VeriSign Redirects Unused Domains
By Nate Mook | Published September 16, 2003, 1:48 AM
UPDATED In a surprise move that has left network administrators fuming, VeriSign has added a wildcard DNS record to all .com and .net domains - redirecting all nonexistent Web addresses, as well as those without valid DNS entries, to a VeriSign search page.
The change, which VeriSign calls its "Site Finder" service, could also adversely affect e-mail spam filtering that relies on discarding messages from invalid hosts.
VeriSign recently acknowledged it was testing such a system internally, but made no announcements regarding its implementation plans. However, the company flicked the switch without warning on Monday, later posting a notice to the NANOG mailing list.
"Today VeriSign is adding a wildcard A record to the .com and .net zones," the message read. "The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now."
Although VeriSign's Network Solutions arm no longer solely handles domain registrations, the company still controls all DNS records -- contained in "zone" files -- for .com and .net domains. Over eight billion DNS lookups go through VeriSign each day, 900 million of which are for nonexistent domains.
A document issued by VeriSign says Site Finder "improves the Web browsing experience when the user has submitted a query for a nonexistent second-level domain in the .com and .net top-level domains."
Instead of a user receiving a confusing error message for an invalid URL, Site Finder returns a Web page containing links to possible destinations and an Internet search, according to VeriSign.
Site Finder will also appear on registered domains that have no active DNS records.
But network administrators are not happy with Site Finder due to technical and moral concerns, and have already devised methods of bypassing the service. According to reports, some ISPs have blocked access to Site Finder's IP address.
VeriSign's move has raised the ire of security experts such as Steven Bellovin, Research Fellow at AT&T Labs.
"It's bad enough now; it could be even worse. They could respond on port 443, too, with a legitimate-seeming certificate -- they're VeriSign, the leading certificate authority," said Bellovin in a message to NANOG. "In the security world, we call this a man- (or monkey-)in-the-middle attack, for which the standard defense is crypto. But that doesn't work well when your trusted third party is part of the threat model."
Privacy issues are also of concern to many. VeriSign says it "actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server."
Network administrators are not the only ones Site Finder is likely to upset. Microsoft and AOL have long relied on sending customers who mistype domains to a sponsored search page as means for millions of dollars in additional revenue. Now, all such traffic will first be intercepted by VeriSign.
Microsoft, however, downplayed the potential effect Site Finder will have on its MSN business.
"VeriSign's decision to redirect traffic from misspelled queries does not significantly impact MSN Search because the amount of traffic driven to our site through mistyped Internet queries is minimal," an MSN spokesperson told BetaNews. "Our focus remains on generating traffic from satisfied and repeat consumers rather than counting on mistyped query traffic."
VeriSign has partnered with Overture to handle Site Finder search results, although the company has not said how much it expects to make from the deal. Without providing specific numbers, Microsoft says error traffic accounted for only a small segment of MSN revenue.
"VeriSign's decision has minimal impact on MSN revenue, because the bulk of our revenue does not come from redirected search queries," the spokesperson said.
You mean right now if I type a non-existent .net address it should go to Site Finder? I've tried it, and it doesn't happen. Or is it just going to be implemented soon?
Score: 0
Yes, however it seems that some ISPs are filtering access to their Site Finder service.
Score: 0
Or they applied the BIND patch.
Score: 0
Well, I've registered my hate of the new system; hopefully others will follow suit ...
Score: 0
You can let the registrar know how you feel by e-mailing them: info@verisin-grs.com
Score: 0
Reset your Web settings under Tools -> Internet Options -> Programs -> Reset Web Settings.
I'm not sure how long the reset will last, as no one accepted this change, but it does send you back to the MSN not found pages.
Score: 0
Never mind... It worked earlier, but doesn't work anymore....
Good luck! I hope VeriSign gets the pants sued off of them for this..
Score: 0
Apparently the folks at the ISC got a lot of complaints from their users and are implementing a fix for BIND. Those servers using BIND might be able to get around this.
http://www.wired.com/new...gy/0,1282,60473,00.html
Score: 0
Sure, fix it this way: redirect all spam e-mails to their Web e-mail address. If they want things directed their way, help them along....
Score: 0
They are getting the pants sued off them by, of all people, Netster.com; they claim antitrust.
http://www.pcpro.co.uk/n...news_story.php?id=47813
Score: 0
There is another privacy issue here. Mail messages to mistyped addresses are now being delivered to and rejected by sitefinder.verisign.com. That is not to say that they are not collecting valid e-mail addresses, reading these e-mail messages, saving these e-mail messages, or will not do so in the future.
Score: 0
Sorry, I think you've got the way e-mail servers handle mail confused with the way DNS servers handle DNS requests.
When you send mail, the SMTP server you are sending from typically contacts a DNS server to try and find the destination. Previously it will have received an error message and bounced the mail right back. Now it *may* find a mail server (in this case VeriSign's) at the other end. But before it goes ahead and passes the mail on, it asks the responding mail server if the address you are trying to send to is among the known addresses it administers. If it gets a yes back it sends the actual mail; if it receives a no, it bounces your mail back quoting "user not found". This is as much in your interest (privacy) as it is in VeriSign's: the flood of mail it would receive with misspelt addresses would surely overwhelm their mail server.
Still bad, bad news for privacy, reading their Privacy Policy is enough to send shivers down my spine:
"We use third-party companies to serve paid and unpaid search results and other content to our Site Finder. In the course of serving these results, these companies may place or recognize a cookie on your browser, and may use information (not including your name, address, e-mail address, or telephone number) about your visits to this and other web sites in order to serve content to our site..."
And don't even think about USING sitefinder or you will (at least Verisign will have you believe so) enter into a binding legal agreement with Verisign.
Anyway, for those who are concerned there is an elegant yet simple solution: use a DIFFERENT DNS service such as OpenNIC (http://www.opennic.unrated.net). Either ask your ISP to switch their DNS querying mechanism to OpenNIC or, if they refuse, just do it yourself. Instructions on how to do so can be found at the site.
Score: 0
"But before it goes ahead and passes the mail on, it asks the responding mail server if the address you are trying to send to is among the known addresses it administers."
As of now, they *are* rejecting mail before the message bodies are sent. But who's to say that won't change in the future? It would take only a minor tweak to their mail server to move the 550 rejection code after the message body is received instead of before.
nutation's point is quite valid.
Score: 0
I did a few tests and found that when asked for an MX record, the DNS system returns no MX record at all, only an SOA record.
What this means is that when your SMTP server tries to locate the recipient server, it can't find anything and doesn't even try to connect anywhere.
So VeriSign can't have an SMTP server collecting sender addresses. For now... But it would be easy for them to wait a bit until people get used to this s***, then quietly add an MX record and some SMTP server recording each and every sender address.
Now that would be fun.
Score: 0
"What this means is that when your SMTP server tries to locate the recipient server, it can't find anything and doesn't even try to connect anywhere."
This is wrong. An MTA will proceed to look for an A record when it doesn't find an MX record. And VeriSign *is* returning A records.
Try sending mail to a non-existent domain right now and you will get a response back from Verisign's server.
Score: 0
Yep, you're right. My bad, I should have checked the RFC twice (http://www.faqs.org/rfcs/rfc2821.html, section 5).
So basically they CAN (ARE?) record sender addresses. The recipient one isn't interesting because it's basically wrong, and I doubt the content could be easily processed. Maybe they could monitor specific sender addresses for "interesting" content.
Score: 0
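The MX-then-A fallback this thread argues about (RFC 2821 section 5), combined with the article's wildcard A record, is what lets a mistyped address reach VeriSign's response server; the probe below shows the check a mail administrator could add to bounce such mail instead. This is an added example, not VeriSign's or any MTA's code; the zone data, the resolver stub and the 192.0.2.10 wildcard address are constructed.

```python
import random
import string

# Constructed stand-in for the .com zone under the Site Finder wildcard: one
# real domain with MX records, and a typo domain that only matches the wildcard.
WILDCARD_ADDR = "192.0.2.10"  # placeholder for the wildcard response server
FAKE_ZONE = {
    "example.com": {"MX": [(20, "mx2.example.com"), (10, "mx1.example.com")], "A": []},
    "examlpe.com": {"MX": [], "A": [WILDCARD_ADDR]},  # nonexistent name, wildcard hit
}

def lookup(name, rtype):
    """Resolver stub: any unknown name under .com answers like the wildcard does."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name][rtype]
    if name.endswith(".com"):
        return [WILDCARD_ADDR] if rtype == "A" else []
    return []  # TLDs without a wildcard return nothing for unknown names

def wildcard_address(tld, resolve=lookup):
    """Probe the TLD with a random label; an A answer means a wildcard is in effect."""
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    addrs = resolve(f"{label}.{tld}", "A")
    return addrs[0] if addrs else None

def delivery_targets(domain, resolve=lookup, check_wildcard=True):
    """Hosts an MTA would try, in order: MX by preference, else the A record
    (RFC 2821 section 5). With check_wildcard, an A-only fallback that matches
    the TLD wildcard address is treated as a nonexistent domain and returns []."""
    mx = sorted(resolve(domain, "MX"))
    if mx:
        return [host for _, host in mx]
    a = resolve(domain, "A")
    if not a:
        return []  # no MX, no A: bounce, as before the wildcard existed
    tld = domain.rsplit(".", 1)[-1]
    if check_wildcard and a[0] == wildcard_address(tld, resolve):
        return []  # implicit MX points at the wildcard: bounce instead of connecting
    return a
```

With the check disabled the typo domain resolves to the wildcard address and the MTA would open an SMTP connection to it, which is the behaviour the thread describes.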
Well, this is very interesting indeed.
Does this mean that VeriSign claims, legally, to 'own' the rights to all unregistered .com/.net namespace?
For example, let's say I have a company called "wudwiuw" and I chose not to register the .com name (maybe I decided to go with "wudwiuw.shop"), but later I discover that VeriSign has been redirecting requests to "wudwiuw.com" to a competitor's site.
Wouldn't this fall under the same legal ballpark as using your competitor's registered trademarks in your metatags -- i.e. it opens you to legal action by your competitor?
I hear the sound of lawyers spawning....
Score: 0
I changed the hosts file to reflect '216.239.37.99 sitefinder.verisign.com'; the IP is google.com. When I typed in a bogus domain, I received a message back from Google saying 'Google Error Not Found
The requested URL /lpc?url=wrwqfrwef.com&host=wrwqfrwef.com was not found on this server.'
Maybe that will work as a quick fix... for now.
Score: 0