Resolving Everything: VeriSign Adds Wildcards

DragonHawk writes "As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003 as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD DNS zones. The IP address returned is 64.94.110.11, which reverses to sitefinder.verisign.com. What that means in plain English is that most mis-typed domain names that would formerly have resulted in a helpful error message now results in a VeriSign advertising opportunity. For example, if my domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by mistake, they would get VeriSign's advertising." Read on below for some more information.

"(VeriSign is a company which purchased Network Solutions, another company which was given the task by the US government of running the .COM and .NET top-level domains (TLDs). VeriSign has been exploiting the Internet's DNS infrastructure ever since.)

This will have the immediate effect of making network trouble-shooting much more difficult. Before, a mis-typed domain name in an email address, web browser, or other network configuration item would result in an obvious error message. You might not have known what to do about it, but at least you knew something was wrong. Now, though, you will have to guess. Every time.

Some have pointed out that this will make an important anti-spam check impossible. A common anti-spam measure is to check and make sure the domain name of the sender really exists. (While this is easy to force, every little bit helps.) Since all .COM and .NET domain names now exist, that anti-spam check is useless.

VeriSign has published white papers about their implementation and also made some recommendations."

joy

[digitalsushi]

this should make troubleshooting dns records as a netadmin much more fun with all those glorious false positives... guess that means i'll have to learn how to spell finally!

How Long...

[jlaxson]

until we get gator-type forced advertising (not just incidental unrelated ads on the page) whenever you make the slightest domain mistake? I get the feeling this doesn't bode well for the continued freedom of the internet, if one company can unilaterally do something of this magnitude. (But then again, Mr. Bush seems to get along fine.)

What?

[Lord_Dweomer]

So let me get this straight.....If I own http://www.hardtospelldomain.com, and someone mispells it, Verisign now has the opportunity to offer up the highest bidders site for redirects? Even potential competitors? Perhaps I'm missing something here, but wouldn't this open them to all kinds of lawsuits from companies that were affected in that way?

Verisign would look nice in gasoline and flame

[netmask]

This is really sad.

Not only will mail have problems, as the "non-existent domain" check will always fail.. but this is completely criminal it seems.

I hate to mention, but they are giving Microsoft a dose of their own medicine.. taking away their ability to bring you to their 'search' page for non-existent domains.. and AOL's own feature similar to that. It hurts google, since Verisign teamed with yahoo on this one for search services (Although, google provides yahoos search functionality for now).

All .com domains are resolving with an authoratitive section of Verisign's server.. and .net's with the list of root servers. It would seem that no domain should ever resolve with either of those as an authority.. The real dns server for the domain should. Hopefully BIND and other DNS packages will start blocking domains that have a root server or a verisign server as the authoratitive dns server.

Further.. they'll be harvesting bounced email addresses for sure. If you get spammed from a bunk domain, and it gets returned.. or you typo and email address.. they are nice enough to run a mail daemon on port 25 to harvest those addresses. It lets you helo, from, rcpt, and data.. and then closes your connection.. just long enough to snag all the info it wants from you.

This entire thing is a mess, and seems like it should be highly illegal. Hopefully OpenSRS and GoDaddy and others will have a fit over it. This just seems completely wrong.

DDOS in the making

[digitalsushi]

think about it.. your dns server caches the entries it gets back, but now we can make scripts that check sequentially all the way up! crash your ISPs name servers, or crash a root server for the prize! remember kids, take down 2/3 + 1 of the root servers and it's not running on spec anymore!

Now let's see

[psyconaut]

Porn companies aren't allowed to run sites with slightly mispelled names because it's considered unfair practice, but a 'registrar' is allowed to catch anything that might come their way?

-psy

Re:Abusing the Power that be

[ScrewMaster]

Verisign has forgotten that they don't own the Internet: they were granted the power to run the root servers and manage primary DNS by the federal government. That government-granted monopoly is revocable. This is a risky maneuver, as it will have global implications. They will probably get their wrists slapped.

Re:network operators are pissed at this

[Wateshay]

I wonder how long it will be before Verisign decides to sue the backbone carriers for some kind of unfair business practice crap.

Re:This is a bitch

[pavon]

I vote that we concider anything from 64.94.110.11 to be spam. That should take care of the problem for spam filters.

Re:Windows already does this...

[leerpm]

Yes, but it is one thing when the application software does it. It is another matter when the network infrastructure provider does it.

Re:Windows already does this...

[diamondc]

But you can change your browser in Windows.

I think Verisign now owes...

[TheSHAD0W]

Verisign now owes money to the Internic for every domain they now effectively hold. Considering how many misspelled domains get hit, I think we're going to have plenty of cash to upgrade the root name infrastructure, don't you?

What about Google?

[MobyDisk]

This is horrible for web spiders and search engines. Every link to a dead domain name will now result in a series of pages that need to be indexed. And there will be thousands (millions?) of web sites that all offer Verisign name registrations -- all identical. This will surely affect their page rankings! Spiders will have to be hard-coded to ignore certain IP addresses or DNS names.

I hope they get sued by every mail filter vendor, registrar, and search engine that they just damaged with this. And the government needs to review the powers they are granting to name-server providers.

Re:network operators are pissed at this

[Alien Being]

That would leave browsers waiting to timeout. ICMP-Rejects wouldn't be much better.

We'll need to hack the resolver libraries and/or DNS servers to translate 64.94.110.11 into "no such domain". Verisign will add some more numbers, and soon we'll have blacklists.

Abuse of monopoly will result in regulation.

[semanticgap]

I find it very hard to believe that they will be able to get away with this without some response from the US (and EU) government(s).

Sorry to say this, but this is going to be a precedent for Internet being regulated, this time for real. And you'll be able to thank Verisign for it. Perhaps that's a provocative step to achieve what they are really after - being regulated, which will guarantee them longevity.

Greedy bastards.

Re:Seeeing the future

[SwellJoe]

How big a problem will this be as most people/companies register common mispellings along with the right domain and make the mispellings point to the right site?

This was likely one of the primary motivations for this maneuver...to encourage formerly unnecessary registrations.

I've never registered mispellings of my companies domains, and the thought never even crossed my mind until now. I'm sure the crooks at Verisign saw this angle, in addition to the tons of free eyeballs.

Nope...

[tugrul]

tugrul@duality:~$ telnet dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$ telnet it.really.is.a.wildcard.dkfjdfkjdkfjdkjf.com 80
Trying 64.94.110.11...
Connected to sitefinder-idn.verisign.com.
Escape character is '^]'.
^]
telnet> c
Connection closed.
tugrul@duality:~$

This is just evil

File a complaint at ICANN

[Anonymous Coward]

http://reports.internic.net/cgi/registrars/problem -report.cgi [internic.net]

Re:Agreement by typo.

[JayBlalock]

That's not hillarious, that's maddening beyond my ability to properly express. Especially, #10 - Sole Remedy: "YOUR USE OF THE VERISIGN SERVICES IS AT YOUR OWN RISK. IF YOU ARE DISSATISFIED WITH ANY OF THE MATERIALS, RESULTS OR OTHER CONTENTS OF THE VERISIGN SERVICES OR WITH THESE TERMS AND CONDITIONS, OUR PRIVACY STATEMENT, OR OTHER POLICIES, YOUR SOLE REMEDY IS TO DISCONTINUE USE OF THE VERISIGN SERVICES OR OUR SITE." If you don't like what Verisign is doing, get off the Internet. This could well inspire even our current Administration to smack them down. This is the most hubris-laden abuse of a monopoly I've heard of in a long time.

Re:But they do manage those TLD's

[leerpm]

No, they are not within their rights to do this. They were hired to manage the infrastructure, not provide sleazy business services. Think of this analogy. If the phone company were to bombard you with an advertisement everytime you dialed a number that was not in service or a cellphone that was unreachable, do you think the federal and state regulators would stand for that? I do not think so.

Contact ICANN comments@icann.org

[Teflon]

If you want this "feature" of verisign's turned off (I know I sure do), contact ICANN now. This is yet another example of Verisign having far too much unchecked power over the .COM and .NET registries.

Re:Complain to ICANN *NOW*

[tuba_dude]

If ICANN was still there for the good of the internet, yeah, that should work. Otherwise, you should only bother complaining if you're a CEO.

Re:I can't confirm this is true....

[Anonymous Coward]

Don't forget they also have a near-monopoly on trusted SSL certs. They own Thawte, don't they?

Verisign is evil.

WHY?!?!

[tugrul]

We do blacklists for spam because it originates from multiple moving targets.

Verisign is neither multiple nor moving. Instead of sullying our libraries with this stupidity, put your effort [icann.org] into beating Verisign into submission to common decency.

Misplaced root of trust?

[LostCluster]

Is it just me, or is Verisign now absuing the trust of the Internet community, which is a very strange thing for a company that wants to be a root of trust when it comes to issuing SSL certs?

Re:What about Google?

[Asgard]

Fortunately there is a robots.txt hosted on that server:

User-agent: *
Disallow: /

Re:Strike Back with Poor Typing

[Jeffrey Baker]

Why the fuck would anyone run a "mail rejector daemon"? Seems like not answering to port 25 would fulfill all your mail rejection needs.

There is no Internet

[DragonHawk]

(Pre-emptive strike: Insert Matrix-spoon reference here.)

I feel it is worthwhile to post a more general response to this point as well.

There is this myth that "the Internet" exists as a single, cohesive network. It does not, and never has. "The Internet" is a network of networks. What that means is that a bunch of independent network operators have agreed to exchange traffic with each other because it benefits them. When you dial in to your ISP of choice (or plug in your Ethernet cable or whatever), you're not connecting to the Internet. You're connecting to your ISP. Your ISP probably connects to their ISP. Their ISP (if you're lucky) connects to several other ISPs, who connect to other ISPs, and so on. All these independent network operators form "the Internet". So, "the Internet" exists as an abstract concept (and a useful one), but not as something you can touch. Not even as something you can route traffic through. All you can do is connect to some other guy's network and hope for the best.

The reason this is important is because we are already seeing ISPs implementing countermeasures against this VeriSign move. Some are null-routing that IP address at layer two; others are using DNS tricks to give us the old behavior. If enough ISPs do this, VeriSign's move will be largely ineffective. In effect, ISPs as a community can veto VeriSign or anyone else. It only works if most of them agree and take action, of course, and it remains to be seen if they will do that. And, of course, some of these countermeasures may themselves be easily defeated, leading to an arms race (like the spammer vs anti-spam arms race).

The possible consequences of all this are, shall we say, interesting.

(BTW, I don't disagree with the OP's suggested course of action, nor with the principle behind it. I'm just pointing out that things are, as usual, more complicated then they might appear.)

Re:What?

[Drakonian]

How is this significantly different than the case before? Your competitors were free to buy your domain names misspellings, they just didn't have a handy link to do it right away.

Re:What about Google?

[Asgard]

It would seem fairly straightforward for Google to change their code to skip that host entirely.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not much of a workaround

[KeithH]

This isn't much of a workaround since the mistyped DNS name will still resolve. Instead of a no-such-domain response from the resolver, you'll instead get a no-response at the application level. This suggests that the server (website or mailserver for example) exists but is down.

In the case of SMTP traffic, the sender will waste time and bandwidth retrying.

Note also that Mockapetris explicitly intended for wildcarding to be supported in RFC1034 - unfortunately, I don't think he foresaw the crass exploitation of the internet by ICANN 16 years ago.

Re:Misplaced root of trust?

[graxrmelg]

When was the last time VeriSign had the trust of the Internet community? That was gone long ago, especially after they started sending fake domain renewal notices to people whose domains weren't registered with them. If they have a monopoly on issuing SSL certificates, why would they need to care about their reputation?

Re:wonder of wonders

[gantzm]

It's not the page content to be concerned about. If google is constantly hitting pages with tens of thousands of these links the DNS servers are going to start having serious cache problems. I'm sure google runs their own dns servers (at least caching servers), this technique would play havoc with that.

I don't see anyway a search engine could prevent this. It has no prior knowledge of the domain in the link until it tries to resolve it.

Re:wonder of wonders

[CaptainSuperBoy]

Do you know how a DNS wildcard works? Apparently not. There is a SINGLE record that resolves all nonexistent .com and .net addresses to Verisign's sitefinder. Although I'm sure Google's massive server farm can handle storing 10,000 addresses it won't even have to. As soon as it sees the domain resolves to the same address it can move on.

Re:Contact ICANN comments@icann.org

[innocent_white_lamb]

What is this, better living through DDoS?

No, this is receiving feedback from the affected administrators, engineers and other interested persons; said feedback hopefully leading ICANN to do the give Verisign a short, sharp lesson in "WHOA!".

You know, the job that they are supposed to be doing and all that kind of thing.

Re:Strike Back with Poor Typing

[mino]

VeriSign is doing the correct thing with regards to SMTP.

Indeed. But not as right a thing, surely, as not returning IPs for these non-existent domains anyway.

If nothing else, they're sucking bandwidth. It's not much, surely, but -- OK. We send out an email newsletter at work (legitimate, opt-in, unsubscribable -- calm down) which goes to 200,000+ people. Say 5,000 people have their domain wrong -- htomail.com or something (no idea if that's accurate, but it's probably not massively far off).

As it was, our mail server would do 5000 dns lookups, get 5000 NXDOMAINs, and ignore them. Instead, it does 5000 lookups, gets this address, connects to the mail server, sends a HELO, gets a response, sends a MAIL FROM, gets a response, sents a RCPT TO, gets a 550. That's an extra... what... couple of hundred bytes of network traffic? Say in the order of 1-2 MB for the lot. Down here in expensive-bandwidth-land, that's about 30 cents Australian it costs us. Not much, I know, but even so, it's there. Not to mention the additional load on our servers for trying to send, making port-25 connections, etc, compared to just giving up.

It's not much, but it IS costing us some small amount of bandwidth and some server time. Screw them.

This is the most #@^%ed-up #@#$ of @#*&ing !@%^ that I've ever #$@@ed in my %$#*.

I'm voting with my feet. Bye bye Verisign.

[nuckfuts]

By coincidence I received a (legitimate) domain renewal notice from Verisign today. Instead of renewing with Verisign I am transferring my domain to a new registrar. Verisign-ing off.

Re:wonder of wonders

[User8201]

Also, MS has been doing this in Internet Explorer for some time, so a mistyped URL goes to an "MSN Search" branded page. So, MS will probably try to solve this problem, so they get their brand name awareness campaign back!

(Actually MSN Sucks and no one uses it despite that).

It's interesting, that the VeriSign page has a Terms of Use. I don't think they legally can require me to abide by SHIT if I got their because of a wildcard, e.g. they trapped me into getting there, not because I intended to go there. And a privacy policy? I didn't _intend_ to access their server, so I don't think I have to grant them rights to do whatever the hell they want with my info or whatever, if I don't want to.

Someone should sue them, or something.

Re:PLEASE DO NOT CLICK ON ANY SEARCH ENGINE RESULT

[okigan]

Actually I think you are totally right.

The whole thing was done exactly with this
purpose, but I think it can be used to break the
system. If enough bots (and bots only)
constantly "click" on the ads, their price will
plummet. Since now they cannot tell if a person
saw the ad, they "pay per click" becomes
pointless. (and boy they will be mad when find
out they paid all that money for nothing)

On the other other hand if every slashdoter
would ping the thing it would be way more fun.
Come one everybody just type : ping 64.94.110.11
(at -t if you are in windows)

Re:Boycott Thawte (Verisign's SSL subsidiary)

[mino]

Email your Thawte rep to explain why you or, better yet, your huge organization :) won't be renewing your certificates with Thawte.

Superb idea, ajks. Have a cookie (or a certificate).

Here's a form-letter version of the email I'm about to shoot off to our rep, the delightful(!) Barbara:

Dear [Thawte Rep Name],

I am an employee (and listed CSO) of [company name], which purchases 128-bit SSL certificates from Thawte. We purchase approximately [x] certificates a year, which works out to approximately $US[y] per year.

As you might be aware, Verisign, parent company of Thawte, has recently introduced a deceptive and misleading practise with regards to DNS resolution of non-existent domains. Any attempt to locate the IP address of a domain which is not registered (www.non-existent-domain.com) will, rather than returning an error message, return the address of a Verisign advertising server.

This practice is not only ethically dubious, it is also something which promises to cause untold headaches for network administrators all over the world, as well as confusion for end-users of the Internet, all purely for the financial benefit of Verisign.

I am not writing this letter to you in an official capacity as representative of my company: however, I wish to advise you that come certificate renewal time, I will be strongly recommending to my company that we change to an alternate SSL certificate provider, rather than Thawte, if this practice of Verisign's is still in place.

As the listed CSO of this company, I strongly expect that my stance will result in the direct and immediate loss of this $US[y] worth of annual business to Thawte.

This is an selfish and narrow-minded move on the part of Verisign, and I have no hesitation in recommending that my company withdraw its business from Thawte.

Kind Regards,

[Your Name],
[Your location]

We're a small company: but even in our case, [x] and [y] are are 10 and 3000 respectively. It won't take that many to make a sizeable hole in Thawte's pockets.

my complaint, as submitted to ICANN

[Anonymous Coward]

Verisign's current practices imply that Verisign owns veritable rights to all domain names, EXCEPT those which have been registered by others.

Clearly this is not ethical: all others need to pay a yearly fee for registration, while Verisign does not. This must be corrected.

Specifically, Verisign is using all un-registered domain names as aliases (redirects) to their own business sites. This can realistically be a significant step towards ending the internet as we know it - every single internet user puts an immense amount of trust into "the system" every day she or he uses a web browser to surf the web. Verisign threatens to end our trust in the system, with serious consequences for us all.

Re:Contact ICANN comments@icann.org

[tulare]

Sorry, but bullshit.

ICANN is responsible for, among other things, ensuring that it's registrars perform their duties properly. If an issue such as this one crops up, and the /. community (trolls and non-trolls alike) decide to make their complaints known using the established protocol that ICANN itself has provided for such matters, so be it. Yes, this will generate an enormous volume of sometimes absurd attempts at flaming, and yes, someone at ICANN has probably filtered all that traffic - although I suspect not to a circular file as you seem to suggest, but to a count-aggregation file to provide a record of public comment.

Face it - sometimes, being responsible for a little thing like the internet can be a bitch. Most of us do have to deal with inane crap as a part of our daily grind, although I admit that getting 20,000 emails suggesting I view a goatsex link in a single day would probably be unusual for me at least. But at least ICANN has said outright that they aren't going to read all of them :) But that's their job, and the closetfull of people who work for ICANN get paid to do it, knowing fulll well that things like this will happen. Big deal. Such is life, such is work. Or do you have a job where your responsibility is guaranteed to be 100% hassle-free? If so, I applaud and doubt you.

Re:Who is going to be the first to hack it?

[Anonymous Coward]

I'm not sure what the mystery is here.. they explain in their implementation whitepaper [verisign.com] how sitefinder responds to the various network protocols as well as the filtering on certain ports. It wouldn't be surprising if later they added other services as "useful" responses are discovered.

Re:wonder of wonders

[javilon]

"Sure you do, if you have a REAL router (or a DSL router even) you should be able to null-route that IP. Or actually, you might even be able to convince your ISP to do it with a short, friendly letter to the admin."

Indeed. And, if the Mozilla and Konqueror people had balls, they could set up a default option on their browsers so this page is blocked. You could uncheck it, but it should be on by default.

This would be a cool way to protest!

Re:What about Google?

[Anonymous Coward]

Most webspiders should index on IP anyways.

What gave you that silly idea? Virtual servers will all have the same IP address. Hundreds of domain names could use the same IP on a single server and all have unique content that needs to be indexed or cached.

DDoS/attack/"testing"?

[Fastolfe]

So if a script kiddie out there is trying to test his hostname parsing code in his latest DDoS tools, and tries to use a hostname that he knows doesn't exist, would he be liable for the damage his scriptz cause when that hostname actually does resolve to a Verisign IP address?

It really sounds like Verisign wants traffic destined for every mistyped or invalid hostname. I say let them have it. Surely they're aware that the Internet is not just the web.

Re:Despicable.. But they're not the first...

[gerardrj]

This is of course completely different than the MSIS issue.
The MS only affected MSIE users for web browsing. The Verison issue affects ALL Internet clients, not just web browsers.
It's actually worse for other clients than web and email as Verizon's machine does not return an error for any other protocol, it just says "connection refused".

DNS wasn't designed to do what Verizon wants it to do, and there's no way to only offer the fake address for queries for web sites.