Domain Name (Dis)service

Submitted by Hannes Schmidt on Fri, 09/18/2009 - 09:41.

There are plenty of openly accessible DNS servers available that do name resolution for you. Most Internet providers run them for their customers. There are also DNS providers that encourage you to replace your ISP's name server with theirs. OpenDNS is one example. They even do it without charging you! But remember, hardly anything on the Internet is free. Someone will have to pay the bill. AFAIK, OpenDNS' business model is based on advertising revenue, so the advertiser pays the bill. This is how it works: If you accidentally type a URL with a nonexistent domain name, OpenDNS will resolve it to one of their web servers instead of returning an NXDOMAIN error. The web server will then serve a page with web search results related to the mistyped domain name and some advertisements.

Some people might see this as an additional service, but I beg to differ. I'd rather have my browser display a proper error message telling me that the domain name can't be found. What happens if an OpenDNS user mistypes a domain name in their email client's account setup? The error message they get will most likely be "connection refused", not "domain name not found". This is extremely misleading, especially for more advanced users, because it will make them think that the server is down instead of hinting at a DNS problem or a typo. Another example: the IP address that OpenDNS resolves nonexistent names to even responds to pings. It can't get any more confusing than that. Imagine you're an admin in a troubleshooting scenario. You just want to find out if a name resolves and the server is up. Ping is your tool of choice. "Hmm, the server seems to be up and reachable, the problem must be elsewhere," you think. Actually, it isn't. It's down but OpenDNS is just fooling you.

Update: Here's another scenario. A feature of the resolver libraries in most operating systems is to look up unqualified or semi-qualified names by expanding them using a configurable list of search domains. The resolver library prepends the unqualified name to each search domain in the list to create fully qualified candidates and performs a regular lookup for each candidate in turn. As soon as a candidate resolves, the resolver thinks it's done. Now guess what happens if OpenDNS is one of the configured name servers on your system. The first candidate resolves even though the second candidate is the correct one. The second candidate is never tried by the resolver. Depending on the particular resolver implementation and the order in which name servers are configured, this could happen more or less frequently.
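The search-list scenario above, modelled as an added Python example (not part of the original post, and a simplification of what real resolver libraries do). The zone contents, the ad-server address, the search domains and all function names are constructed for illustration; the last function is a check for NXDOMAIN rewriting that relies on names under the reserved `.invalid` TLD never existing.

```python
import secrets

# Constructed sample data: a tiny zone and a placeholder ad-server address.
ZONE = {"mail.corp.example.com.": "192.0.2.25"}
AD_SERVER = "203.0.113.80"  # documentation range, not a real OpenDNS address
SEARCH = ["lab.example.com", "corp.example.com"]  # assumed search-domain list


class NXDomain(Exception):
    """The queried name does not exist."""


def honest_dns(fqdn):
    """Name server that reports nonexistent names as NXDOMAIN."""
    try:
        return ZONE[fqdn]
    except KeyError:
        raise NXDomain(fqdn) from None


def rewriting_dns(fqdn):
    """Name server that answers nonexistent names with its own web server."""
    return ZONE.get(fqdn, AD_SERVER)


def search_lookup(name, search_domains, dns):
    """Search-list expansion: the first candidate that resolves wins."""
    tried = []
    for domain in search_domains:
        candidate = f"{name}.{domain}."
        tried.append(candidate)
        try:
            return dns(candidate), tried
        except NXDomain:
            continue  # only a real NXDOMAIN moves on to the next candidate
    raise NXDomain(name)


def rewrites_nxdomain(dns, probes=3):
    """Random names under the reserved .invalid TLD must never resolve."""
    for _ in range(probes):
        try:
            dns(f"{secrets.token_hex(8)}.invalid.")
            return True  # got an address for a name that cannot exist
        except NXDomain:
            pass
    return False


if __name__ == "__main__":
    for dns in (honest_dns, rewriting_dns):
        addr, tried = search_lookup("mail", SEARCH, dns)
        print(f"{dns.__name__}: mail -> {addr}, candidates tried: {tried}")
        print(f"  rewrites NXDOMAIN: {rewrites_nxdomain(dns)}")
```

With the rewriting server, the lookup stops at the first candidate and returns the ad-server address, so the correct `corp.example.com` candidate is never queried.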
