Global Crossing puts dns redirection in the lab


What would you do if you were approached by someone saying that they wanted to enter into a partnership with you that would require little or no money out of your own pocket and would pay you on a monthly basis? If it were an email, you'd dismiss it as just another spam message, and if it were a phone call, you'd dispatch it as you would any telemarketer.

When paxfire approached us last summer offering exactly that, we didn't kick them out. I'm not saying that you should jump on every piece of investment advice that ends up in your junk folder, but haven't you ever been curious enough to look up the ticker symbol to see if the spam campaign has had an impact on the stock price?

We had to hear what they proposed, because the prospect of receiving additional revenue with no COGS means that, if true, our gross margin and margin percentage see direct improvement. Or as the MacKenzie brothers might say, "free beer, eh?"

The arrangement is pretty straightforward. You drop a vendor-supplied appliance in front of your DNS server, and it captures failed DNS requests and answers them with the IP of a search engine page with advertisements on it. Whatever money the company makes off advertising is split 50/50 with the ISP.

Right around the time we started talking to paxfire, net neutrality was one of the hottest topics of debate in the blogosphere. Was this technology a net neutrality issue?

While it is true that this technology could be used to do sneaky things with people's DNS requests, lots of things could be leveraged to do sneaky things with people's packets, and we have no more motivation to make our customers' Internet perform slowly by tipping the QoS scales in someone else's favor than we would to divert reasonable DNS requests in a manner that paying customers would disapprove of. Having the means to do something doesn't mean you will. Just because you own an ax doesn't mean you'll chop the heads off chickens... maybe you just want to split some wood. Case in point, there is one installation of this technology that uses a subscription-based list of known phishing sites and redirects the person to a portal that explains phishing and then allows them to continue to the originally requested site if they wish.

Right around the time we were debating this internally, the Earthlink news hit the streets. After Earthlink deployed a similar solution from a company called Barefruit, they posted a blog entry, "Handling Dead Domains," for which they got flamed by their customers (and non-customers) for:

a) not telling customers ahead of time,
b) not providing an opt-out capability and
c) in general, breaking the basic functionality of DNS.

The move drew fire from the blogosphere as well, with negative comments by Om Malik, the Tao of Mac, and slashdot.

We are hoping that we've learned from Earthlink's experience. The purpose of this blog is to let customers know with plenty of advance notice that we're lab testing a similar (but better) solution. If we successfully get through lab tests we will post another blog entry to let people know when it will go live and how they can opt out.

The last issue can be addressed through one of the advanced configuration options available from paxfire (although the difference in ad revenues could be significant). The paxfire solution can be set up so that it only grabs what is referred to as keyword traffic. A keyword is when you just type your search term into the address bar. If you are running a browser that supports an autosearch and you have not configured your browser to use a particular search engine, it will grab those search keywords and redirect them to a search engine. Since it's a real DNS name that is hardcoded into your browser application and not a random DNS request that is going to fail, all other applications on your computer continue to work normally, receiving an unknown hostname error if you use the wrong domain. We're currently thinking that we might use this setup on the opt-out servers since it's pretty innocuous, and will experiment with a less conservative setting in a field trial to compare the difference.

Lab testing has gone well so far, and everything is working as advertised, and we'll be announcing a field trial soon. If you're a Global Crossing customer and you have comments or concerns, contact your account manager or drop a comment here.

dsiegel – Fri, 2007 – 01 – 26 21:48

DNSSEC

After you pick up a revenue stream from DNS redirection (assuming you do), will you abandon that revenue stream to deploy DNSSEC? Or will you sacrifice your customers' security?

Ned Ulbricht (not verified) – Thu, 2007 – 11 – 15 10:17

the negatives


The Mark McLaughlin article Paul referred to may be found here.

Dave, I think you fairly summarized the reasons that Earthlink drew criticism, and the blog entry is a start at attempting to prevent (a) and (b)--it's not enough to just provide an opt-out mechanism, but at least to give advance notice on how to avoid being opted in. Provided that we make our customers aware in advance what is going to happen on which DNS servers, and which ones to use to opt-out, I hope we can avoid those issues. The caveat to that is that if we have customers who are using our DNS and also providing DNS to their downstreams (and hopefully there are few, if any, such cases--I would expect an ISP to have its own recursive DNS servers), we don't have a direct relationship or an easy way of giving them advance notice except by giving direct customers enough time to do so themselves.

When it comes to (c), I share Paul's concerns. It's the unintended consequences on applications other than web browsing that are most likely to be detrimental (as opposed to merely annoying).

I would also add a (d)--that this is simply not an expected nor desired feature of service from one's network provider, unless it provides some actual benefit to the end user (as in the case of the phishing prevention you mentioned, or similarly to prevent connections to botnet controllers or aid with malware removal).

lippard – Sat, 2007 – 01 – 27 14:01

it's not rubes and it's _not_ just browsers...

Back in 2003 when Verisign stunk up the web with controversy over sitefinder, Mark McLaughlin posted a fairly well linked article to news.com calling the technical community's (root-delegation-only) and ICANN's (a slap down) response to the changes a stifling of innovation on the Internet. One thing Mark missed, and I hope GC keeps in the very forefront of their decision making, is that the Internet is also no longer just a place for people with web browsers. Mucking with the lowest level plumbing makes things like semantic web, XML exchanges (think schema validation), VoIP, P2P, and email (spam filtering) more difficult to develop and implement. These are very real innovations with very real economic and cultural impacts.

If the intent is to improve the customer browser experience then let the improvements be done in the browser where they have no impact on other services.

Paul Erkkila (not verified) – Sat, 2007 – 01 – 27 10:20
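
The redirection described in the post, and the concern in the comments about applications other than browsers, as an added example that is not part of the original post or comments: a check that looks up random nonexistent names and flags a resolver that answers them, run offline against three constructed resolvers (honest, rewrite everything, keyword only). The zone data, addresses and autosearch hostname are constructed or hypothetical, and the sender-domain check is a simplified stand-in for a spam filter's lookup.

```python
import secrets
import socket

def system_resolve(name):
    """Real lookup through the OS resolver; an empty set means it failed."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def detect_nxdomain_rewrite(resolve, probes=5, suffix="com"):
    """Look up random names that almost certainly do not exist.

    An honest resolver fails every probe. A rewriting appliance answers
    them, normally with the same landing-page address each time.
    """
    landing = set()
    for _ in range(probes):
        landing |= set(resolve(f"{secrets.token_hex(12)}.{suffix}"))
    return {"rewritten": bool(landing), "landing_ips": sorted(landing)}

def sender_domain_exists(resolve, domain):
    """Simplified spam-filter check: does the sender's domain resolve at all?"""
    return bool(resolve(domain))

# Constructed data for an offline run (documentation address ranges).
ZONE = {"www.example.com": {"192.0.2.10"}}
AD_IP = "203.0.113.80"                       # constructed landing-page address
KEYWORD_HOST = "autosearch.browser.example"  # hypothetical autosearch name

def honest(name):
    return ZONE.get(name, set())

def rewrite_all(name):
    # Every failed lookup is answered with the landing page.
    return ZONE.get(name) or {AD_IP}

def keyword_only(name):
    # Only the browser's autosearch name is redirected; other failures stay failures.
    return {AD_IP} if name == KEYWORD_HOST else ZONE.get(name, set())

if __name__ == "__main__":
    for resolver in (honest, rewrite_all, keyword_only):
        print(resolver.__name__, detect_nxdomain_rewrite(resolver),
              sender_domain_exists(resolver, "no-such-sender.invalid"))
```

Passing `system_resolve` to `detect_nxdomain_rewrite` runs the same probe against whatever recursive resolver the machine is actually configured to use.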
