There is a good article from Paul Vixie about "What DNS is not" at http://queue.acm.org/detail.cfm?id=1647302. An extended version of Paul's article is featured in the December issue of Communications of the ACM.

Also we are having an interesting discussion on different technical forums about this and similar issues, where some ISPs are not only tampering with DNS traffic but using HTTP proxies to direct you to sites/pages of their choice when the original DNS response to a query returns that a given domain name or host does not exist. Doing that, a non-existent site such as hardcoreporn.icann.org can be redirected to whatever the ISP chooses.

This is really a very BAD practice, not only for technical reasons but also for the potential liability and damage they can create using a domain name that is not under their control, while the real domain administrator has not a bit of a clue that this is going on. Somebody also argued that this trick is letting them use domain names that do not exist without registering and paying for them, which also has huge security implications.

Let me give you a few examples to illustrate how this works and how far some ISPs are going with this. (dig is a tool we normally use on a Unix machine to query the Domain Name System.)

First example: using the name servers of my ISP (Time Warner/Road Runner) I'll look for address information for www.this-name-does-not-exist.com, which actually does not exist and should return NXDOMAIN. A non-tampered response should say:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

Instead the TWC/RR server says:

; <<>> DiG 9.6.1-P1 <<>> www.this-name-does-not-exist.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45528
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.this-name-does-not-exist.com. IN A

;; ANSWER SECTION:
www.this-name-does-not-exist.com. 10 IN A 24.28.193.9

;; Query time: 66 msec
;; SERVER: 24.93.41.127#53(24.93.41.127)
;; WHEN: Thu Nov 26 12:53:47 2009
;; MSG SIZE rcvd: 98

giving you the 24.28.193.9 IP address. If you try to connect with your browser directly to that address you will get a response saying that the page does not exist (classic HTTP 404 error), but if from your browser you try to go to the URL http://www.this-name-does-not-exist.com, your browser will connect to 24.28.193.9 and request the URL, which will land you on a Road Runner Yahoo search page with a list of sponsored links (people pay for them) and other links that may be related to the URL.

OK, the previous example is for a 2nd level domain that does not exist; let's see what happens if we try to go to hardcoreporn.icann.org.

; <<>> DiG 9.6.1-P1 <<>> hardcoreporn.icann.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54420
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hardcoreporn.icann.org. IN A

;; AUTHORITY SECTION:
icann.org. 10800 IN SOA dns1.icann.org. hostmaster.icann.org. 2009112305 10800 3600 1209600 86400

;; Query time: 64 msec
;; SERVER: 24.93.41.127#53(24.93.41.127)
;; WHEN: Thu Nov 26 13:20:08 2009
;; MSG SIZE rcvd: 91

The query returns NXDOMAIN from Time Warner's server 24.93.41.127 and shows dns1.icann.org as the authoritative server for icann.org. Nothing wrong here; at least this ISP respects the authoritative answer from the current domain administrator for that name.

But let's see how far other ISPs go, in this case Telefonica de Argentina (note: I had to ask a friend who is a customer of Telefonica to do the queries, because they filter queries to their name servers if you are not a customer). Let's look again for the address record for hardcoreporn.icann.org using Telefonica's server 200.63.155.204:

; <<>> DiG 9.6.1 <<>> hardcoreporn.icann.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;hardcoreporn.icann.org. IN A

;; ANSWER SECTION:
hardcoreporn.icann.org. 10 IN A 208.70.188.15

;; Query time: 265 msec
;; SERVER: 200.63.155.204#53(200.63.155.204)
;; WHEN: Thu Nov 26 16:45:59 2009
;; MSG SIZE rcvd: 78

As you can see, instead of returning NXDOMAIN like the server from Time Warner, in this case Telefonica returns the 208.70.188.15 IP address, which is a similar page with a Yahoo search box, etc.

This is extremely bad because Telefonica has no right whatsoever to say what names exist or not under the ICANN.ORG domain; also, while today they redirect you to a Yahoo search page, they can redirect you to whatever page/site they please, even create fake sites that people may assume are valid ICANN sites because they are under the ICANN.ORG domain.

What can be done then? (That's part of the discussion going on in NANOG and other technical forums, and related also to the memorandum from ICANN.)

First of all, ICANN has no contractual relationship with these ISPs, so there is no contract they can enforce to stop this crap. We can argue that this has to do with "preserving and enhancing the operational stability, reliability, security, and global interoperability of the Internet" as stated in ICANN's bylaws.

- Get DNSSEC deployed. While it is not a bullet-proof solution and has some burden and other side effects (like most US pharma products), we'll have the choice to only accept DNS responses that have a valid signature from the authority for a given domain.

- Class action suit "All Internet Users vs All Bad ISPs"; probably not feasible (EFF?).

- Disseminate information, raise awareness and create bad publicity for ISPs doing this?

- Bypass the ISP name servers and use servers that don't do this? Doable for a power or savvy user, but I'd not know how to tell grandma how to configure her resolver, and also some ISPs even filter DNS traffic to other servers so you are forced to use theirs.

Regards
Jorge

PS. Happy Thanksgiving to those who celebrate Turkey Day today.
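The following is an added example and is not part of Jorge's post. It shows, at the wire-format level, what the dig output above is reporting: an honest "does not exist" answer carries RCODE 3 (NXDOMAIN) in the 12-byte header, while a rewriting resolver returns RCODE 0 (NOERROR) with a short-TTL A record in the answer section. The parser decodes raw DNS responses, and `detect_nxdomain_rewrite` compares the ISP resolver's response against a trusted reference response (here, what the authoritative server would say). All sample messages are constructed in the code to mirror the three dig transcripts in the post; the message IDs and the authoritative NXDOMAIN responses are assumptions, not captured traffic.

```python
import struct

# Added example, not code from the post: parse raw DNS responses and tell an
# honest NXDOMAIN from an ISP-synthesized NOERROR answer.  Sample messages are
# constructed below to mirror the dig output in the post (addresses, TTLs and
# SOA values are the ones the post shows; message IDs are made up).

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, TYPE_SOA = 1, 6


def encode_name(name):
    """Encode a dotted name into wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, rcode, aa, answers=(), authority=()):
    """Build a minimal response to an A query; records are (owner, type, ttl,
    rdata) tuples.  Only used here to construct the sample messages."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode          # QR, RD, RA + RCODE
    if aa:
        flags |= 0x0400                               # AA (authoritative answer)
    msg = struct.pack(">HHHHHH", 0x4D2, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        msg += encode_name(owner) + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers (0xC0..).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and the answer/authority/additional sections."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            sections[section].append((owner, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "questions": questions, **sections}


def a_records(parsed):
    """Dotted-quad addresses found in the answer section."""
    return [".".join(str(b) for b in rdata)
            for _, rtype, _, rdata in parsed["answer"] if rtype == TYPE_A]


def detect_nxdomain_rewrite(isp_msg, reference_msg):
    """Returns (verdict, injected_addresses): 'honest' when the ISP resolver
    passed NXDOMAIN through, 'rewritten' plus the synthesized addresses when it
    turned NXDOMAIN into NOERROR, 'inconclusive' when the reference (trusted,
    e.g. the authoritative server) says the name does exist."""
    isp, ref = parse_response(isp_msg), parse_response(reference_msg)
    if ref["rcode"] != RCODE_NXDOMAIN:
        return "inconclusive", []
    if isp["rcode"] == RCODE_NXDOMAIN:
        return "honest", []
    return "rewritten", a_records(isp)


# Constructed samples mirroring the post's three dig transcripts.
ICANN_SOA = (encode_name("dns1.icann.org") + encode_name("hostmaster.icann.org")
             + struct.pack(">IIIII", 2009112305, 10800, 3600, 1209600, 86400))
TWC_REWRITE = build_response("www.this-name-does-not-exist.com", RCODE_NOERROR, False,
                             answers=[("www.this-name-does-not-exist.com", TYPE_A, 10, bytes([24, 28, 193, 9]))])
TWC_HONEST = build_response("hardcoreporn.icann.org", RCODE_NXDOMAIN, True,
                            authority=[("icann.org", TYPE_SOA, 10800, ICANN_SOA)])
TELEFONICA_REWRITE = build_response("hardcoreporn.icann.org", RCODE_NOERROR, False,
                                    answers=[("hardcoreporn.icann.org", TYPE_A, 10, bytes([208, 70, 188, 15]))])
# Assumed reference answers from the authoritative servers (AA set, NXDOMAIN).
AUTH_COM_NXDOMAIN = build_response("www.this-name-does-not-exist.com", RCODE_NXDOMAIN, True)
AUTH_ICANN_NXDOMAIN = build_response("hardcoreporn.icann.org", RCODE_NXDOMAIN, True,
                                     authority=[("icann.org", TYPE_SOA, 10800, ICANN_SOA)])

if __name__ == "__main__":
    for label, isp, ref in (("TWC / www.this-name-does-not-exist.com", TWC_REWRITE, AUTH_COM_NXDOMAIN),
                            ("TWC / hardcoreporn.icann.org", TWC_HONEST, AUTH_ICANN_NXDOMAIN),
                            ("Telefonica / hardcoreporn.icann.org", TELEFONICA_REWRITE, AUTH_ICANN_NXDOMAIN)):
        print(label, *detect_nxdomain_rewrite(isp, ref))
```

To use this against a live resolver you would send the same A query over UDP port 53 to the ISP's server and to the zone's authoritative server (the SOA in the honest answer tells you which), and feed both raw responses to `detect_nxdomain_rewrite`. Two things in the synthesized answers are worth noticing even without a reference: the AA bit is clear and the TTL is 10 seconds, so the resolver is not relaying any zone data, it is making the record up on each query.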