Verizon's DNS Policy May Be Bad, But It's Not A Network Neutrality Violation

from the red-herring dept

Wed, Nov 14th 2007 8:49pm — Timothy Lee

While Comcast has been getting a lot of flack for blocking BitTorrent, some network neutrality activists have also been calling out Verizon for the way its DNS servers work. The DNS specification requires that servers return an error if the user tries to look up an invalid domain name. Instead, Verizon's DNS servers re-direct users who mistype an address to a Verizon-branded search page where Verizon gets to display advertising. (Incidentally, my ISP, Charter, does the same thing.) I agree with Ed Felten that this "feature" is obnoxious, especially because it can break applications that expect to receive DNS error messages. But I don't think it's really a network neutrality issue. Verizon's DNS server does not "block, interfere with, discriminate against, impair, or degrade" anyone's access to Internet content or services, which was the standard proposed in last year's Snowe-Dorgan legislation. Users who type correct URLs aren't impeded in any way from accessing the sites they want to visit. Responding to a failed DNS query with a search page is probably a bad idea, but it's very different from "redirecting a user from Google's search page to Verizon's," which the article implies Verizon might do in the future. Moreover, it's worth keeping in mind that you're not required to use your ISP's DNS server at all. ISPs provide DNS servers as a courtesy, the same way they might provide you with a free email account. But you don't have to use it. You're free to point your computer to another DNS server, such as OpenDNS, just as you can use a third-party email service such as GMail. And if you do that, the settings of Verizon's DNS server won't affect you at all. It's definitely fair to criticize Verizon for failing to follow the DNS specification, but calling it a network neutrality issue is a bit of a red herring.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dns, network neutrality
Companies: verizon

31 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 14 Nov 2007 @ 9:38pm

Yeah, but if you switch to OpenDNS, they support themselves by serving their own pages with ads on failed lookups, too. So that's not going to solve any technical problems such "results" might cause in some circumstances and it then becomes an issue of whether you want to give Verizon's ad department your eyeballs or OpenDNS's.

Now, I do use OpenDNS. I do this because COmcast's DNS servers were RIDICULOUS. For a period of three weeks, I could not reach ANY domain ending in google.com for about six hours (6pm to midnight) every single night. I finally switched to OpenDNS.
[ link to this | view in chronology ]
Joseph Beck, 14 Nov 2007 @ 9:46pm

Unfair
There's a term for this - typosquatting. It might not be illegal, but it is unethical.

If someone tries to visit my site but misspells the URL, I want them to see "Page Not Found" and let them try again. But instead they'll see Verizon's page, and some visitors won't understand what has happened or realize that they typed the name wrong.

This raises trademark issues as well, because Verizon will be able to make money from misspelled trademarked names.
[ link to this | view in chronology ]
Rob, 14 Nov 2007 @ 9:50pm

Shall we start a betting pool on how long until OpenDNS is blocked by the major ISPs?
[ link to this | view in chronology ]
- matt, 14 Nov 2007 @ 10:07pm
  
  Re: opendns
  sure rob, how about never? I'll put 50 bucks on that anyday, because there is absolutely nothing wrong with openDNS, makes it easier on major providers anyway.
  [ link to this | view in chronology ]
  - Benjamin M. Orsini, 14 Nov 2007 @ 10:47pm
    
    Re: Re: opendns
    Verizon makes money on those ads so why wouldn't they block OpenDNS to protect that revenue? A commenter here recently reported Comcast blocking OpenDNS. And back when I had Cox for an ISP for a while they were blocking French ISP's for political reasons. I doubt they would hesitate to block OpenDNS too.
    
    I wish I had 50 bucks for every time some loud mouth welshed on a 50 buck bet.
    [ link to this | view in chronology ]
???, 14 Nov 2007 @ 11:34pm

???
I use 4.2.2.2 a forwarder now and then it certain situations, and I have never had a page return a verizon search page.
[ link to this | view in chronology ]
Prodiem, 14 Nov 2007 @ 11:40pm

It's kinda bad but..
I use a list of the root DNS servers period. Comcast and Verizon in my area have dns servers that are hammered. Now, I am using a dns server within my firewall to cache locally.

It was a purely performance related descision, waiting 20-30 seconds for dns to resolve because providers main dns server went toes up just made the descision easy.

Netiquette does state not to do this, but I really can't find any better solutions, that have been reliable.
[ link to this | view in chronology ]
Max Powers, 15 Nov 2007 @ 12:16am

Unfair is right
I had a friend tell me about this problem when he misspelled my website URL but I didn't understand how that could happen.

I never heard of the term "typosquatting" before today. I learned something new today. And Rob, I think the betting would be too one sided.
[ link to this | view in chronology ]
martin, 15 Nov 2007 @ 2:00am

The real problem i see with that redirection is not www, but everything else. Mails for instance go to Verizon instead of being bounced.

@7: That's not just against netiquette, you hurt the network. badly. if everyone who has a dumb provider did this, no one would get resolution at all. It's like phoning up the chief justice because you think your local police force is too slow.
[ link to this | view in chronology ]
John, 15 Nov 2007 @ 3:54am

You are wrong.
I just tried it. Typed in some bogus URL on my Verizon FIOS service. Verizon took my attempt and fed it to yahoo search for me automatically. I think they are just trying to help the grandmas who don't know what they are doing.

The only ads that appear are the ads that normally appear if you type the url in a search engine.

I think you completely missed the point of what they are doing, and it's yahoo feeding ads, not verizon.
[ link to this | view in chronology ]
christopher (profile), 15 Nov 2007 @ 4:33am

Umm, I call shenanigans. Verizon DOES block your ability to use 3rd-party mail servers. GMail is web-based, son. A server at a friend's ISP, connecting over port 25, is BLOCKED by Verizon, period end of story.

Now, I use another port and so go my merry way, but Verizon, having blocked port 25, can block any ports they wish under the same guiding principle. Verizon sets limits.
[ link to this | view in chronology ]
- Tim Lee, 15 Nov 2007 @ 5:07am
  
  Re:
  Really? That would be big news if it could be confirmed. I've got Charter, which does the same thing with DNS but doesn't block third-party email.
  [ link to this | view in chronology ]
- Anonymous Coward, 15 Nov 2007 @ 7:11am
  
  Re:
  Isn't that standard practice? To (somewhat) prevent spoofing email, ISPs require outbound mail to go through in-house servers, but inbound on port 110 can be any source you have access to.
  [ link to this | view in chronology ]
  - Anonymous Coward, 15 Nov 2007 @ 6:00pm
    
    Re: Re:
    Isn't that standard practice? To (somewhat) prevent spoofing email...
    It's more to tie customers to the ISP's e-mail address and make it more difficult for them to switch providers.
    [ link to this | view in chronology ]
- Frogskins, 15 Nov 2007 @ 9:46am
  
  Re:
  You can call shenanigans all you want about Verizon blocking port 25. They do it because Verizon states quite clearly in the TOS that as a residential customer, you are not permitted to run servers. Sign up for a Verizon business DSL account and they no longer block the ports.
  [ link to this | view in chronology ]
- Anonymous Coward, 15 Nov 2007 @ 11:09am
  
  Re: Use port 465
  and encryption. It's not that hard to do and if you think that outbound mail can only go over port 25, then you are probably best off sticking to your ISPs email service/server.
  [ link to this | view in chronology ]
Mike4, 15 Nov 2007 @ 5:15am

I'm curious to try this when I go home tonight. I have Verizon FIOS (no, my house never caught on fire) and I've never noticed this. I wonder if it only applies to DSL.
[ link to this | view in chronology ]
tweak, 15 Nov 2007 @ 5:23am

It is a well established fact that Verizon blocks ports 25 and 80. However, having said that, I haven't had any trouble with anything, aside from setting up a personal web server. I use GMail through POP3, as well as the web interface, and have email from other non-Verizon providers, and have never had an issue...
[ link to this | view in chronology ]
nedu, 15 Nov 2007 @ 5:39am

DNSSEC
According to the German (.de) Registry DENIC:
Deployment of DNSSEC for .de is currently constrained by a side effect of DNSSECbis, called "zone walking". Zone walking would allow for anyone to gain access to all names within the de zone, providing keys not only to all registration data but also immediately disclosing all changes to zone data. DENIC as well as other registries (mostly, but not exclusively European ones) regard this side effect as incommensurate with data protection liabilities.

Nevertheless, DENIC does appear to support DNSSEC in principle.

Verizon's search, though, gives them a financial incentive to oppose DNSSEC deployment.

Returning a bogus A record, rather than NSEC, is inconsistent with the DNSSEC design goals.
[ link to this | view in chronology ]
A1chemyst, 15 Nov 2007 @ 5:45am

Verizon - not a new thing
This is not something others have not tried:

VeriSign tried this in 2003 and were creamed in the NetCommunity. There was talk of going to ICANN to appeal Verisign's contract. A patch to BIND was made to prevent teh redirection.

Microsoft's IE redirects bad URLS to the MSN search, but you can change that in the IE settings.

Everyone point there system to Verizon's DNS and run a program to send random URL's to the system; a few hundred every minute. That'll shut them down soon enough.
[ link to this | view in chronology ]
Haywood, 15 Nov 2007 @ 5:45am

I'm somewhat baffled as well
I've had Verizon DSL for years and haven't seen that. Perhaps it is because I use Firefox, but I get the 404 messages & such and don't even know what their search engine looks like.
[ link to this | view in chronology ]
- Tim Lee, 15 Nov 2007 @ 6:12am
  
  Re: I'm somewhat baffled as well
  I think this might only happen on their new FiOS network.
  [ link to this | view in chronology ]
Steve R. (profile), 15 Nov 2007 @ 5:45am

Where is the Demmand that Verizon Stop this Abusiv
One of my major complaint themes has been that corporations are acting unethically. Many times I have been directed to "fake" websites, either through the result of typographic errors or the simple fact that the website I was seeking no longer exists. I also have found that internet searching has been "corrupted" to return irrelevant results that appear to be relevant. While I can appreciate that corporations need to make money, it is unfortunate that corporations result to these underhanded tactics.

What I also find unfortunate, is that there is little public criticism of corporations for this abusive and secretive behavior. Sure, Verizon and Comcast are generating a lot of press on the internet and it is recognized that this behavior is abusive, but the public debate seems stuck on arguing the technical minutia of whether or not these companies are or are not violating certain technical standards.

While this debate is useful it misses the critical points that these companies are not being "transparent" or honest with the public. The "red-herring" in this case is arguing technical minutia to avoid the fact that these companies are not acting in a transparent and open manner. Companies that hide unethical practices should be exposed with demands that these abusive practices be stopped.
[ link to this | view in chronology ]
- Anonymous Coward, 15 Nov 2007 @ 5:58am
  
  Re: Where is the Demmand that Verizon Stop this Ab
  Steve,
  
  If the debate isn't well-grounded in the tech, then it just devolves into bias, prejudice and name-calling.
  [ link to this | view in chronology ]
  - Steve R. (profile), 15 Nov 2007 @ 6:29am
    
    Re: Re: Where is the Demmand that Verizon Stop thi
    I will agree that tech plays a rule, but you need to look at the results. Results are provable facts too, so it isn't bias and name-calling. If I make a mistake when typing in URL and I get my.unethicalretail.com instead of a message "Please try again" that is clearly factual proof that the the company is using technology to mislead the user.
    [ link to this | view in chronology ]
Rich Kulawiec, 15 Nov 2007 @ 8:16am

The hazards of presuming
that "web" and Internet" are synonymous.
One of the many problems with this ill-conceived idea is that it presumes that DNS is used solely to support HTTP. It's not, of course, and the impact on other protocols can be substantial.
For example, it is a best practice to refuse mail which purports to be from any host or any domain that does not resolve, or from any IP address which does not resolve to a host.
To illustrate: I get an incoming SMTP connection from 1.2.3.4. I lookup rDNS for 1.2.3.4; if that lookup fails, I 550 the connection and hang up -- the host has failed to meet minimum requirements for SMTP clients. If that lookup succeeds, I query forward DNS for the hostname I just got back, and 550 the connection if it doesn't resolve. If that test succeeds, and I allow the SMTP conversation to continue, then eventually the other side will specify a sender, say fred@flintstone.example.com. I then look up example.com; if that lookup fails, I 550 the connection and hang up -- it's foolish to accept mail from domains that don't exist. If that lookup succeeds, I pull the MX records for example.com and see if they're valid -- if they point to bogon space, I 550 the connection and hang up, because the message can't be replied to, therefore there is no point in accepting it. I might also check for flintstone.example.com -- is there an MX record for it? Is it covered by a wildcard MX? Is there an A record (so that I can fall back to that in the absence of an MX record)?
The gist is that these are all basic sanity checks designed to refuse mail that's either (a) obviously bogus or (b) coming from an incorrectly-configured host, since long experience (long painful bitter experience) has shown that the only way to get the attention of operators of such hosts is to make the problems obvious to them. These basic sanity checks have as a desirable byproduct considerable effectiveness against unwanted SMTP traffic. (Which is why some MTAs, e.g. sendmail, include them as easily-configurable options.)
Now consider what happens to them if someone starts forging DNS replies a la Verizon. Consider further what happens if those forgeries start happening with no warning. And consider still further that this is just one small example with just one of many application protocols that rely on DNS returning what it's supposed to, not what is convenient.

The bottom line is that this is a really, really bad idea executed by a company that's clearly trying to monetize DNS without regard for the degradation of service it's imposing on its own customers.
[ link to this | view in chronology ]
David Ulevitch, 15 Nov 2007 @ 10:20am

Comcast blocking OpenDNS? Nah...
As for the report above that Comcast was blocking OpenDNS -- we've never heard a single report about it. Probably some other issue related to the individual user in question.
[ link to this | view in chronology ]
- Benjamin M. Orsini, 15 Nov 2007 @ 5:56pm
  
  Re: Comcast blocking OpenDNS? Nah...
  As for the report above that Comcast was blocking OpenDNS -- we've never heard a single report about it. Probably some other issue related to the individual user in question.
  
  I'm glad to hear that.
  [ link to this | view in chronology ]
Derek Mark Edding, 16 Nov 2007 @ 5:50am

The worst thing about typo-squatting, IMO, is that it deprives me of the opportunity to fix the typo and move on. I put in a URL that was off by one letter. Then suddenly the browser is redirected off to some ridiculously long address.

If the typo was still there I could hit two keys and fix it. Since EarthLink (or Comcast) butted in, I have to start over from scratch. And if I make another typo on the last letter, it's time for some deep breathing exercises... :p
[ link to this | view in chronology ]
Mike Fratto, 5 Dec 2007 @ 5:32pm

VZ Wierdness
I am a FiOS customer and they do have a way to disable this feature by manually configuring DNS, but I was researching this while writing up a blog and I found something interesting (at least to me).

If you type in random text ending in .com or .net, it will send you to a landing page. If you type in key words like camera.photo.lens.kdhfidhufd.com, you get a host not found! There are other non-random names that will return a host not found. I don't think they are using wildcard dns (at least not as specified by rfc 1034), but something else.
[ link to this | view in chronology ]
AC, 1 Aug 2013 @ 3:41pm

Verizon using DNS to censor sites
They are now intercepting DNS queries to non-Verizon DNS servers and redirecting the query to the intentionally broken Verizon DNS servers. They are also using DNS to censor parts of websites - nytimes.com - you can reach the base address fine, but attempts to access certain pages are redirected to Verizon's fradulent advert/error page.

These blocked pages are invariably political in nature.
[ link to this | view in chronology ]