DNS Redirection

When you type an address into a web browser, many things happen ‘behind the scenes’. Most of the time you get the website you were looking for. But what happens if you make a mistake typing in the address, or the address you are looking for doesn’t exist? Ideally (at least from a technical point of view), you get this:

[Image: dns2]

Sometimes, however, you don’t. Instead, when there is no exact match for the query name and/or the query type, DNS synthesis, or redirection, may take place. In short, if your request can’t be resolved, it gets redirected to another webpage by someone in the middle – often your Internet Service Provider (ISP) or the Top Level Domain (TLD). This is a hotly contested issue in some circles, and it’s making a lot of people quite upset.
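One way to check whether the resolver you are using synthesizes answers, as an added example that is not part of the original post: resolve a few random names that should not exist and see whether any come back with an address. The function names, the `com` suffix and the 203.0.113.10 address used in testing are assumptions chosen for illustration.

```python
import secrets
import socket


def system_resolve(name):
    """Addresses the system resolver returns for name; empty set on any failure.

    getaddrinfo does not reliably separate "name does not exist" from other
    errors across platforms, so every failure counts as "no answer". The
    check therefore errs towards not flagging a resolver.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def probe_synthesis(resolve=system_resolve, suffix="com", probes=3):
    """Resolve random names that should not exist and report any answers.

    A 24-hex-character label is, for practical purposes, never registered,
    so an address for it means someone on the path (the ISP's resolver or
    a wildcarding TLD) synthesized the response.
    """
    answered = {}
    for _ in range(probes):
        name = f"{secrets.token_hex(12)}.{suffix}"
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    # Addresses shared by every synthesized answer point at the landing page.
    shared = set.intersection(*answered.values()) if answered else set()
    return {
        "synthesized": bool(answered),
        "answered": answered,
        "landing_addresses": shared,
    }


if __name__ == "__main__":
    result = probe_synthesis()
    if result["synthesized"]:
        print("Non-existent names resolved to:", sorted(result["landing_addresses"]))
    else:
        print("No synthesized answers seen for random names.")
```

Running the probe against a second resolver and comparing the results helps separate synthesis by the ISP's resolver from wildcarding at the TLD.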

Some organizations try to legitimize this activity by citing the need to redirect traffic away from websites that exist for the sole purpose of illegal activity, such as child pornography or sites that are known to be pushing out malware. I’m not so sure this argument is accurate.  DNS redirection does not remove harmful or illegal content from websites; it just makes it more difficult to access using a particular network.  In all likelihood, law enforcement organizations would contact the hosting provider (or authority) for a domain used for illegal activity to have it shut down or redirected. They would not likely resort to asking potentially thousands of ISPs around the world to individually take steps to block or otherwise redirect the ill-intentioned sites.

There are many reasonable and more effective methods for filtering such content, including web browser plug-ins, anti-virus software, child protection software, proxy servers, and firewalls that do not require breaking the fundamental protocols on which the Internet relies.  Further, these continue to enable personal choice.

There is another reason, however, that ISPs engage in DNS synthesis: it can be quite profitable. ISPs are increasingly redirecting requests to pages that they have created themselves, and serve to market their products and services. Ads can be sold on these pages, and the ISP can control the traffic that goes to the website.

I take issue with ISPs engaging in this practice for several reasons.  The following are just a few examples of the problems that can be encountered with DNS redirection:

- There are many undesirable problems that may result from interfering with the way the DNS protocol was intended to work, including difficulty troubleshooting, spam filters not working, embedded tools being confused, and more.

- The user may or may not end up connecting to the page he or she was attempting to visit. As a user, if your intent is to visit www.widgetxyz.ca, should your ISP be able to decide what you meant to put into your web browser? As well, this may mean existing domains and their owners may lose out on traffic because of the interference of the ISP.

- ISPs charge you for bandwidth – when you type in an address correctly, you are using bandwidth to go to a page that you intended to go to. If you type it in incorrectly, you should expect to not use bandwidth. However, if an ISP redirects your request to a page of their choosing, you’re using bandwidth to get to a page you didn’t choose to go to.

CIRA was recently given the opportunity to comment on proposed “best practices” for the use of DNS redirection by ISPs by the Internet Engineering Task Force, or IETF. I’ve submitted my comments and will continue to keep an eye on any further developments and future opportunities to comment.

ISPs are not the only ones in on this action, however. This is also a concern at the Registry level (the business that CIRA is in). The Security and Stability Advisory Committee (SSAC – including many of the “high priests” of the DNS) of ICANN has reported over the past few years that redirection and synthesizing of DNS responses by TLDs (or “wildcarding”) poses a clear and significant danger to the security and stability of the domain name system. They have advised ICANN to prohibit the use of redirection and synthesized responses by new TLDs, including gTLDs and ccTLDs, stating that:

“The redirection and synthesizing of DNS responses by TLDs poses a clear and significant danger to the security and stability of the domain name system. The consequences of synthesized DNS responses range from erosion of trust relationships to the creation of new opportunities for malicious attacks, without the ability of the affected party(ies) to mitigate these problems.”

In June 2009, the ICANN Board of Directors called on the Country Code Names Supporting Organisation (ccNSO) to provide the TLD community with a report that summarises the issues associated with wildcarding.  The ccNSO established an Ad-hoc Wildcard Study Working Group to study the issue and prepare this report.

Incidentally, CIRA is a member of this Working Group, so, we’ll have an opportunity to stay on top of this issue (definitely a topic for a future blog post).

What do you think about ISPs synthesizing DNS responses?

  • frishack tical

    I agree with all of your points. This is a very negative development, and mostly is done to make money for doing nothing. It also gives the end user the creepy feeling that their browsing is being watched very closely by their ISP.

  • http://www.101domains.com/ Dave

    Some interesting points to think about. Some things I’d not really considered before. And have to agree with the previous comment, it can be a little creepy! lol