[100689] in North American Network Operators' Group


Re: Hey, SiteFinder is back, again...

daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Mon Nov 5 11:22:24 2007

Date: Mon, 5 Nov 2007 17:16:11 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Andrew Sullivan <andrew@ca.afilias.info>
Cc: nanog@merit.edu
In-Reply-To: <20071105155404.GA27714@dba3>
Errors-To: owner-nanog@merit.edu


On Mon, Nov 05, 2007 at 10:54:05AM -0500,
 Andrew Sullivan <andrew@ca.afilias.info> wrote 
 a message of 29 lines which said:

> One could argue that it is less evil to do this at recursive
> servers, because people could choose not to use that service by
> installing their own full resolvers or whatever.

It depends.

There are three possible ways for an access provider to do it, in
order of ascending nastiness:

1) Provide, by default, DNS recursors which do the mangling but also
provide another set of recursors which do the right thing (and the
user can choose, for instance via a dedicated Web interface for his
account).

2) Provide DNS recursors which do the mangling. Power users can still
install BIND on their laptop and talk directly to the root name
servers, thus wasting resources. (Variant: they can add an ORNS in
their resolving configuration file.)

3) Provide DNS recursors which do the mangling *and* block users,
either by filtering out port 53 or by giving them an RFC 1918 address
with no NAT for this port.

I've seen 1) and 2) in the wild and I am certain I will see 3) one day
or another.
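The "mangling" discussed in the message is NXDOMAIN rewriting: the recursor answers a query for a name that does not exist with an A record for a search or advertising page instead of RCODE 3. A user deciding between the provider's recursors (options 1 and 2 above) wants a quick way to tell which behaviour a given resolver has. The following is an added example, not code from the original post or from any resolver vendor: it builds a minimal RFC 1035 A query for a random label, parses the reply, and classifies the resolver as honest (NXDOMAIN, no answers) or mangling (NOERROR with an A record). The sample replies, the base domain example.com and the address 192.0.2.53 are constructed for offline use; only probe() touches the network.

```python
"""Detect NXDOMAIN rewriting ("SiteFinder"-style) by a recursive resolver."""
import os
import socket
import struct

# Constants from RFC 1035 section 4.1.1 / 3.2.2
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname: str, txid: int) -> bytes:
    """Build a minimal recursion-desired A query for qname in wire format."""
    flags = 0x0100  # QR=0, opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes):
    """Return (txid, rcode, list of A-record addresses) from a DNS reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, rcode, addrs


def classify(txid: int, response: bytes) -> str:
    """'honest' (NXDOMAIN, no data), 'mangled' (bogus A answer) or 'unexpected'."""
    rid, rcode, addrs = parse_response(response)
    if rid != txid:
        return "unexpected"  # not a reply to our query
    if rcode == RCODE_NXDOMAIN and not addrs:
        return "honest"
    if rcode == RCODE_NOERROR and addrs:
        return "mangled"
    return "unexpected"


def probe(resolver_ip: str, base_domain: str = "example.com", timeout: float = 3.0) -> str:
    """Send one live query to resolver_ip and classify the reply (needs network)."""
    txid = int.from_bytes(os.urandom(2), "big")
    qname = os.urandom(8).hex() + "." + base_domain  # random label: cannot exist
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return classify(txid, data)


# Constructed sample replies for offline use (not captured from any real resolver).
QNAME = "zz9pza.example.com"
TXID = 0x1234
QUERY = build_query(QNAME, TXID)
# Honest recursor: flags 0x8183 = QR=1 RD=1 RA=1 RCODE=3, no answer records.
HONEST_REPLY = struct.pack("!HHHHHH", TXID, 0x8183, 1, 0, 0, 0) + QUERY[12:]
# Mangling recursor: flags 0x8180 = RCODE=0, one A record whose owner name is a
# compression pointer (0xC00C) back to the question name at offset 12.
MANGLED_REPLY = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUERY[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
    + socket.inet_aton("192.0.2.53")  # hypothetical "search page" address
)

if __name__ == "__main__":
    print("honest sample :", classify(TXID, HONEST_REPLY))
    print("mangled sample:", classify(TXID, MANGLED_REPLY))
```

To test a real recursor, call probe("<resolver-ip>") with a base domain whose zone you know returns NXDOMAIN for random labels; a wildcard record in that zone would produce a false "mangled" result, which is why the check must be run against a domain you control rather than a bare TLD that might itself have a wildcard.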
