[Chapter-delegates] net neutrality vs DNS redirection

Marcin Cieslak saper at saper.info
Tue Jul 22 12:28:16 PDT 2008


Narelle Clark wrote:
>> From: Franck Martin [mailto:franck at sopac.org] Sent: Tuesday, 22
>> July 2008 12:30 PM
>> 
>> For anti-spam measure, in postfix, sendmail, spamassassin, it is a
>> common test to check if sender domain exists and has an MX record.
> 
> These are server based systems, and would not have been affected by
> the DNS redirection we were discussing. In that example, I think we
> can assume that the local ISP would not have redirected its own mail
> servers, nor would any third party mail servers have been affected.

Well, actually this is not a DNS redirection. This is an HTTP 
redirection in a way. Please keep in mind that DNS, HTTP, SMTP etc. are 
different protocols. One shouldn't define the Internet as "the Web" and 
the client as the browser.

Take instant messaging. Or something like Skype. Or file sharing. Or 
just plain "ping". Or FTP.

All of those applications will be broken if the DNS is broken. I would 
say, any application _except the WWW_ will be broken. And there is no 
easy way to fix them!

See the following example: my Jabber (instant messaging) client is set 
to go to the "jabber.sgh.waw.pl" server. It sends my username and 
password there. If I make a typo, say, "jaber.sgh.waw.pl",
the DNS protocol will say:

(1) % dig jaber.sgh.waw.pl

; <<>> DiG 9.4.2 <<>> jaber.sgh.waw.pl
;; global options:  printcmd
;; Got answer:
(2) ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11010
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;jaber.sgh.waw.pl.              IN      A

;; AUTHORITY SECTION:
sgh.waw.pl.             86400   IN      SOA     hermes.sgh.waw.pl. 
hostmaster.sgh.waw.pl. 2008070302 43200 7200 630000 86400


This is more or less raw protocol exchange. I issue a query with a dig 
command (1) and I receive a DNS packet coming with the answer (2).

What's included there is the "status: NXDOMAIN" - this means that this 
DNS query resulted in an error, "no such domain". The rest is only the 
answer about who is responsible for the domain in question.

If somebody does something like the mentioned hijack I will get 
something like this:

; <<>> DiG 9.4.2 <<>> jabber.sgh.waw.pl
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7089
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;jabber.sgh.waw.pl.             IN      A

;; ANSWER SECTION:
jabber.sgh.waw.pl.      86400   IN      A       11.12.13.14

What happens? The status is "NOERROR", which means "The NAME is found, and 
here is its IP address".


So, what does my instant messaging do? Instead of bailing out and saying 
so immediately, it will try to establish the TCP connection to port 5223.
Good, if it receives the connection reset immediately, but it may also 
be blackholed and wait for some time for the connection to time out. And 
it will try to connect again and again and again...

Another example: what if you ping something to see if that's reachable?
Suppose you make a mistake in the address... and voilà, you have a 
response. How do you find out you've made a mistake?

Many monitoring systems do exactly this every few minutes. I think 
nobody wants to discover such a configuration mistake while having a 
blood-thirsty CEO on the line.

> The principle I was discussing was that of a tier 3 ISP and its
> directly connected customers, not a higher order one. Generally, mail
> servers are not run on consumer services. We also do not know whether
> this was precluded in the specific implementation, nor whether it
> could be...

The Internet is not about "consumers" vs. "content providers". The 
network _works_ because it does not really distinguish between "small 
guy" and the "big guy". There is only some difference between end-hosts 
and routers. I really recommend reading section 1.1 of RFC 1122 for the 
rationale.

In other words, how much iron/fiber/money you put behind the IP address 
is totally irrelevant from the point of view of the protocol.

I am running a local SMTP (with UUCP!) and a Web server and a few database 
servers on my laptop. Thanks to a dynamic DNS service I can direct anyone 
to those resources as long as I am on a publicly reachable IP address.

If you start Skype, your computer (no matter how small) can participate 
in exchanging calls from around the world, none of which are originated 
or terminated at your machine. Modern revision control software (git, 
mercurial, etc.) does not even have a notion of "server" or "client", 
there is just "somebody I talk to".

There are more and more innovative services coming. We absolutely should 
not accept a situation where the "consumer" is confined just to 
doing "some Web browsing" and "maybe email" just because they pay
a $20 monthly subscription fee.

If the service being sold is called "The Internet", that is the way 
it has to be. Otherwise we would still be in the era of CompuServe.

-- 
               << Marcin Cieslak // saper at saper.info >>
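The check the mail performs by hand with dig, written as an added example (not from the mail, and not any project's own tool): it builds a plain A query, parses the raw reply header and answer section, and flags a NOERROR answer carrying an address for a name known not to exist as suspected NXDOMAIN redirection. The two replies it examines are constructed fixtures that mirror the dig output above; 11.12.13.14 is the post's own illustrative hijack address.

```python
import socket
import struct
RCODES = {0: "NOERROR", 3: "NXDOMAIN"}   # the two status values contrasted in the post

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split(".")) + b"\x00"

def build_query(name, txid):
    """Plain A query with only the RD bit set, as dig sends by default."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def constructed_response(query, rcode, addrs=()):
    """Constructed fixture, not a capture: echo the question, set qr/rd/ra plus rcode, add one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + query[12:] + rrs

def skip_name(pkt, off):
    """Advance past a wire name, whether plain labels or a compression pointer."""
    while pkt[off]:
        if pkt[off] & 0xC0 == 0xC0:
            return off + 2
        off += pkt[off] + 1
    return off + 1

def parse_response(pkt):
    """Return the header id and rcode name plus every A address in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    addrs, off = [], 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                    # qtype + qclass
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "addrs": addrs}

def classify(query, response):
    """For a name known not to exist, anything but NXDOMAIN means the resolver is rewriting answers."""
    resp = parse_response(response)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatched id"
    if resp["rcode"] == "NXDOMAIN":
        return "honest NXDOMAIN"
    return "suspected redirection to " + ", ".join(resp["addrs"]) if resp["addrs"] else "unexpected " + resp["rcode"]
```

To run it against a live resolver, send build_query() for a deliberately bogus name over UDP port 53 and pass the reply to classify(); a monitoring system can do this every few minutes alongside its ordinary reachability probes.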
