
jester121
Premium
join:2003-08-09
Lake Zurich, IL

Typical much ado...

Once again, for all the hullabaloo and bandwagon jumping, no one's given a detailed description of how this really affects them. We have references to "tools and utilities" that this will impact and how it will cause the ruination of everyone's life, but honestly, what are these tools? And how much time each month do you spend using them? Aren't the people complaining the same ones who claim to never use ISP-run DNS servers anyhow, and aren't they smart enough to change to different ones?

I'd really like some examples, I'm not saying such uses don't exist and aren't valid; I just have a hard time believing that this is destroying anyone's ability to enjoy their internet connection.

(And for all who are poised to write something about "pure unfettered internet" or something like that, save it; I've read it all in the Comcast Bittorrent threads.)


jmn1207
Premium
join:2000-07-19
Ashburn, VA
kudos:1
said by jester121:

Once again, for all the hullabaloo and bandwagon jumping, no one's given a detailed description of how this really affects them. We have references to "tools and utilities" that this will impact and how it will cause the ruination of everyone's life, but honestly, what are these tools? And how much time each month do you spend using them? Aren't the people complaining the same ones who claim to never use ISP-run DNS servers anyhow, and aren't they smart enough to change to different ones?

I'd really like some examples, I'm not saying such uses don't exist and aren't valid; I just have a hard time believing that this is destroying anyone's ability to enjoy their internet connection.

(And for all who are poised to write something about "pure unfettered internet" or something like that, save it; I've read it all in the Comcast Bittorrent threads.)

This is a basic, EXPECTED, functionality of the internet. By breaking the standard, it makes things much more difficult to develop and implement.

Do you use email? Email is one area that will be severely impacted if every DNS resolves to some ISP advertising page. No message will bounce back if the wrong address is used. If I have to send an important message out to a new client and the email address is wrong, it would be nice to get a bounce back letting me know the message never arrived so that I could correct the issue. Also, spam filtering tools often rely on checking for legitimate addresses. False positives will be created and a ton of normally filtered email will be flooding our mailboxes. You would be surprised at just how much mail is filtered before it hits the typical mail inbox.

Regardless of whether or not you might be inconvenienced, it simply breaks the internet. That is not a good thing.


jester121
Premium
join:2003-08-09
Lake Zurich, IL
I use e-mail. I also know how it works, which clearly you don't.

My e-mail servers (and yours too, though you don't know it) use MX records to locate destination hosts for sending messages, not the A records that are being massaged by these DNS redirection methods (difference between web browsing and mail). Also, unless the ISP is going to have a wildcard accept for all inbound e-mail to all addresses at all domains, any decent MTA will in fact generate a bounce message -- when it can't deliver a mis-addressed message.

Keep in mind, we're talking about residential service here -- not supposed to run mail servers anyhow, and anyone who did wouldn't get much accomplished from a residential IP block. Also, keep in mind that spam filtering doesn't run on individual user's machines. The ISP isn't going to pass its spam filtering DNS lookups through this system.

Finally, the bottom line -- if you don't like it, use different DNS servers.

Your post supports my assertion that the people complaining about this are just whining because they think something is being taken away from them, even though they don't really understand either side of the issue.


shortckt
Watchen Das Blinken Lights
Premium
join:2000-12-05
Tenant Hell
reply to jester121

You asked for a valid example...

said by jester121:

Once again, for all the hullabaloo and bandwagon jumping, no one's given a detailed description of how this really affects them. We have references to "tools and utilities" that this will impact...

I'd really like some examples...

I've quickly read thru a few of your other posts and I see you understand the basics without my going into agonizing detail.

My ISP tried DNS redirect last year. It affected my ability to troubleshoot some problems simply by breaking things like ping & trace. Pinging a non-existent domain returned an IP on Level3 networks instead of time-outs.

It affected a customer's Exchange server company email with Outlook clients. The remote offices are on a VPN-over-the-'net connection. Remote clients could not connect to the Exchange server because they (in default config) try resolving names by DNS before WINS. This is a windoze thing. Because the ISP did not tell anyone that they monkeyed with the DNS this took a couple hours to resolve. The fix involved changing the DNS server list on the DHCP servers at each office and refreshing the lease on each desktop... but that was after wasting time figuring out why everything was crazy, since the ISP didn't tell the customers.

My original post about this is »Re: DNS Redirection System Turned Off

AFAIR the same problem (DNS before WINS lookup) also affected a couple of database apps that could not find the SQL server.

Nothing extraordinary here, just a business with multiple offices connected together, their apps broken because somebody decided it was ok to break RFC-1035.

said by jester121:

(And for all who are poised to write something about "pure unfettered internet" or something like that, save it...

I'm renting a pipeline, don't want any of their "added frills."


jester121
Premium
join:2003-08-09
Lake Zurich, IL

1 edit
shortckt, thanks for taking the time to spell out some concrete examples. I haven't yet read your other thread but I'll check it out.

I could see some issues arising when trying to troubleshoot your target domain's DNS records, or something like that. I'm a bit confused about how changing DNS broke VPNs, unless there were suddenly a bunch of typos in the configs of the VPN routers or clients. I'll check back once I've read the entire thread.

EDIT - Okay, now I see what you're talking about. If nothing else this certainly pointed out the need for proper internal DNS resources for your client's branch offices, right?


shortckt
Watchen Das Blinken Lights
Premium
join:2000-12-05
Tenant Hell
said by jester121:

I'm a bit confused about how changing DNS broke VPNs...

It didn't affect the VPN between the routers, I just mentioned VPN as the pipe between offices.

said by jester121:

EDIT - Okay, now I see what you're talking about. If nothing else this certainly pointed out the need for proper internal DNS resources for your client's branch offices, right?

They did, I set it up that way. All desktops, network printers etc. had DNS name entries (resource records) on the company's own DNS server. An option can be enabled in the DNS server that if a DNS lookup fails, it will next try to resolve names for a client by querying the integrated WINS database. Since DNS lookups never failed, instead returning valid records pointing to a "helpful paid search results" page, the company's DNS server never tried to query the WINS data. The desktop clients could not find their mail or SQL servers.

I know some people would blame it on MS but in light of Active Directory integrated with DNS, WINS is actually deprecated and used primarily for backward compatibility. So I can understand DNS lookups being first over WINS lookups.

Although the DNS redirects were only meaningful to a web browser, they broke other apps.

The ISPs which redirect mis-spelled names are also breaking another well established rule: they are making themselves Authoritative for domain names that they do not own by providing DNS answer records for non existent names. As much as I hate it, at least when some pr0n site operators deliberately register mis-spellings of well known names and redirect those to their own sites, they own those mis-spelled domain names. When an ISP takes it upon themselves to be helpful and e.g. redirect guugle.com for their own purpose, the ISP does not own either guugle.com or google.com.

I understand that the DNS protocol allows use of wildcards but I don't believe it was intended to be used like this, otherwise why would the protocol have a 'not found' error return code? IMO wildcards were intended to be used as a catch-all for non-specific sub-domains by the owner of the next-level-up domain.
--
Just valves and condensers!

estover4
Premium
join:2004-03-16
Valencia, PA
kudos:1
reply to jester121

Re: Typical much ado...

Copied from my post in another thread.

I have over 35 servers I monitor for availability; this includes DNS settings/monitoring. Now if the DNS server I use will redirect a failed lookup to a functional IP, it will not alert me to a down server.

Site Finder kind of stuff is OK for the average user, but remember the Web is not only used by 400 pound people with fat fingers looking for porn.

If they are going to break something that doesn't need fixing make it opt-in.

But more to the point, why change it?

If you think about it, they now own all the domain names that are not owned by someone else. This amounts to a hijacking of the unregistered names.

If you are going to make a change to the way the Internet works there are channels that you need to go through.
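
Added example, not from the thread: one way a monitoring job can notice a redirecting resolver, by first resolving random names under the reserved `.invalid` TLD and treating any address returned for them as a sink. The `resolve` callables, host names and addresses are hypothetical, constructed so the check runs offline.

```python
import secrets

# Constructed zone data using documentation address ranges.
ZONE = {
    "mail.example.com": {"198.51.100.10"},
    "sql.example.com": {"198.51.100.20"},
}
SINK_IP = "192.0.2.80"  # hypothetical address of the resolver's search page

def honest_resolve(name):
    """Resolver that reports NXDOMAIN as an empty answer set."""
    return set(ZONE.get(name, ()))

def rewriting_resolve(name):
    """Resolver that answers every unknown name with the search-page address."""
    return set(ZONE.get(name, (SINK_IP,)))

def make_canary():
    """Random label under the reserved .invalid TLD: guaranteed not to exist."""
    return f"{secrets.token_hex(8)}.invalid"

def check_hosts(hosts, resolve, canaries=3):
    """Classify each monitored name as 'ok', 'nxdomain' or 'redirected'.

    `resolve(name)` returns a set of IP strings, empty on NXDOMAIN.
    Also returns True when the resolver answered for a canary name.
    """
    sink = set()  # addresses handed out for names that cannot exist
    for _ in range(canaries):
        sink |= resolve(make_canary())
    report = {}
    for host in hosts:
        ips = resolve(host)
        if not ips:
            report[host] = "nxdomain"
        elif ips <= sink:
            # Every answer is a sink address: the name did not really resolve.
            report[host] = "redirected"
        else:
            report[host] = "ok"
    return report, bool(sink)

if __name__ == "__main__":
    hosts = ["mail.example.com", "sql.example.com", "decommissioned.example.com"]
    print(check_hosts(hosts, honest_resolve))
    print(check_hosts(hosts, rewriting_resolve))
```
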