[Chapter-delegates] net neutrality vs DNS redirection

Alejandro Pisanty apisan at servidor.unam.mx
Tue Jul 22 15:40:40 PDT 2008


Marcin,

YES!!

That is why we are the Internet Society and not the OneWebDay society.

We should all be grateful for your excellent examples and clear 
discussion.

I will forward your mail - since the list is archived it is public ;-) - 
to my chapter members with a title "Internet or Web?" or something 
similar.

Yours,

Alejandro Pisanty


.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . .  .  .  .  .  .
      Dr. Alejandro Pisanty
UNAM, Av. Universidad 3000, 04510 Mexico DF Mexico

Tels. +52-(1)-55-5105-6044, +52-(1)-55-5418-3732

*Mi blog/My blog: http://pisanty.blogspot.com
*LinkedIn profile: http://www.linkedin.com/in/pisanty
*Join the UNAM group on LinkedIn, http://www.linkedin.com/e/gis/22285/4A106C0C8614

---->> Join ISOC Mexico, http://www.isoc.org
  Participate in ICANN, http://www.icann.org
.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .


On Tue, 22 Jul 2008, Marcin Cieslak wrote:

> Date: Tue, 22 Jul 2008 21:28:16 +0200
> From: Marcin Cieslak <saper at saper.info>
> To: Narelle Clark <Narelle.Clark at optus.com.au>
> Cc: "'chapter-delegates at lists.isoc.org'" <chapter-delegates at elists.isoc.org>
> Subject: Re: [Chapter-delegates] net neutrality vs DNS redirection
> 
> Narelle Clark wrote:
>>> From: Franck Martin [mailto:franck at sopac.org] Sent: Tuesday, 22
>>> July 2008 12:30 PM
>>> 
>>> For anti-spam measure, in postfix, sendmail, spamassassin, it is a
>>> common test to check if sender domain exists and has an MX record.
>> 
>> These are server based systems, and would not have been affected by
>> the DNS redirection we were discussing. In that example, I think we
>> can assume that the local ISP would not have redirected its own mail
>> servers, nor would any third party mail servers have been affected.
>
> Well, actually this is not a DNS redirection. This is an HTTP redirection in 
> a way. Please keep in mind that DNS, HTTP, SMTP etc. are different protocols. 
> One shouldn't define the Internet as "the Web" and the client as the browser.
>
> Take instant messaging. Or something like Skype. Or file sharing. Or just 
> plain "ping". Or FTP.
>
> All of those applications will be broken if the DNS is broken. I would say, 
> any application _except the WWW_ will be broken. And there is no easy way to 
> fix them!
>
> See the following example: my Jabber (instant messaging) client is set to go 
> to the "jabber.sgh.waw.pl" server. It sends my username and password there. 
> If I make a typo, say, "jaber.sgh.waw.pl",
> the DNS protocol will say:
>
> (1) % dig jaber.sgh.waw.pl
>
> ; <<>> DiG 9.4.2 <<>> jaber.sgh.waw.pl
> ;; global options:  printcmd
> ;; Got answer:
> (2) ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11010
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jaber.sgh.waw.pl.              IN      A
>
> ;; AUTHORITY SECTION:
> sgh.waw.pl.             86400   IN      SOA     hermes.sgh.waw.pl. 
> hostmaster.sgh.waw.pl. 2008070302 43200 7200 630000 86400
>
>
> This is more or less raw protocol exchange. I issue a query with a dig 
> command (1) and I receive a DNS packet coming with the answer (2).
>
> What's included there is "status: NXDOMAIN" - this means that this DNS 
> query resulted in an error, "no such domain". The rest only says who is 
> responsible for the domain in question.
>
> If somebody does something like the mentioned hijack I will get something 
> like this:
>
> ; <<>> DiG 9.4.2 <<>> jabber.sgh.waw.pl
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7089
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;jabber.sgh.waw.pl.             IN      A
>
> ;; ANSWER SECTION:
> jabber.sgh.waw.pl.      86400   IN      A       11.12.13.14
>
> What happens? The status is "NOERROR" that means "The NAME is found, and here 
> is its IP address".
>
>
> So, what does my instant messaging client do? Instead of bailing out and 
> saying so immediately, it will try to establish a TCP connection to port 5223.
> Good if it receives the connection reset immediately, but it may also be 
> blackholed and wait for some time for the connection to time out. And it will 
> try to connect again and again and again...
>
> Another example: what if you ping something to see if that's reachable?
> Suppose you make a mistake in the address... and voilà, you have a response. 
> How do you find out you've made a mistake?
>
> Many monitoring systems do exactly this every few minutes. I think nobody 
> wants to realize such a configuration mistake with a blood-thirsty CEO on the 
> line.
>
>> The principle I was discussing was that of a tier 3 ISP and its
>> directly connected customers, not a higher order one. Generally, mail
>> servers are not run on consumer services. We also do not know whether
>> this was precluded in the specific implementation, nor whether it
>> could be...
>
> The Internet is not about "consumers" vs. "content providers". The network 
> _works_ because it does not really distinguish between the "small guy" and the 
> "big guy". There is only some difference between end-hosts and routers. I 
> really recommend reading section 1.1 of RFC 1122 for the rationale.
>
> In other words, how much iron/fiber/money you put behind the IP address is 
> totally irrelevant from the point of view of the protocol.
>
> I am running a local SMTP (with UUCP!) and a Web server and a few database 
> servers on my laptop. Thanks to a dynamic DNS service I can direct anyone to 
> those resources as long as I am on a publicly reachable IP address.
>
> If you start Skype, your computer (no matter how small) can participate in 
> exchanging calls from around the world, none of which originate or 
> terminate at your machine. Modern revision control software (git, mercurial, 
> etc.) does not even have a notion of "server" or "client", there is just 
> "somebody I talk to".
>
> There are more and more innovative services coming. We should absolutely not 
> accept the situation where the "consumer" is confined just to doing "some Web 
> browsing" and "maybe email" just because they pay
> a $20 monthly subscription fee.
>
> If the service being sold is called "The Internet", that's the way it has 
> to be. Otherwise we would still be in the era of CompuServe.
>
> -- 
>              << Marcin Cieslak // saper at saper.info >>
>
>
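Added example (my own code, not Marcin's and not anything from the ISOC list): a stdlib-only Python parser for the two DNS reply shapes shown in the dig output above, plus the check a monitoring system could run: a query for a name known not to exist must come back NXDOMAIN, and a NOERROR reply carrying an A record means the resolver synthesised an answer. The sample packets are constructed in code using the names and the 11.12.13.14 address from the mail; the function names are my own.

```python
import struct

NOERROR, NXDOMAIN = 0, 3          # DNS RCODE values (RFC 1035)

def encode_name(name):
    # "jabber.sgh.waw.pl" -> length-prefixed labels, terminated by a zero byte.
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(qname, rcode, a_records=(), msg_id=0x2B02):
    # Constructed sample packet (not captured traffic): a reply to an A query for qname.
    flags = 0x8180 | rcode        # QR=1, RD=1, RA=1 (dig's "flags: qr rd ra"), RCODE in low 4 bits
    header = struct.pack("!6H", msg_id, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + rdata
    return header + question + answers

def skip_name(msg, off):
    # Advance past a (possibly compressed) domain name and return the new offset.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # two-byte compression pointer
            return off + 2
        off += n + 1

def parse_response(msg):
    # Return (rcode, [A-record addresses]) from a DNS response as seen on the wire.
    _, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, addrs

def redirection_suspected(probe_reply):
    # The probe name is known not to exist: NOERROR plus an A record means the resolver made one up.
    rcode, addrs = parse_response(probe_reply)
    return rcode == NOERROR and bool(addrs)
```

Run `redirection_suspected(build_response("jaber.sgh.waw.pl", NOERROR, ["11.12.13.14"]))` to reproduce the hijacked case from the mail; the honest NXDOMAIN reply returns False.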

