cable.nu:8008/sansdebian2.diff

Whose Internet is it?

Posted Sep 18, 2003 8:10 UTC (Thu) by arcticwolf (guest, #8341) [Link]

Verisign's next move may not be, but then, maybe we shouldn't wait for Verisign to make the next move in the first place, but rather make it ourselves. Things like this just show that such fundamental things as dns rootservers, domain registration etc. should not be placed in the hands of companies (that are ultimately interested in only one thing, namely, making as much money as possible) but rather handled by a non-profit organization (or a network of several), pro bono publico.

Whose Internet is it?

Posted Sep 18, 2003 16:53 UTC (Thu) by iabervon (subscriber, #722) [Link]

The current situation is that, for a legitimate domain, you ask the .net server about the domain, and it tells you to ask some other server (the domain's name server). But for a mistyped domain, the .net server just answers. The current BIND fix allows you to say that the top-level nameservers may only delegate, not respond; any direct response is considered a failure.

This means that Verisign could presumably arrange for the top-level nameservers to delegate to Verisign's regular nameservers instead, and have those report the sitefinder address.

For that matter, I suspect that it would be legal DNS for the top-level nameservers to respond directly for names they actually know (e.g., names of nameservers they delegate to, or names they've cached for the allowed time).

email harvesting

Posted Sep 18, 2003 17:25 UTC (Thu) by pflugstad (subscriber, #224) [Link]

The thing about the idiot SMTP server that they're running on the site finder, is that it does take the first couple of lines, then after the 3rd one or so, it spits back and error and hangs up.

Since the first couple of lines typically includes the From: line, this means that Verisign could easily be capturing these From: lines (presumedly real, valid email addresses) and may the From: and To: (which in this case is probably a mistyped email address) relationship as well.

So, what are they going to do with this information? Hmmm, can anyone else say SPAM?? Think how much SPAMMERs would pay for a list of *verified* address (the From: line).

email harvesting

Posted Sep 22, 2003 20:31 UTC (Mon) by TheManInBlack (guest, #8154) [Link]

I'm testing this.... and I encourage others to do so as well.

I created a bogus email account on my mail server. Then sent some emails to a mistyped domain that resolved to the verisign 64.95.110.11

I'm also trying telneting in and putting my BS address in a standard MAIL FROM command.

This new address has never been used and doesn't exist on any web page. I administer this mail server; It's very small, not like an ISPs server so dictionary attacks are unlikely.

We'll see if my honeypot gets any hits.

- MIB

No really , whose Internet is it?

Posted Sep 18, 2003 23:53 UTC (Thu) by giraffedata (subscriber, #1954) [Link]

There's a huge story begging to be reported here. How did Verisign come to have the authority to do this, or did it? When responsibility for DNS serving for .com and .net was handed over by U.S. government authorities years ago, wasn't it done by contracts that keep the control of the actual substance of name serving with some Internet committee?

There's a separate domain registry, right? Isn't there some rule that Verisign has to serve up the information that's in the registry?

Whose Internet is it?

Posted Sep 18, 2003 23:57 UTC (Thu) by Xman (guest, #10620) [Link]

I hate to come out in support of Verisign in any way on this, but there are some issues with their current situation. Currently, when hosting a root server, your revenue is proportional to the amount of domains you host. While your costs are effected by this, they are also effected by the amount of queries you get. As it turns out, in the current "climate", the query count is going up much faster than the domain count. They actually petitioned ICANN to try to come up with a scheme by which they were compensated for increased query traffic, but ICANN wouldn't here of it. This current scheme they are running does mean their revenue will grow porportionally with the number of queries they get.

I suspect in the end, this move is probably going to just end up being a bargaining chip with ICANN. In 6 months not only will many of the top ISP's start blocking the service, but I suspect Versign and ICANN will start making some compromises which move them towards being able to get along.