DNS Redirection: Threat or Menace?
An RFC (“request for comment”) recently submitted by Comcast — viewable here — seems to have induced apoplexy among a relatively small number of folks who believe that the Internet’s precious bodily fluids must at all costs conform to their very strict definition of purity. The topic of the RFC: redirection of Internet traffic bound for nonexistent domains (usually due to typing errors on the part of Internet users).
Here’s the skinny. Often, if a user mistypes a domain name within a browser, he or she gets a very unhelpful and cryptic message. This message can sometimes lead users to believe that something is wrong with the computer or Internet connection and prompt a call to tech support. So, many ISPs have set up their systems so that such errors — especially on residential connections — redirect the user to a Web page that tries to help the user find the site that was intended. It may also submit what was typed to a search engine and display the results. The mechanism by which this is accomplished is known as “DNS redirection.”
Here’s how DNS redirection works. Whenever you type a domain name into a browser or other program on your computer, your computer must have it translated into a binary Internet address — an IP address. In most cases, your computer does this by submitting the name to a server called a “recursive domain name resolver” which is operated by your ISP.
But what happens if the domain name can’t be translated — because it was mistyped, no longer exists, etc.? Normally, your computer would receive a terse, unhelpful NXDOMAIN (“domain does not exist”) response, which the program you’re running sees as an error. Most programs, including Web browsers, likewise return a terse and completely unhelpful message to you, leaving you to figure out what went wrong… if you can.
With DNS redirection, however, the ISP’s domain name resolver instead returns the address of a server operated by the ISP — a server which might offer better help with the problem or links to sites which might be the one you actually meant to visit.
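To make the difference concrete, here is an added example (not code from the original post or from Comcast’s RFC) that parses a DNS response in wire format and tells an honest NXDOMAIN apart from a redirected answer, i.e. A records returned for a name that cannot exist. The name `nosuchname-example.invalid` and the address `192.0.2.53` are constructed sample values; `make_response` fabricates the two responses so the check runs offline.

```python
import struct

# Added example: minimal DNS wire-format helpers for spotting NXDOMAIN redirection.
RCODE_NXDOMAIN = 3
TYPE_A = 1

def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard recursive query (RD bit set) for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def classify_response(resp):
    """Return ('nxdomain' | 'answer' | 'other', [A addresses in the answer])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F == RCODE_NXDOMAIN:        # RCODE lives in the low 4 bits
        return "nxdomain", []
    off = 12
    for _ in range(qd):                         # skip the question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ("answer" if addrs else "other"), addrs

def detects_redirection(resp):
    """True when a name known not to exist still gets A records: the resolver redirects."""
    return classify_response(resp)[0] == "answer"

def make_response(query, rcode, addrs=()):
    """Constructed sample response to `query` (offline demo only, not a real resolver)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1 plus the RCODE
    hdr = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 60, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return hdr + query[12:] + rrs
```

Against a live resolver, the same `build_query` output would be sent over UDP port 53 and the reply fed to `classify_response`; an "answer" for a random label under a domain that cannot exist is the signature of redirection described above.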
Should ISPs do this? Well, as an ISP myself, I can say with authority that 99.99% of all Internet users would not know what DNS (or a recursive DNS server) was if it bit them. They’re impatient and uninterested in becoming Internet gurus. They want things to “just work,” and want immediate help if they don’t. What’s more, they are often extremely confused by the unhelpful error messages which browsers provide when a domain name cannot be resolved.
For this reason, it’s a good thing (in my opinion) that ISPs provide this service, and it’s quite reasonable for them to do so by default (with an option to opt out).
Some people have pointed out that failing to return an NXDOMAIN response when a domain does not resolve properly can cause problems with certain software. However, since DNS redirection is a well known and common practice, any software which cannot handle it is clearly dysfunctional itself, and will experience problems on a growing number of networks — prompting software authors to fix the bug. So, any such problems, if they do occur, won’t be around for long. And allowing customers to opt out should handle any situation where a user must run software that cannot tolerate redirection.
What’s more, DNS redirection can offer some real benefits. It can be used, for example, to block access to sites (or even portions of Web pages) that contain malware, spyware, and “drive-by downloads.” It can be used to block domains publicized in spam, preventing spammers from profiting from spam or from scams (such as the infamous Nigerian advance fee fraud). It can also be used for parental content controls. And the RFC does recommend limits on what ISPs should redirect, and how they should do it.
So, what’s all the fuss about? My take is that most of the folks who are protesting this practice are either people who constantly brand ISPs as evil or “orthodox end-to-endians” — extremists who believe that ISPs should not add value to the connectivity they sell, regardless of how helpful this might be to users. A few of them complain about the fact that some DNS redirection pages are advertiser-sponsored, and accuse ISPs of profiteering from users’ typos. But so long as there’s a clear way to opt out of seeing the pages (and, hence, the ads), what’s the big deal?
Methinks that what we have here is a reasonable practice that a few cranks see as yet another opportunity to attack ISPs. What do you think?
– Addendum posted 2009-07-11 –
Since I wrote the original posting, it occurred to me that one way to satisfy the purists — if they really are purists and not just out to attack ISPs — would be to set up a mechanism that enabled a program to distinguish between a domain which was actually resolved and one that was redirected. For backward compatibility, we wouldn’t want to change the formats of existing responses from recursive domain name resolvers. But we could easily add a new kind of domain name query whose semantics were, “Resolve this domain, but don’t ever redirect me if the domain does not exist.” (Since, according to Comcast’s RFC, redirection is only to be done on A and AAAA records, implementing this would just involve special queries for these two kinds of records.) Would this proposed solution be adequate? Should it be added to Comcast’s RFC? Comments are welcome.
- July 10th
I am just wondering if Comcast has implemented some new fangled redirect system with their new web page that is wreaking havoc with our network. We try and navigate the web and type in http addresses or even click on a link on a webpage, if and when we can ever get to a web page (usually after 3 tries), and we get failures. Watching the little grey bar at the bottom, I see stuff like searching for http://www.www.rutgers.edu.org.com. What is that all about? Also, sometimes ….dnserror. Even when trying to go to some site like http://www.yahoo.com. My neighbor said the other tenants in his building have Comcast business and all last week were down and had their computer consultant there for days.
@Scott: I’m interested in this. It might be a malfunctioning Web proxy at Comcast. But I wouldn’t be too quick to point a finger at them, because it also might be something on your own computer. For example, it could be a toolbar, a malfunctioning “security” program that’s trying to filter the links on Web pages you view, or spyware that’s modifying links on those pages. One thing I can say with assurance is that the problem is almost certainly not DNS redirection. DNS redirection doesn’t modify links on Web pages.
Could you go to one of the pages with bad links, select “View/Page Source” or “View/Source” in your browser, and e-mail me the resulting file as an attachment? You can e-mail me as brett (insert an “at” sign here) lariat.net.
@Brett — Comcast does not operate web proxies.
@Scott — Sounds like you have more of a connectivity problem. Please contact customer service or email your contact info to we_can_help@cable.comcast.com.
Jason
Jason:
If there are no proxies upstream of him at Comcast, it might be one on his own machine. Many programs insert proxies between the user and the Web — to block malware, for example. It could even be a security program gone wrong.
–Brett