[dns-operations] A DNS and network security forced marriage

Andrew Sullivan ajs at shinkuro.com
Fri Mar 12 19:43:13 UTC 2010

On Fri, Mar 12, 2010 at 10:16:30AM -0800, Joe St Sauver wrote:

> I should also mention that there are already a number of ISPs 
> that have implemented this strategy, this is not something novel that
> I've just personally come up with -- ISPs do it because it works,
> is cheap to implement, and can easily accommodate users who want to 
> opt out. 

If it were true that ISPs easily accommodate users who want to opt
out, then I'd be delighted.  But in fact what happens is that you have
to do extra work on the client side every time you reconnect to the
network, because the DNS servers handed out by DHCP along with your IP
address are the ISP's DNS-mangling ones.

Moreover, the mangling (in my experience) causes all manner of
surprising failure modes.  For example, I briefly needed to use Rogers
here in southern Ontario, Canada, last year as my ISP.  From time to
time, the lousy little temporary gateway I had set up would go
berserk, forget about the DNS server I'd configured for it, and
connect again using the Rogers DNS interceptor/mangler.  One of the
sites that Rogers considered dangerous was tools.ietf.org.  (I had a
lot of failures from them, but this one in particular drove me batty.)

Finally, it's worth noting that the interception strategy simply won't
work at all with DNSSEC, so all the interceptions will read as DNSSEC
validation failures rather than as legitimate interceptions. 


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
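Added example (editor's code, not part of the thread above) of the DNSSEC point Andrew makes in his last paragraph: a reduced model of RFC 4034 RRset signing and validation using Ed25519 (DNSSEC algorithm 15, RFC 8080, which postdates this 2010 post), in Go because crypto/ed25519 is in the standard library. It signs one A RRset the way a zone signer would (RRSIG RDATA minus the signature, then the RRset in canonical form), then shows that an interceptor which rewrites the address to its block page, or drops the RRSIG, produces an answer a validating resolver marks bogus rather than a "legitimate interception". Everything concrete is constructed: 192.0.2.10 and 198.51.100.1 are documentation addresses standing in for the real tools.ietf.org address and the ISP's block page, the key tag 12345, signer name and March 2010 validity window are made up, and the DNSKEY/DS chain of trust, key-tag derivation and wildcard handling are omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"sort"
	"strings"
)

const TypeA, ClassIN uint16 = 1, 1
const AlgEd25519 uint8 = 15 // DNSSEC algorithm number for Ed25519 (RFC 8080)

// RR is a minimal resource record; the class is always IN.
type RR struct{ Name string; Type uint16; TTL uint32; Rdata []byte }

// RRSIG holds the RRSIG RDATA fields of RFC 4034 section 3.1.
type RRSIG struct {
	TypeCovered, KeyTag            uint16
	Algorithm, Labels              uint8
	OrigTTL, Expiration, Inception uint32
	SignerName                     string
	Signature                      []byte
}

// wireName: canonical wire form, lower-cased length-prefixed labels, zero octet at the end.
func wireName(name string) []byte {
	var b bytes.Buffer
	for _, label := range strings.Split(strings.ToLower(name), ".") {
		if label != "" {
			b.WriteByte(byte(len(label)))
			b.WriteString(label)
		}
	}
	b.WriteByte(0)
	return b.Bytes()
}

// signedData is what is signed and verified: RRSIG RDATA minus the Signature field, then
// each RR as owner|type|class|OrigTTL|rdlength|rdata, sorted by RDATA (RFC 4034 3.1.8.1).
func signedData(sig *RRSIG, rrs []RR) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, sig.TypeCovered)
	b.Write([]byte{sig.Algorithm, sig.Labels})
	binary.Write(&b, binary.BigEndian, []uint32{sig.OrigTTL, sig.Expiration, sig.Inception})
	binary.Write(&b, binary.BigEndian, sig.KeyTag)
	b.Write(wireName(sig.SignerName))
	sorted := append([]RR(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return bytes.Compare(sorted[i].Rdata, sorted[j].Rdata) < 0 })
	for _, rr := range sorted {
		b.Write(wireName(rr.Name))
		binary.Write(&b, binary.BigEndian, []uint16{rr.Type, ClassIN})
		binary.Write(&b, binary.BigEndian, sig.OrigTTL)
		binary.Write(&b, binary.BigEndian, uint16(len(rr.Rdata)))
		b.Write(rr.Rdata)
	}
	return b.Bytes()
}

// SignRRset produces the RRSIG a zone signer publishes beside rrs.
func SignRRset(priv ed25519.PrivateKey, keyTag uint16, signer string, rrs []RR, inception, expiration uint32) *RRSIG {
	sig := &RRSIG{
		TypeCovered: rrs[0].Type, Algorithm: AlgEd25519,
		Labels:  uint8(strings.Count(strings.Trim(rrs[0].Name, "."), ".") + 1),
		OrigTTL: rrs[0].TTL, Expiration: expiration, Inception: inception,
		KeyTag: keyTag, SignerName: signer,
	}
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs))
	return sig
}

// Validate returns "" when the answer verifies, otherwise why a validator calls it bogus.
func Validate(pub ed25519.PublicKey, rrs []RR, sig *RRSIG, now uint32) string {
	switch {
	case sig == nil:
		return "bogus: zone is signed but the answer carries no RRSIG"
	case now < sig.Inception || now > sig.Expiration:
		return "bogus: RRSIG outside its validity period"
	case !ed25519.Verify(pub, signedData(sig, rrs), sig.Signature):
		return "bogus: RRSIG does not verify over this RRset"
	}
	return ""
}

// RunScenario signs a constructed tools.ietf.org A record with a fresh key, then validates the
// genuine answer, the answer after an interceptor rewrote the address, and that rewrite without RRSIG.
func RunScenario() (genuine, rewritten, stripped string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	orig := []RR{{Name: "tools.ietf.org.", Type: TypeA, TTL: 1800, Rdata: []byte{192, 0, 2, 10}}}
	sig := SignRRset(priv, 12345, "ietf.org.", orig, 1_268_000_000, 1_270_000_000)
	now := uint32(1_268_500_000) // mid-March 2010, inside the constructed validity window
	fake := []RR{{Name: "tools.ietf.org.", Type: TypeA, TTL: 1800, Rdata: []byte{198, 51, 100, 1}}}
	return Validate(pub, orig, sig, now), Validate(pub, fake, sig, now), Validate(pub, fake, nil, now)
}
```

Calling RunScenario() yields an empty string for the genuine answer and a "bogus" reason for both intercepted variants; a validator that has a trust chain to the zone's DNSKEY never sees a block-page address, only SERVFAIL (or a bogus result), which is exactly the failure mode described above. Because the canonical form is sorted by RDATA, a resolver can still validate an RRset whose records arrive in a different order; only the contents are pinned.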
