NXDOMAIN redirection in BIND 9.9
warren at kumari.net
Sun Oct 2 19:11:46 UTC 2011
On Sep 30, 2011, at 7:43 PM, David Miller wrote:
> On 9/30/2011 6:21 PM, Shawn Bakhtiar wrote:
>> "We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusively -- than BIND 9.9 will."
>> That is just giving in. To what WILL end up being akin (is akin) to taking away access. The argument that everyone is doing it so let's just facilitate it is a bad one. This is a cave in to bad behavior which borders on freedom of speech violation, since you're sanctioning the ability to arbitrarily redirect (without redirecting) content. Important part being the sanctioning of.
> You get to run your network however you like. This is your right. Turn the feature on if you like -or- make sure it is off if you don't like it.
> You don't get to tell others how to run their networks. Well... you can tell them, but they don't have to listen to you...
> Many organizations want to do NXDOMAIN redirections on their resolvers on their own internal networks or on guest wireless networks or on whatever networks they control for whatever reasons they like.
> Other resolvers have had the ability to do NXDOMAIN redirections for many years. The pressures keeping ISPs from implementing NXDOMAIN redirections have never been the fact that BIND didn't support it.
> You are going to have a hard time making the case that NXDOMAIN redirections are a "freedom of speech violation", but the place for that argument is in the court room.
> Instead of seeing this as a "sky is falling" event, why not see it as an opportunity to create your own resolving DNS service that does not do NXDOMAIN redirections? Then every ISP that implemented NXDOMAIN redirections (using BIND or any of the myriad of other software that will do it) would be another potential group of customers for you.
See 184.108.40.206, 220.127.116.11.....
From the FAQ:
"How does Google Public DNS handle non-existent domains?
If you issue a query for a domain name that does not exist, Google Public DNS always returns an NXDOMAIN record, as per the DNS protocol standards. The browser should show this response as a DNS error. If, instead, you receive any response other than an error message (for example, you are redirected to another page), this could be the result of the following:
• A client-side application such as a browser plug-in is displaying an alternate page for a non-existent domain.
• Some ISPs may intercept and replace all NXDOMAIN responses with responses that lead to their own servers. If you are concerned that your ISP is intercepting Google Public DNS requests or responses, you should contact your ISP."