John Pescatore

A member of the Gartner Blog Network

VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Point-CounterPoint: Security Issues of Top Level Domain DNS Redirection

by John Pescatore  |  June 25, 2009  |  1 Comment

This week the Internet Corporation for Assigned Names and Numbers (ICANN) issued a report that recommended against the practice of DNS redirection by Top Level Domains (TLDs). The most common example of this is when you mistype a URL and, rather than getting Error 404, you are redirected to a screen that usually has advertising and suggestions for which URL you may have meant to reach.
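The practice described above works because the TLD (or an intermediate resolver) answers a query for a name that does not exist with an address record instead of a failure, so any software that relies on "no such name" as a signal stops getting it. The check a defender would want is a probe that tells whether the resolver path they depend on is synthesizing such answers. The following is an added example, not code from the original post or from Gartner or ICANN: it queries a few random, unregistered-looking names under a TLD and flags the TLD as redirected when every probe resolves to the same address. The `make_fake_resolver` helper, the `192.0.2.1` sink address and the TLD names used in the demo are constructed for offline use; `system_resolver` is the optional hook for a live check.

```python
"""Probe for TLD / resolver wildcard redirection (NXDOMAIN rewriting).

Added example; assumptions: a resolver is any callable that maps a host name
to a list of IPv4 strings and returns [] when the name does not exist.
"""
import secrets
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def nonce_name(tld: str, hex_chars: int = 24) -> str:
    """Build a random label that should not be registered under the TLD."""
    return f"{secrets.token_hex(hex_chars // 2)}.{tld}"


def system_resolver(name: str) -> List[str]:
    """Resolve through the OS stub resolver; [] means no address / NXDOMAIN."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def make_fake_resolver(wildcard_tlds: Dict[str, str]) -> Resolver:
    """Constructed resolver for offline runs: every name under a wildcarded
    TLD resolves to that TLD's sink address, everything else is NXDOMAIN."""
    def resolve(name: str) -> List[str]:
        tld = name.rsplit(".", 1)[-1]
        return [wildcard_tlds[tld]] if tld in wildcard_tlds else []
    return resolve


def detect_redirection(tld: str, resolve: Resolver, probes: int = 3) -> Dict:
    """Query several random names under the TLD.

    Names that do not exist should all fail to resolve.  If every probe
    resolves and all of them point at the same address set, something on the
    resolution path is synthesizing answers (wildcard redirection)."""
    results: Dict[str, List[str]] = {}
    for _ in range(probes):
        name = nonce_name(tld)
        results[name] = sorted(resolve(name))
    answers = [tuple(addrs) for addrs in results.values() if addrs]
    redirected = len(answers) == probes and len(set(answers)) == 1
    return {
        "tld": tld,
        "probes": results,
        "redirected": redirected,
        "sink": list(answers[0]) if redirected else None,
    }


def sender_domain_resolves(domain: str, resolve: Resolver) -> bool:
    """One of the "email related issues": a mail server that rejects senders
    whose domain does not resolve can no longer tell a typo domain from a
    real one once the TLD answers every query."""
    return bool(resolve(domain))


if __name__ == "__main__":
    fake = make_fake_resolver({"example": "192.0.2.1"})  # constructed sink
    for tld in ("example", "test"):
        print(detect_redirection(tld, fake))
    # With the wildcarded TLD, a misspelled sender domain now "exists":
    print(sender_domain_resolves("misspelled-sender.example", fake))
```

To run the probe against a live resolver path, pass `system_resolver` instead of the constructed one; a `redirected` result with a populated `sink` is the address that every unresolvable name under that TLD is being steered to, which is the value a mail filter or monitoring rule would want to treat as "no such name".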

As part of my commentary on the SANS Newsbites newsletter, I said this about that:

Pescatore – There are some positive uses of top level DNS redirect, where the revenue from redirecting unresolvable queries to advertising pages subsidizes free security features. However, there are also many negative aspects that weaken security overall, like email-related issues. While I’d really like to see DNS services be as tightly controlled as wired telephone number lookup services, I think the world has changed. We are probably better off seeing ICANN recommend some strict guidelines around TLD DNS redirection rather than trying to outright ban the practice.

Back in 2003, Gartner analyst Lydia Leong wrote a research note against this practice when Verisign started its widely vilified Site Finder service, so I forwarded the above to Lydia and she has blogged here reiterating the problems that TLD DNS redirection causes. In general, Lydia and I are in agreement that top level DNS redirection has more bad aspects than good, but it is likely a genie that isn’t going back into the bottle. Lydia leans more towards stopping the practice, while I lean more towards allowing it with some standards applied. Here’s why:

Last year I blogged about the real need for industrial strength domain name services. But at the end of that post I noted: “The directory problem – where is the trusted source to find email addresses or web sites? – is a whole nuther thing. We all seem to accept, and some even prefer, that cell phones don’t have directory services – the Internet isn’t going to be any better any time soon.” I expanded on this directory services issue in a blog post early this year about how the “key ring o’ trust” approach is supplanting centralized directory services:

This is basically the old PGP Keyring o’ trust approach that got pooh-poohed in the PKI heyday. But the social networking friends list and the IM buddies list have followed the cellphone model – no directories, just ring o’ trust. The problems of “key” update complexity didn’t faze anyone – avoiding the inconveniences and rigidity of central control triumphed. That model will continue to fight centralized and federated models, especially as the coming generation of folks who have grown up directory-less dominate the work force.

This is what’s driving me to believe we need to harness this DNS redirection capability rather than try to stop it. When used right, it can basically be a ring o’ trust mechanism – if I trust a DNS service provider, it can steer me away from dangerous sites or indicate to me trusted sites, etc.

While in general I’m leery of relying on advertising-funded security features, the typo redirection approach that uses “tasteful/safe” ad revenue to cover costs does sort of represent the Internet way of doing things. In reality, it’s also how it worked in the telephone directory system in the good old days of regulated telephony – ads in the Yellow Pages were a huge cash cow that supported free directory services.

At the TLDs there are many sensitive and critical issues to be dealt with – the possibilities for abuse are enormous, and Lydia points out many of the ripple effects on things other than human-driven web queries that break when TLD DNS redirection happens. So, I’d rather see ICANN push for a SIG or working group to define requirements for how TLD DNS redirection should be done to maximize the benefit and minimize the potential for evil.
