finding authoritative nameservers

Ronald F. Guilmette rfg at tristatelogic.com
Mon May 19 19:14:22 UTC 2008


In message <4831752B.4080801 at cohtech.com>,
Howard Wilkinson <howard at cohtech.com> wrote:

>I wrote my own code because I needed to then go on to process data 
>loaded from all the candidate servers including all parent servers, 
>hence I wanted a wide and deep trace. The "load balancers" are one of a 
>class of DNS interceptors that we have seen placed in the path to other 
>internet servers by ISPs and corporate infrastructure engineers. These 
>will defeat any approach to try to get "accurate" information as the DNS 
>requests can be intercepted and rewritten by such devices to use locally 
>cached or invented information. Not a common problem but can be 
>extremely confusing/irritating when you hit one you did not expect.

This isn't relevant to my original post... or even, arguably, to this
thread... but since you brought it up...

Like many others, I have been suitably horrified at the way some service
providers are taking liberties with DNS query responses.  I have felt
reassured however by reports that the various Bad Effects caused by such
flagrant tampering with the DNS were limited in scope to just the poor
sods who had themselves elected to make use of whatever nameservers their
respective service providers told them to use, and that thus, I had
nothing to worry about, since I run my own nameservers.

But since we're on the subject, I just thought that I would ask... is
this really true?  Am I really safe from deceptive (and arguably
incorrect) DNS responses if I'm running (and consulting) my own 
nameservers?

The reports I've read so far indicate that the answer is "yes"... at
least for now.  But I have a really Bad Feeling that it may not be very
long before we start seeing greedy service providers implementing
``transparent'' proxying of port 53 UDP/TCP in conjunction with some
scheme similar to what some providers have already implemented, i.e.
a scheme to give back DNS responses of the service provider's choice...
ones that suit the service provider's business objectives (i.e. making
more money by cashing in on more eyeballs & clicks).


Regards,
rfg


P.S.  With 20/20 hindsight, I think that we can all now safely say that
Eugene Kashpureff was an amateur.  These days, it appears that the real
professionals are moving in to take his place.

P.P.S.  To hell with ``net neutrality''.  How about ``net transparency''?
If a service provider decided to implement its own, mostly transparent
proxying of outbound DNS queries from its entire network, then that provider
could pretty easily redirect _any_ effort to communicate with _any_
site identified by a name, rather than a number to any _different_ site of
the provider's choosing... sort of like BIND9 `views', only the provider
could change the view that their customers have of pretty much the entire
Internet at will.
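The question above (is a site that runs and consults its own nameservers safe from transparent port-53 proxying?) can be tested rather than assumed. The following is an added example, not part of the original message or of BIND itself: it builds a minimal DNS A query on the wire, parses the A records out of a reply, and compares three probes: one to your own recursive resolver, one sent directly to a zone's authoritative server, and one sent to an address that should not be running DNS at all. A reply from that last address, or disagreement between the first two, is the signature of the interception the post describes. The addresses and the queried name are placeholders to be replaced with your own.

```python
"""Detect transparent port-53 interception by comparing answers from several paths.

Added example for the bind-users discussion above; not code from the original
message or from BIND. All IP addresses used here are placeholders.
"""
import socket
import struct


def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for `name` in DNS wire format."""
    # flags 0x0100: RD (recursion desired) set; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                    # root label: end of name
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the sorted list of IPv4 addresses in the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                       # skip RDATA of any record type
    return sorted(addrs)


def classify(local_answer, authoritative_answer, bogus_answer):
    """Judge the three probe results.

    local_answer:          A records from your own recursive resolver
    authoritative_answer:  A records from a direct query to the zone's nameserver
    bogus_answer:          A records from a query to an address that runs no DNS;
                           None (no reply at all) is the only clean result
    """
    if bogus_answer is not None:
        return "intercepted: a non-DNS address answered on port 53"
    if local_answer != authoritative_answer:
        return "divergent: local resolver and authoritative server disagree"
    return "consistent"


def probe(server_ip, name, timeout=2.0):
    """Send one UDP query; return the parsed A records, or None if nothing answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
        return parse_a_records(data)
    except socket.timeout:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    # Placeholders: your resolver, one of the zone's NS addresses, and a host on
    # your own network that is known to run no DNS service.
    NAME = "example.com"
    print(classify(probe("127.0.0.1", NAME),
                   probe("192.0.2.1", NAME),
                   probe("192.0.2.2", NAME)))
```

The third probe is the decisive one: a host that runs no DNS service should never produce a reply, so any answer at all (even NXDOMAIN) means something on the path is answering port 53 on its behalf. Disagreement between the first two probes is weaker evidence on its own, since legitimate round-robin or geo-based answers also differ, so compare a name whose authoritative answer you control.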

