simply whoever remaps these NXDOMAIN responses gets the impression revenue. There are unverified claims that some ISPs are blocking access to OpenDNS and/or all non-ISP name servers in order to force their customers to use the ISP's own name server. I say unverified, but I find the claims credible: ISPs have wafer-thin margins, and if they see this kind of manna going out the door, they can't just let it happen.
To demonstrate the extreme desire to capture this revenue, a true story. A few years ago (in 2003) VeriSign, which operates the .COM domain under contract to ICANN (Internet Corporation for Assigned Names and Numbers), added a wildcard at the top of the .COM zone (*.COM) so that its authoritative name servers would no longer generate NXDOMAIN responses for nonexistent .COM names. Instead they generated responses containing the address of SiteFinder's Web site, an advertising server. The outcry from the community (including your humble narrator) was loud and long, and before ICANN had a chance to file a lawsuit to stop this nonsense, many people had patched their recursive name servers to remap any response from a .COM name server that was not a delegation (that is, a referral telling how to find, for example, the Google.com name servers) back into an NXDOMAIN. Some ISPs instead put logic into their policy-based routers to turn SiteFinder responses into pointers to the ISP's own advertising server.
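The "delegation-only" patch described above, as an added example that is not code from the article or from any real name server: a recursive resolver that trusts the .COM servers only to refer it elsewhere, and rewrites any other answer from them into NXDOMAIN. The response layout is a toy model (answer, authority and additional sections as Python lists), and every name and address below is constructed.

```python
"""Delegation-only filtering of a TLD server's answers.

Added example, not code from the article or from any name server: a toy
model of the logic operators deployed against SiteFinder in 2003 (BIND
9.2.3 shipped it as the "delegation-only" zone type).  A recursive server
that trusts .COM only to *delegate* rewrites any non-referral answer from
the .COM servers into NXDOMAIN.  Names and addresses are constructed.
"""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN = 0, 3


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: int = NOERROR
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def _below(name, zone):
    """True if name is strictly underneath zone (both without trailing dot)."""
    return name.lower().endswith("." + zone.lower())


def is_referral(resp, zone):
    """A referral from zone: rcode NOERROR, an empty answer section, and NS
    records in the authority section all owned by one name that lies below
    zone and at or above the query name."""
    if resp.rcode != NOERROR or resp.answer:
        return False
    owners = {rr.owner for rr in resp.authority if rr.rtype == "NS"}
    if len(owners) != 1:
        return False
    cut = owners.pop()
    return _below(cut, zone) and (resp.qname.lower() == cut.lower() or _below(resp.qname, cut))


def delegation_only(resp, zone):
    """Policy for answers received from zone's authoritative servers: keep
    referrals, NXDOMAINs and answers about the zone apex itself; turn
    everything else (e.g. a wildcard-synthesised A record) into NXDOMAIN."""
    if resp.rcode == NXDOMAIN or resp.qname.lower() == zone.lower() or is_referral(resp, zone):
        return resp
    return Response(resp.qname, resp.qtype, rcode=NXDOMAIN)


# Constructed answers of the kinds a .COM server might return.
WILDCARD_HIT = Response(
    "kjhsdfkjhskjhmjher.com", "A",
    answer=[RR("kjhsdfkjhskjhmjher.com", "A", "192.0.2.10")],  # *.com synthesis
)
REFERRAL = Response(
    "www.example.com", "A",
    authority=[RR("example.com", "NS", "a.iana-servers.net"),
               RR("example.com", "NS", "b.iana-servers.net")],
    additional=[RR("a.iana-servers.net", "A", "192.0.2.1")],  # constructed glue
)
APEX = Response("com", "NS", answer=[RR("com", "NS", "a.gtld-servers.net")])


if __name__ == "__main__":
    for r in (WILDCARD_HIT, REFERRAL, APEX):
        out = delegation_only(r, "com")
        print(f"{r.qname:26} {r.qtype:3} -> rcode {out.rcode}, "
              f"{len(out.answer)} answer / {len(out.authority)} authority RRs")
```

The caveat a practitioner wants: this policy breaks any TLD that legitimately serves data of its own rather than only delegating (several ccTLDs host second-level names directly), which is why BIND makes it an explicit per-zone option with an exclusion list rather than a default.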
Damage Control
NXDOMAIN wasn't designed to be a revenue hook; many applications depend on accurate error signals from DNS. For example, consider the "same origin trust model" used for Web cookies. A cookie scoped to Google.com is sent to every host under Google.com, on the assumption that only Google can cause such a host to exist. If you're holding a cookie for Google.com and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer pointing at some advertising server, then you're going to send your Google.com cookie to that advertising server along with your HTTP GET request. Not such a bad thing for a Google.com cookie, but a real problem for a BANKOFAMERICA.COM cookie. (Thanks to Dan Kaminsky for telling me about the "same origin trust model" problem.)
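The cookie leak above, and the mail-capture and caching problem the next paragraph describes, modelled end to end as an added example (not code from the article): a constructed authoritative zone, a recursive resolver whose negative cache is keyed by name only because an NXDOMAIN covers every type, an ISP-style policy that remaps only type A, an RFC 6265 cookie domain match, and an SMTP initiator that falls back from MX to A. Every name, address and cookie is constructed; `bankofamerica.example` stands in for the real domain.

```python
"""Two side effects of NXDOMAIN remapping, modelled end to end.

Added example, not code from the article.  Every name, address and cookie
below is constructed; the .example names stand in for real domains.
"""

NOERROR, NXDOMAIN = 0, 3
AD_SERVER = "192.0.2.53"          # constructed: where remapped names land

# Constructed authoritative data: (owner, type) -> rdata list.
ZONE = {
    ("bankofamerica.example", "A"):  ["198.51.100.10"],
    ("bankofamerica.example", "MX"): ["10 mail.bankofamerica.example"],
    ("mail.bankofamerica.example", "A"): ["198.51.100.25"],
}
EXISTING = {owner for owner, _ in ZONE}


def authoritative(qname, qtype):
    """The real authority: NXDOMAIN if the owner name does not exist at all,
    otherwise NOERROR with the matching rdata (empty list == NODATA)."""
    if qname not in EXISTING:
        return NXDOMAIN, []
    return NOERROR, ZONE.get((qname, qtype), [])


class Resolver:
    """Recursive resolver with a type-agnostic negative cache and an
    optional policy that turns NXDOMAIN into a positive type=A answer."""

    def __init__(self, remap_a=False):
        self.remap_a = remap_a
        self.neg_cache = set()        # owner names known not to exist
        self.upstream = 0             # queries that reached the authority

    def query(self, qname, qtype):
        if qname in self.neg_cache:   # hit, whatever type was asked before
            rcode, rdata = NXDOMAIN, []
        else:
            self.upstream += 1
            rcode, rdata = authoritative(qname, qtype)
            if rcode == NXDOMAIN:
                self.neg_cache.add(qname)
        if rcode == NXDOMAIN and self.remap_a and qtype == "A":
            return NOERROR, [AD_SERVER]   # the revenue hook
        return rcode, rdata


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: a cookie with Domain=bankofamerica.example is
    sent to bankofamerica.example and to every host below it."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def browser_visit(resolver, host, cookie_jar):
    """Resolve host as a browser would; return (address, cookies sent), or
    None when the name does not resolve."""
    rcode, addrs = resolver.query(host, "A")
    if rcode != NOERROR or not addrs:
        return None
    return addrs[0], [c for c in cookie_jar if domain_match(host, c["domain"])]


def smtp_connect(resolver, domain):
    """Where an SMTP initiator connects for user@domain: best MX first, then
    (the fallback the article relies on) the domain's own A record when the
    MX query brings back no usable answer."""
    rcode, mx = resolver.query(domain, "MX")
    if rcode == NOERROR and mx:
        _, host = min((int(p), h) for p, h in (rr.split() for rr in mx))
        rcode, addrs = resolver.query(host, "A")
    else:
        rcode, addrs = resolver.query(domain, "A")
    return addrs[0] if rcode == NOERROR and addrs else None


COOKIE_JAR = [{"name": "session", "domain": "bankofamerica.example"}]  # constructed
TYPO_HOST = "kjhsdfkjhskjhmjher.bankofamerica.example"   # constructed, nonexistent host
TYPO_DOMAIN = "bankofamerca.example"                      # constructed typo, no such zone


def demo(remap_a):
    """Run both scenarios against an honest or a remapping resolver."""
    r = Resolver(remap_a=remap_a)
    return {
        "web": browser_visit(r, TYPO_HOST, COOKIE_JAR),
        "mail": smtp_connect(r, TYPO_DOMAIN),
        "upstream_queries": r.upstream,
    }


if __name__ == "__main__":
    print("honest  :", demo(False))
    print("remapped:", demo(True))
```

With the honest resolver both the mistyped host and the mistyped mail domain fail cleanly. With remapping on, the browser sends the bank's session cookie to the advertising server, and the mail path shows why "remap only type A" does not help: the MX query's NXDOMAIN is passed through untouched, but it is cached for the name, so the initiator's fallback A query is answered from that cache and remapped anyway.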
Remapping could also cause email to be captured if a mail exchanger (MX) request is remapped in this way. Many NXDOMAIN remappers try to avoid this by triggering only on A (address) requests, but to make this work they have to turn off caching, since an NXDOMAIN is not type specific (it says the name does not exist for any type, so once cached it answers later queries of every type) and since an SMTP initiator that gets no answer to its type=MX query will fall back to type=A, which the remapper then answers with the advertising server. Similar protections (designed to keep lawsuits away while still