:. ... Steven Ericsson-Zenith ... .:


June 23, 2008

Twitter Benefits: DNS Advantage Response

This post is about my complaints on Twitter last week concerning recent changes to Neustar's DNS Advantage and a query I have as a result from Vincent Lee, a product manager at Neustar.

It comes as a surprise to me that I get more responses from companies by micro-blogging than I have ever had by regular blogging. When I recently commented on the Plaxo acquisition, a senior marketing executive sent me a tweet to allay my fears; he failed. When I noted concern about the future of Six Apart, Anil, their senior marketing exec, was prompted to reassure me. He failed too. Six Apart are so dead IMHO.

This morning I received a note from Vincent Lee, via LinkedIn, asking me about the problems I had with DNS Advantage last week and I sent the response that I have attached at the end here.

We are AT&T customers using a fast Business DSL connection in Sunnyvale. We moved to DNS Advantage because we had experienced severe delays in DNS resolution on our AT&T DSL connection using their DNS and frequently work had been interrupted because the DNS is poisoned by Oversee. As I note in my response, whether this poisoning is the product of a legitimate agreement with AT&T or the result of Oversee hacking is not clear to me.

This mostly affects web browsing, especially introducing delays when you move between domains, but as you will see in my response to Neustar there are other problems that can occur.

What happens exactly? Well, when a domain cannot be resolved the poisoned DNS returns a bogus address effectively redirecting your web navigation to an Oversee page which contains advertising links. This is bad enough, but the real problem is that the poisoning frequently hijacks legitimate domains claiming to be a page generated by that domain.

I suspect this occurs because they circumvent the DNS caching and the primary DNS is temporarily unresponsive so they think, wrongly, that you have entered a false address. I have personally experienced this even in the middle of a site in which the page was working perfectly fine and then miraculously changes to an Oversee spam page that hijacks the domain (it claims to be served from the same address). The way to fix this problem temporarily, BTW, is to clear your local DNS cache and force a new query.

This occasional latency in the DNS network is a problem that you are usually protected from by the DNS caching architecture which is not sensitive to first level latencies.

This has been a problem for a long while. I had researched the problem quite extensively, even tracking down the Oversee office in LA from which this all occurs, and I finally saw DNS Advantage as a potential solution.

How can you detect the problem on your own network? Well, simply type into your browser a domain name that is unlikely to exist in the DNS. Try this: http://iam.foobar.com. If you get a bogus search page that pretends to be from this domain, then your DNS is poisoned. Just in case they start filtering this domain, try one or two names of your own invention.
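The same check can be scripted so that the invented names are random and cannot be filtered. The following is an added example, not code from the original post; the function names are hypothetical, and it assumes the machine's configured resolver is the one under test.

```python
import secrets
import socket
from collections import Counter

def random_probe_names(count=3, suffixes=("invalid", "com")):
    """Invent names that should not exist. '.invalid' is reserved and never
    delegated; a 24-hex-digit label under '.com' is almost certainly unregistered."""
    return [f"{secrets.token_hex(12)}.{s}" for s in suffixes for _ in range(count)]

def system_resolve(name):
    """Addresses the OS resolver returns for name; empty set if it fails."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_nxdomain_rewriting(names, resolve=system_resolve):
    """Resolve names that should fail and report any that got an answer."""
    hijacked = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            hijacked[name] = sorted(addrs)
    # The same address answering unrelated bogus names is the landing server.
    seen = Counter(a for addrs in hijacked.values() for a in addrs)
    landing = sorted(a for a, n in seen.items() if n > 1)
    return {"rewritten": bool(hijacked), "hijacked": hijacked, "landing_addresses": landing}

if __name__ == "__main__":
    report = check_nxdomain_rewriting(random_probe_names())
    if report["rewritten"]:
        print("Resolver answers for names that should not exist:")
        for name, addrs in report["hijacked"].items():
            print(f"  {name} -> {', '.join(addrs)}")
        print("Likely landing servers:", report["landing_addresses"])
    else:
        print("All invented names failed to resolve, as they should.")
```

Run it once on each resolver you are comparing; an answer for any `.invalid` name means the resolver is substituting its own address for a failed lookup.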

I'll leave the rest to my response to Vincent Lee.

===
Hi Vinny,

I will be happy to talk with you. Essentially what happened is twofold.

First, DNS Advantage broke all internal domain resolutions of the form machine.local on Apple networks. We rely on these domains to enable connectivity to our central database. So we noticed the problem because my writing assistant could not start her work of the day. We were compelled to move from DNS Advantage to continue our operations.

Second, we moved to Advantage DNS to avoid the DNS poisoning of Oversee. Whether Oversee do this poisoning legitimately in an agreement with ATT or not is something I am not aware of. This poisoning of the DNS has proven over time to be unreliable and frequently "hijacked" legitimate domains for periods, hindering our work.

DNS Advantage began redirecting unidentified domains to unsolicited advertising in the same way - the very thing we sought to avoid. In my mind this is an unforgivable abuse of the DNS system. The OpenDNS exploitation of its service appears less intrusive. But I am cautious about it also.

With respect,
Steven

Comments

You should give OpenDNS a shot. We do smart things like not applying typo correction to ".local" by default. You can also add your own domains to a whitelist if needed, or turn typo correction off completely. You might find this to be an interesting read: http://www.enterprisenetworkingplanet.com/netsp/article.php/3727951

Thanks Mike.

We are, in fact, now using OpenDNS and I plan a later post to discuss it. So far, I am very happy with OpenDNS. It provides real value added services.

It just needs to stay on the side of the good! :-)
