Unregistered local domain yet internet access?

Ed Gerck egerck at nma.com
Thu Jun 24 06:33:15 UTC 1999



Michael Voight wrote:

> Ed Gerck wrote:
> >
> > Michael Voight wrote:
> >
> > > Many ISP's require forwarding to their DNS server and will NOT allow
> > > direct access to root because it increases traffic.
> >
> > Michael:
> >
> > Since my resolver can be set to *any* DNS server that I want, I fail to see how
> > an ISP could "NOT allow direct access to root". I just have to find a DNS server
> > that accepts recursion -- which can also be my own trusted DNS server.
> >
>
> ISPs can block DNS requests through routing Access Control Lists.

This point happens to be important at this moment because
ISPs could either try to wield this power to prevent the user
from seeing other Internet root servers besides the NIC's
or ... just leave it as it is and forthrightly deny such a right to
the clients. So, let me comment a bit more on why this would
not really work.

Of course, no ISP can guarantee end-to-end connectivity
for their users -- so they may as well block DNS requests
and even reroute them. However, blocking and redirecting
packets on purpose and *against* the client's will on a
routine basis seems to me to be much different from the case
of an ISP not being able to guarantee end-to-end connectivity
for their clients.

In fact, in what you say, the ISP would be guaranteeing the
reverse, since the probability of interference with the clients'
expressed will would be a certainty. And this act is not void
of bad consequences either -- as the original posting was actually
a complaint against such an act. The damage from this act
is thus visible; it is not inconsequential, and the ISP would
be restricting paid-for communications in order to obtain
an extra financial gain at the expense of the client. Bad thing.

Further, it seems to me that if the ISP would try to avoid this
"bad thing" and require the client to sign a contract saying that
the client expressly renounces any DNS name server but
that of the ISP, then the ISP would be in trouble of a different
kind since now the ISP (by denying any other option to the
client) would be liable for lack of proper DNS service (for
example, wrong, outdated or incomplete). Thus, the ISP
will probably not want to be fair and do this -- which is
further cause of deceit ;-)

So, this practice would be illegal if not consented and impractical
if consented. This goes a notch beyond my original comment
because now the ISP cannot do it even legally (because of liability).

;-) of course, if the client knows all this... but, if not expressly allowed
by the client (with the Catch-22 liability for the ISP) this would be
tampering with communications, a Federal crime in the US, and
I would have the logs to prove it. So, this is not a DNS problem
but an FBI problem ;-)

There is also a third possibility to thwart the "evil" ISP:
I can do DNSSEC to a DNS server in another network.

Cheers,

Ed Gerck
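As an added example, not part of Ed Gerck's message nor of BIND's own code: a check a client can run to see whether replies to its chosen resolver are in fact coming from a different server, which is the kind of evidence the "logs to prove it" argument above relies on. It sends the CH TXT `id.server.` identity query (RFC 4892; older BIND versions answer `hostname.bind.` instead) and parses the reply; the reply bytes and the identity strings `isp-cache-7` and `my-ns.example` are constructed so the code runs offline.

```python
# Added example (not from the original post): probe a resolver's self-reported identity
# with the CH TXT id.server query (RFC 4892) and flag replies from a server you did not set.
import struct
def build_query(txid: int, name: str = "id.server.", qtype: int = 16, qclass: int = 3) -> bytes:
    """Single-question DNS query; defaults to the CH TXT id.server identity probe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, qclass)

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a wire-format name (handles compression pointers)."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, and the name ends there
            return off + 2
        off += 1 + n

def txt_answers(msg: bytes, txid: int) -> list[str]:
    """TXT strings from the answer section; a reply with the wrong transaction id is rejected."""
    rtxid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch: not a reply to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16:  # TXT rdata is a sequence of <len><chars>
            i = 0
            while i < len(rdata):
                texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
    return texts

def redirect_suspected(reply: bytes, txid: int, expected_ids: set[str]) -> tuple[bool, list[str]]:
    """True when the answering server identifies as none of the servers you configured."""
    ids = txt_answers(reply, txid)
    return (not any(i in expected_ids for i in ids), ids)

def make_reply(query: bytes, identity: str) -> bytes:
    """Constructed reply for offline use: echoes the question and answers with `identity`."""
    txt = identity.encode()
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 3, 0, len(txt) + 1) + bytes([len(txt)]) + txt
    return header + query[12:] + rr
```

A redirecting middlebox can of course fake the identity string, so a mismatch is evidence of redirection while a match proves nothing; only a DNSSEC-validated answer, as the message's third option suggests, settles who really answered.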




More information about the bind-users mailing list