BIND Strikes Back Against VeriSign's Site Finder

BrunoC writes "Following the story about VeriSign's new Site Finder, the Internet Software Consortium promises to release a patch to its (in)famous BIND that will block the controversial Site Finder. Wired News has full coverage of the ISC initiative against this name resolving atrocity."

Excellent!

[Ratface (21117)]

Tereby helping to prove the old adage that the Internet will just route around regulation! (OK, it's not strictly regulation, but with any luck Verisgn will find that "controlling" the underlying technology of the Internet is not as easy as they first though).

Good for BIND

[Empiric (675968)]

Good... Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner, with no significant work at all on their part. Taking the whole DNS stack and turning it into a profit center by redirecting it at your whim across the entire internet, is outrageous.

Re:Good for BIND

[by Anonymous Coward]

At least they could have directed us to some decent pr0n instead.

Re:Good for BIND

[AKnightCowboy (608632)]

Verisign's actions here are a particularly heinous form of "embrace-and-extend". Here, they're "embracing" an entire technology freely provided to them, and "extending" it in a blatantly proprietary manner

I hope BIND makes it configurable enough to kill off the .cc and .ws wildcards as well.

Re:Good for BIND

[aborchers (471342)]

And the BIND solution is an excellent response in the spirit of the network's self-healing nature. I'd rather see it solved this way than through a bunch of law suits that benefit none but the attorneys.

I can't help but think of the contraversy over deep linking and how all those stupid suits could have been avoided if server operators would have just detected the referer header and bounced deep links back to the home page...

Re:Good for BIND

[Joe U (443617)]

Then start running the new BIND and also contact your local Attorney General. I did.

Explain how they are in violation of the Anti-Cybersquatting laws, and have broken their contract with the Department of Commerce regarding the whois database. Mention how it's abuse of a monopoly power.

Make the states get involved, not the private attorneys.

Re:Good for BIND

[aborchers (471342)]

As UU7 just pointed out, the idea is to redirect requests with foreign headers to the front door. The vast majority of modern clients will send the header, and if it is blank, you can either elect to let them have the page, or force them to the front door and set a cookie.

If someone is so gung ho about privacy that they disable the referer header and refuse cookies, then they must accept that sites with policies that require them to come through the front door and accept a token will be unavailable to them. Publishers are under no obligation to provide their material without at least a nominal quid pro quo from the user.

Bug your ISP

[jez_f (605776)]

As soon as a patch comes out, bug your ISP to sort out their DNS servers. Try and nip this thing in the bud
Interesting that BIND only runs 80% of DNS servers, what is the other 20% made up of?

Re:Bug your ISP

[doon (23278)]

We are a bind shop, But I know othesr that run

• TinyDNS [cr.yp.to]
• Power DNS [powerdns.com]
• NSD [nlnetlabs.nl]

Really depends on if you need a Recursive Caching server or just an Authoritive Server.

Here is ISC's web page for delegation Only zones

[doon (23278)]

http://www.isc.org/products/BIND/delegation-only .h tml

Internet standards humor alert

[mwise (16339)]

"VeriSign did not respond requests for comment."

Isn't that what caused the problem in the first place?

Thanks, I'll be here all week!

Re:Internet standards humor alert

[AndroidCat (229562)]

"VeriSign did not respond requests for comment." Strange that requests for comment didn't end up at 64.94.110.11.

Is a Technology solution ALWAYS better than law?

[henley (29988)]

OK, I'm in favour of working-around the problem in classic

The internet interprets {badthing} as damage and routes around it

..fashion, and I'll be installing a patched bind whenever I can.

But I'm really concerned that this effectively lets VeriSign get away with it. They've bust everyone's trust folks, doesn't anyone care? This sort of activity in a social context (umm... let's see if we can construct a tortured metaphor: ...uhhh..: Your friend asks for your cousins's phone number and you instead give them the phone number of your shop. Reasonable?) would result in the perpetrator being ostracised fairly quickly, if not actually slapped about by a clue-by-four. It's flat out antisocial behaviour, never mind any legalities.

Here, since these buggers appear to hold us all over a barrel with the root domains, we can't just ignore them, and invoking legal recourses is at best slow and expensive. But what about appeal to the authorities that granted them those rights?

Um, the more I rant about this the closer I get to thinking a better solution is switching to an alternate root... Best head off to google again then, I know there's a way around this...

TRUST

[Craig Ringer (302899)]

This is especially critical given that Verisign's business is supposedly trust. They sell SSL certificates, and the only way they can claim they're better to use for them than (say) I am, is that they have an established record of security procedures and trust.

Had trust. Who can take them seriously now?

Re:Is a Technology solution ALWAYS better than law

[Neil Watson (60859)]

I think the anology you are looking for is:

You dial a wrong number on your phone and a local telephone carrier answers and begins to try and sell you long distance and local services.

link to patch and example

[jcurious (3000)]

upgrade can be found here:
http://www.isc.org/products/BIND/delegation -only.h tml

There is no need to create a com or net data file. Just the
entries to the named.conf file is enough
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };

Ofcourse, if you use views, this needs to be provided within the relevant
view (the one performing recursive lookups).

quote from:
http://marc.theaimsgroup.com/?l=bind9-users &m=1063 79587928771&w=2

For TinyDNS / dnscache users

[pgregg (185457)]

Russell Nelson has a patch [tinydns.org] for tinydns [tinydns.org] which does the same thing.

He also notes that several other TLD operators for the same thing and has another patch [tinydns.org] that allows you to do the same thing to several naughtly tld operators at once.

The new versions of BIND are already available

[Raphael (18701)]

Although the news are not on the BIND page [isc.org] yet, patches for the current versions 9.2.2 and 9.1.3 are already available. Only 9.2.3rc2 is currently listed on the page (as of this writing).

You can get the details from the bind-announce list archives:

• 9.2.2-P1 [theaimsgroup.com]
• 9.1.3-P1 [theaimsgroup.com]
• 9.2.3rc2 [theaimsgroup.com]

All versions were released a few hours ago. Here is the common paragraph at the top of these three messages:

In response to high demand from our users, ISC is releasing a patch for BIND to support the declaration of "delegation-only" zones in caching/recursive name servers. Briefly, a zone which has been declared "delegation-only" will be effectively limited to containing NS RRs for subdomains, but no actual data outside its apex (for example, its SOA RR and apex NS RRset). This can be used to filter out "wildcard" or "synthesized" data from NAT boxes or from authoritative name servers whose undelegated (in-zone) data is of no interest.

Have fun downloading and installing!

Re:The new versions of BIND are already available

[boojit (256278)]

And here's a helpful posting [theaimsgroup.com] on how to use the new patch.

DaC

MX Problems

[tinla (120858)]

So you have 2 mail servers with mx priorities as follows:

mail.someplace.com 10
mail.otherplace.com 20

if your someplace.com domain expires (hey, it happens) all your mail bounces thanks to verisigns ace "Snubby Mail Rejector Daemon v1.3". The backup mx record, which is there to cover failures like domains expiring, is never tried. In the 'real' world.. where lookups on dead domains fail... the backup server would be used.

Thats a bigger problem than all this spam checking people are getting worked up about. If they both had priority 10 (a simple load balancing arrangement) then half your mail would bounce and half would be ok.

Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

Re:MX Problems

[MrMickS (568778)]

Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

80% of the DNS servers are BIND. The more of these that get patched the less of a problem redirected email becomes. The patch to BIND shouldn't be the only action taken but anything that helps is good. A change to BIND helps.

Re:MX Problems

[TheViewFromTheGround (607422)]

Some improvement! Patches to BIND aren't the answer. Verisign need to be made to stop breaking the internet.

There's been this silly thread in this conversation that stakes out two sides. Either a) fix anti-social, monopolistic behavior with technology, or b) fix it with laws and legal action. This is a moronic dichotomy. A technological solution mitigates the immediate problem while the lawyers have time to file their briefs and sort out the damage done. A combination of technical solutions and legal action is a possibility and even a sometimes a Good Thing, not some binary choice.

Who will agree?

[200_success (623160)]

The interesting question is, will enough people pick up the patch, so that Verisign will see their efforts wasted? This will only happen if the distros redistribute the patch.

Will the Linux distros provide updates to BIND that include the patch? (I bet yes.) Will Sun, the dot in .com, update Solaris? (This is harder to guess.) As for Microsoft, I think they will sneak in a patch, to Internet Explorer only, the next time they issue an "urgent" security patch -- though their motive is purely to protect their MSN Search revenue.

DJBDNS already has a patch [djbdns.org] available.

ISPs Will Soon Send You To Their Own Site

[by Anonymous Coward]

ISPs running DNS will certainly disallow this redirection to VeriSuck.

But soon thereafter, if not immediately, they'll start directing their customers to their own search site, or whatever search site they're paid to send them to. Or maybe some ISPs already do this?!

We need an RFC stating that this is not permissable.

Heh, maybe as a byproduct we'll see public DNS servers pop up. "Use us for free, but occasionally we will send you where /we/ want you to go."

It's a trick...

[mseeger (40923)]

Hi,

this is just a trick. They just want to get rid of all those obsolete BIND-versions out in the internet.

So they did this to goat all admins into patching their bind.

Tricky they are...

Regards, Martin

Sign the online petition to get ICANN into action

[by Anonymous Coward]

ICANN might be able to force VeriSign to get this off the net
http://www.petitiononline.com/icanndns/ [petitiononline.com]

Have your say

[turg (19864)]

Is Stratton D. Sclavos doing a good job as CEO of Verisign? Vote yes or no in this Forbes.com poll [forbes.com].

Also, here's a petition [petitiononline.com] that may also be of interest.

use their T&C against them...

[by Anonymous Coward]

as suggested by Abby Patel at http://www.theregister.co.uk/content/6/32872.html

However, it seems that the T&C's might help us to stop this abuse. If you do not agree to the T&C's the only option they have is to not redirect your netblock to their site. So, give them a call on 0800-032-2101, select 2 to speak to their support department and once you get a human, tell them that you don't agree to their T&C's and can they remove your netblocks!

So lets /. them and see how many netblocks they end up excluding.

Google

[Spazmania (174582)]

And not to be outdone by Verisign, Google has added a default route to the global BGP table which brings any formerly unroutable web traffic to their search engine.

NOT!

Not Trustworthy

[Michael_Burton (608237)]

With it's digital certificate business, Verisign started as a company that dealt in trust. That was the heart of their business. Now it's hard to think of a company I trust less than Verisign.

For this stunt, they should lose their authority to register domain names. This company should never be allowed to touch internet infrastructure.

Re:Sqatting

[richie2000 (159732)]

Oh well, it was bound to happen at some point...

The .nu [whatevercrap.nu] domain registry has been doing this for years.

Re:Yeah, only SPAM, sure.

[by Anonymous Coward]

Actually, you do not get anything at the moment. 64.94.110.11 is currently not responding, no doubt under a deluge of requests. While this isn't such a big deal for those who have mistyped a domain name in their browser, it will certainly cause a hell of a problem for mailers around the globe. Remember that Verisign have set up "dummy" mailer deamons on port 25 to ensure mis-directed mail got bounced immediatly, rather than sit in the mail queue? Well now the mailers can't contact that dummy deamon, and the mail is building up in the queues.

I hope some large ISP's bring action against Verisign for breaking their email systems like that.

In the meantime, if you want to help keep Verisigns SiteFinder off the internet, try this simple script in a while loop:

#!/bin/sh
function get_char(){ local GOOD=0;while [ $GOOD == 0 ];do RAND_C="$(dd if=/dev/urandom bs=1 count=1 2>>/dev/null)";if [ $(echo "$RAND_C" | grep [0-9A-Za-z]) ];then GOOD=1;fi;done;};function get_string(){ local INDEX=0;while [ $INDEX != 32 ];do get_char;RAND_STR[$INDEX]=$RAND_C;let INDEX++;done;};get_string;URI=$(echo "${RAND_STR[@]}" | tr -d ' ');wget -O - $URI.com >>/dev/null 2>>/dev/null;exit 1

Re:Yeah, only SPAM, sure.

[AKnightCowboy (608632)]

So BIND blocks this won't Verisign just make another "patch" and fix the glitch?

Not if they make it in a configurable way to let you choose what IP Verisign is redirecting to. Then again, Verisign is a bunch of Dope Smoking Pedophiles [dopesmokin...philes.com], as referenced by this Internet Web site they have registered. Let's not forget they're also a bunch of Clueless DNS whores [cluelessdnswhores.com]. Oh yes, and I heard Verisign supports terrorists at this page: here.. [weloveinte...rorism.com].

Verisign needs to be shut down for these un-American and clearly criminal web sites. Someone notify John Ashcroft, quickly!

Re:Yeah, only SPAM, sure.

[Zocalo (252965)]

Actually, ISC as been smarter than that. What they have done is allow certain domains to be designated "delegation only". That means, in a nutshell, you can specify for instance ".net" and ISC will automatically return NXDOMAIN for anything other than an NS pointer at that level. This in effect will wipe out wildcarding at the TLD/GLD levels for which it is configured, and if you wished you could even extend it to block wildcarding of things like "*.uk.com".

Re:Yeah, only SPAM, sure.

[dm(Hannu) (649585)]

Transposing letters is not (and never has been) the 'Slashdot effect'.

Exactly. The correct term for this is Sldahost efcfet [slashdot.org]

Re:How will this work?

[mccalli (323026)]

I assume the patch will filter requests, which resolve to the site-finder IP...

I'd say that's quite an assumption. Were I coding this patch, for example, the IPs for which to return NXDOMAIN would be specified in a config. That config would be able to take single IPs and also ranges.

...so what's to stop VeriSign simply changing IPs every so often?

I wouldn't write this off as ineffective yet. We need to see what methodolgy is being chosen before we can comment on its technical effectiveness.

Cheers,
Ian

Re:How will this work?

[close_wait (697035)]

I assume the patch will filter requests, which resolve to the site-finder IP, so what's to stop VeriSign simply changing IPs every so often?

No, the patch doesn't do filtering in that sense. It just allows you to mark some zones in your BIND config file (such as .com and .net), that should only contain delegation information. So basically if your BIND server recieves back A record(s) rather than NS delegation records from a server authoritative for .com , BIND simply ignores it.

Simple and elegant, and nothing Verislime can do about it. (I hope.)

Re:How will this work?

[Paul Jakma (2677)]

That approach is fucking dangerous.

Why? Glue records. You are _meant_ to receive certain As from the parent servers of a domain delegated to nameservers which live within its own namespace.

However, you're missing a crucial part: when you ask the delegating server for the NS records, the glue A records are given out in the additional section, not in the answer section.

The ISC patch disregards /authoritative/ non-apex data from zones configured as delegate only. however, it can still make use of additional data (ie glue). Glue records are never queried directly AFAIK when a DNS server is sending queries to determine the set of authoratitive servers for a zone, so the patch does not cause any problems.

Re:very cool.. dnscache?

[Torne (78524)]

Yep, the patch for dnscache by veteran Russ Nelson is here:
tinydns.org/djbdns-1.05-ignoreip.patch [tinydns.org]

Patches

[achurch (201270)]

Patches for DJBDNS and lots of other daemons here [imperialviolet.org].

Re:very cool.. dnscache?

[richard-parker (260076)]

Does anyone know how to do this with DJBDNS?

A list of patches for various name servers can be found here [imperialviolet.org].

Unfortunately the djbdns patch at that URL is not as elegant as the official patch from ISC for BIND. Unlike the ISC BIND patch, the djbdns patch does not support the declaration of "delegation-only" zones. Instead, it adds support for the rather crude technique of converting an A record response containing an operator specified IP address (which you would currently set to 64.94.110.11) into a NXDOMAIN response.

Re:ISC ROCKS

[AKnightCowboy (608632)]

That's fucking awesome! The ISC rocks. Verisign has no right to abuse their position like that. Way to go for people fighting the power!

I said it a long time ago, but there's a very simple way to fix this problem. Alternic was offering a solution 7 or 8 years ago for the Network Solutions monopoly. If BIND decided to distribute a seperate set of root servers in a cache file and enough ISPs used it the Internet DNS system as we know it today could change overnight. ;-) There is NOTHING giving ICANN or Verisign any power except our own complacency to not change a single file in our DNS server. It's laziness.

Re:Soundex into BIND!

[AKnightCowboy (608632)]

The most important one, IMHO, is to compute a list of close matches and present these choices to the user. They may use the Soundex algorithm or some other tricks to see if characters are transposed, if one characters is wrong, if one is missing, etc. If well implemented, this would solve 60% of the problem.

NO NO NO NO NO NO NO! DNS is a directory service for god's sake, not a god damn search engine. If you want a search engine then go to Google like everyone else does. If people are too stupid to assume typing in "www.whitehouse.com" will take them to the White House's homepage then they deserve to get tits in the face. Type in White House in Google, hit feeling lucky and you'll get the right page right off. DNS maps domain names to IP addresses and vice versa, nothing more. Don't pervert it into some god damn spell checking search engine.

Re:didn't they already do that?

[AKnightCowboy (608632)]

I seem to remember certain 'default' browser settings, that would automaticly re-direct unknown queries to a related MSN search page.

Having an application do that is completely different than having what is essentially one of the only Internet "utilities" do it without your consent. Redirecting queries is the job of an application, not the DNS root servers. There's a reason looking up non-registered domains returns an NXDOMAIN, because the RFC says it is should!

Re:Advice on switching to another registrar

[jlusk4 (2831)]

Good point, they *do* already have your money. Stay with Verisign (until your registration expires), but make a lot of support calls. (After all, you've paid for their sterling support.) Especially about this wildcard thing. I'm already forgetting exactly what it is, maybe you are, too. I'm sure they'd be happy to explain it to you, and why it's not bad. And if you forget again after a month or two, they'll be happy to discuss it with you again. And any other questions you might have, like how to set up a mail server alias thingy.

John.

Re:Lot of fuss about nothing

[by Anonymous Coward]

We're not talking about you and your little web browser, we're talking about a major network provider breaking an important network infastructure component in a way which has already started to cause havoc across the internet. At the moment, the server they are using as a catch all is not responding to connections, which means that there "clever" solution to handle mis-directed email doesn't work. As a consequence, mis-directed mail has already started to pill up in mail queues while mail servers waste their time trying to contact the Verisign server.

Other services are also shit out of luck; Verisign only allowed for HTTP and SMTP. Anything else trying to connect to a non-existent domain is out of luck and will sit around until the connection timesout. Of course, if the server had just returned NXDOMAIN in the first place, as it should, you wouldn't have that problem.

Re:Lot of fuss about nothing

[j7953 (457666)]

MSIE has been doing this for ages, and I never found it to be a problem, but rather more helpful than the old "404 Not found" messages we used to see.

You don't get to see a "404 No Found" response if the server doesn't even exist. You'd usually get an error message (generated by IE) that says something like "www.invaliddomain.com doesn't exist." (that's what Mozilla displays, I don't know IE's message).

The 404 response is what you get when your browser could send a HTTP request to the web server, but the server couldn't find the page you were requesting. The response page is generated by the web server, so how helpful it is depends on what the web server admins have configured. Some pages will not simply return an error message but also include a search box, for example.

You type junk into an URL and you expect a civilized answer?

Well, yes, I expect a somewhat helpful error message. But that's not actually the point. The main problem with Verisign's move is that they are assuming (like you seem to do) that the purpose of the Domain Name System is to find the web server that a user is trying to contact when he types an URL into his browser. But DNS isn't used for the web only, it is used to associate names with IP addresses. You can then use the returned IP address for whatever protocol you want, DNS doesn't tell you whether or not the server with the returned IP supports that protocol.

For all protocols that run non-interactively (i.e. without a human sitting in front of the computer and interactively deciding what server should be contacted next, and interpreting the responses), Verisign's action means that if contacting a remote system fails, the computer can now no longer find out if it's due to a misconfiguration and will likely never work (if the other computer doesn't exist), or if it's just a temporary problem (if the other computer does exist but does not respond).

Re:the patch

[Spazmania (174582)]

That's the one.

Clever solution. They rigged it so that you can declare the .com zone as "delegation only." If you do, then your name server will only accept referrals from the .com servers (NS records and any associated glue).

So, if BIND makes a non-recursive query for www.verisign-is-really-bad.com from a server authorative for .com and it gets back an A record for 10.0.0.1 instead of an NS record for ns.verisign-is-really-bad.com, it responds to the host querying it with NXDOMAIN instead of the A record.

Verisign could work around this by replacing the A record with a wildcard NS record pointing to ns.sitefinder.verisign.com or some such, and then having that new name server return an IP address for any query made of it.

The question is: is Verisign willing to escalate the matter or will they back off?

Re:Has anyone..

[Oddly_Drac (625066)]

"I just did. I don't see what the fuss is."

Ah. Bless. Cuddle up nice and warm.

Verisign is the root domain authority. This is them overstepping bounds and trying to get into the search engine game, something which is 'forbidden' by ICANN. They're farming information that comes in, and if you'd read the handy terms and conditions, you'd notice some real oddity.

So, you type in a mispelled URL...what if your competitor is in their database but you aren't? Furthermore, what if they get the domain wrong? Verisign only has .net and .com and there's a world of other TLDs out there.

Then there's the email angle. They're running an MTA that barfs after the 550 for 'From: '. So they're grabbing 'legitimate' email addresses. Trust verisign? As a 'trusted' third party for certificate signing, they're supposed to remain impartial to a certain degree, except they're pushing webservices.

Re:What about the other 20%?

[hkmwbz (531650)]

Read the discussion: 80% runs BIND, what runs on the remaining 20%? [slashdot.org]