Synthetic DNS Stirs Controversy:
Why Breaking Is a Good Thing
The Internet Corporation for Assigned Names and Numbers' (ICANN's) Security and Stability Advisory Committee (SSAC) has recommended against the increasingly popular practice of redirecting domain-name-system (DNS) queries. With this practice, instead of receiving a reply stating that a certain domain doesn't exist, users are presented with Web pages containing lists of alternative links.
In 2003, VeriSign stirred up the initial controversy when it began the practice of redirecting users to its own advertising portals. John Pescatore, a vice president and Gartner Fellow at Gartner Inc., a market research firm, said the controversy was significant, first, because VeriSign introduced the process without a hearing and, second, because the company was profiting from its franchise without adding anything back to the community at large.
The ICANN recommendation has force only for operators of generic top-level domain (gTLD) registries that manage TLDs such as .museum or .biz. When the TLD operator redirects DNS queries, all queries go to the alternate address because the TLD provides the system of record. By contrast, when an ISP that manages a local DNS cache generates an alternative IP address for a DNS query, end users who are unhappy with the practice can find another DNS provider.
The practice of redirecting or synthesizing DNS queries can occur under many circumstances. It's called wildcarding when a user attempts to look up ww.site.com—for which there is no official record—instead of www.site.com. In another case, a user might be redirected if they type in www.bnkofamerica.com instead of the official site.
Pescatore said that services like OpenDNS provide value by directing end users away from sites that are hosting malware or phishing for data. For example, OpenDNS would block access to a look-alike banking site or send the user to the real thing. Pescatore said that another purpose would be in the event of an emergency, when a government could use DNS redirection to notify citizens of a disaster.
But when DNS queries don't break in the beginning and generate error messages, they can create more problems. This is partly because many applications rely on a failure message to know that the site is bad, said Pescatore. For example, a mail server saves valuable bandwidth by marking a message recipient as bad when it can't find the recipient's domain name rather than trying to send the message.
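The two failure modes described above (a wildcarded typo such as ww.site.com, and a mail server that needs a hard "does not exist" answer) can be illustrated with a small simulation. The following is an added example, not code from the article or from any of the organizations it mentions: both resolvers, the zone table, and the IP addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are constructed for the example. It uses the standard technique of querying a few random labels that cannot legitimately exist; if the resolver answers them anyway, the application knows the resolver is synthesizing and can treat the synthesized address as NXDOMAIN again.

```python
import random
import string
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed zone data for the example (documentation address ranges).
PORTAL_IP = "192.0.2.53"                       # the synthesizing resolver's "portal" page
ZONE = {
    "example.com": "198.51.100.1",
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.25",
}


def honest_resolver(name: str) -> Optional[str]:
    """Returns the address, or None to model an NXDOMAIN reply."""
    return ZONE.get(name.lower())


def synthesizing_resolver(name: str) -> Optional[str]:
    """Models a wildcarding/redirecting resolver: unknown names get the portal address."""
    return ZONE.get(name.lower(), PORTAL_IP)


def random_label(length: int = 16) -> str:
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def probe_synthesis(resolve: Resolver, parent_zone: str, probes: int = 3) -> set:
    """Query random labels under parent_zone that cannot legitimately exist.

    An honest resolver answers NXDOMAIN (None) for all of them, so the returned
    set is empty; a synthesizing resolver leaks its redirect address(es).
    """
    synthesized = set()
    for _ in range(probes):
        answer = resolve(f"{random_label()}.{parent_zone}")
        if answer is not None:
            synthesized.add(answer)
    return synthesized


def lookup_with_nxdomain_recovery(resolve: Resolver, name: str) -> Optional[str]:
    """Resolve name, but return None when the answer is a synthesized redirect.

    The probe runs under the same parent zone as the queried name, so it catches
    both registry-level wildcarding (probe under the TLD) and resolver-level
    rewriting (probe under any zone).
    """
    answer = resolve(name)
    if answer is None:
        return None                                # genuine NXDOMAIN
    parent_zone = name.split(".", 1)[1] if "." in name else name
    if answer in probe_synthesis(resolve, parent_zone):
        return None                                # synthesized; treat as nonexistent
    return answer


def recipient_domain_exists(resolve: Resolver, address: str) -> bool:
    """The mail-server decision from the text: bounce immediately when the
    recipient's domain does not exist instead of attempting delivery."""
    domain = address.rpartition("@")[2]
    return lookup_with_nxdomain_recovery(resolve, domain) is not None


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("synthesizing", synthesizing_resolver)):
        print(label, "raw ww.example.com ->", resolver("ww.example.com"))
        print(label, "recovered ww.example.com ->", lookup_with_nxdomain_recovery(resolver, "ww.example.com"))
        print(label, "deliver to user@exmaple.com ->", recipient_domain_exists(resolver, "user@exmaple.com"))
```

Against the honest resolver the probe adds three extra queries per lookup and changes nothing; against the synthesizing one it restores the "site is bad" signal that the redirected reply removed. A real mail server would consult MX records rather than address records, which the simulation leaves out.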
DNS redirection also opens up the possibility for other types of interference. For example, a country like China might redirect a user away from a site with controversial news coverage. Other countries might use DNS redirection to redirect people away from pornography. Pescatore said another example might be if a country wanted consumers to first shop at local merchants rather than international ones.
Because of the potential benefits of DNS redirection, Pescatore recommends an Internet-wide policy for when and how TLD operators and DNS cache managers can redirect messages to alternate IP addresses. He said, "There should be a policy as to when this is acceptable and when and how it should work. For example, there could be a protocol that the screen first gives a 404 message before redirecting the user to an alternate site. There are ways to deal with the problem as long as we have a consistent agreed-upon policy."
But others argue that the best Internet-wide policy should be to prohibit redirection of DNS queries at any level. ICANN is raising the issue now in anticipation of a wide variety of more gTLDs opening within the next year. Steve Crocker, chair of ICANN's Security and Stability Advisory Committee, said, "We have been hearing of some interest in the prospect of experimentation with this redirection process, and we wanted to speak up firmly and forcefully in advance that this is not something that is proper at all."
This recommendation will likely come out as a contractual mandate for operators of gTLDs, such as .mobi or .biz, but it will be only an advisory to top-level country code TLDs (ccTLD) such as .jp for Japan or .de for Germany. These domains aren't under contract to ICANN, so they aren't subject to the same contractual control. Crocker said, "The force of our recommendation and the board's resolution deals with language that covers both cases. In the case of the contracted TLDs, we expect language that prohibits it. With the others, we expect strong language that frowns on that."
These recommendations don't directly apply to other organizations such as ISPs or providers like OpenDNS that provide DNS services to consumers. Crocker said that ICANN can shine the same light on these and say they are bad practices. However, the important difference is that if TLD operators implement the practice in the registry, end users have no escape, whereas if other operators implement it, an end user can choose a different DNS provider.
In the long run, Crocker expects this issue to become moot with the advent of Domain Name System Security Extensions (DNSSEC), which will use public key cryptography to sign all DNS entries. Once DNSSEC technology is in place, it will be hard or impossible for another party to modify the response, because if they do, it would be evident that the response had been tampered with.
Crocker said this will make it harder for organizations like OpenDNS to protect end users from malicious sites. He noted, "The fact that they are redirecting users is not necessarily a bad thing, but it does not need to protect users in the form that it is in."
For example, instead of redirecting the end user, these organizations could simply block access to the IP addresses of known malicious sites. Crocker explained, "You cannot say it does not exist, because that would require a signed response, but you could simply not permit any response. It would look like the request timed out. I think there are useful creative ways to accomplish the same thing without having to argue about the implementation of this security extension."