A good bit of the attention garnered by DMK’s ToorCon presentation focused on how ISPs are employing Provider-In-The-Middle Attacks (PITMAs) to collect ad-related revenue from their customers, and how security “of the web” ends up being fully gated by the security of the ad server folks. While I completely agree with this, I would emphasize (as DMK did subtly note) that, even for the attacks DMK outlined, you do NOT have to be the ISP/packet data path at all to molest Internet users, just in the DNS “control path”.
While certainly not meant to be an exhaustive list, here are five techniques that various folks in the DNS control path can employ to perform similar or adjacent questionably ethical activities.
- Domain tasting: Exploit the add grace period (AGP) and perform domain tasting. Register a domain you think to be clever or closely associated with something useful (e.g., googgle.com) — you’ve got 5 days to see how many hits you get on a site associated with some newly registered domain. If you garner enough activity to cover the domain’s registration fee, register the domain. If not, return it under the AGP policy and find some new ones, or perhaps consult a more-clever colleague for other recommendations. Expand upon this with domain kiting…
- Domain name front running: Do you run a whois server? Are you a DNS registrar? If so, engage in domain name front running. Field all the queries checking for availability of new domains, and if they’re not registered, take’m, register them yourself! Then you can park spam-like crap there, or force those unsuspecting clueless Internet users who used your site to check for availability to register them with you or not at all.
- Domain name front running enabled by non-existent domain (NXDOMAIN) data: Determine what the most common typos or queried domain names are. Register them, park’m somewhere, and collect click revenue. If you’re anywhere in the DNS query resolution path, from the local resolver to the root, you’re in the money! And you’ve even got a good source of historical data for forecasting hit rates, no need for that unnecessary domain tasting business, it’s just overhead. Got integrity issues with this? There are folks that will buy the NXDOMAIN data from you if you prefer the hands-off approach.
- Become a DNS services provider and hijack customer subdomains: Cash in on customer subdomains. Make it legal by writing some subtle contractual language (e.g., Schedule A, number 11) buried deep in the service agreement, then park a bunch of crap on generic pages within your customers domains and generate some new revenue sources.
- Synthesize DNS query responses that result in NXDOMAIN: Operate DNS resolvers? Or Authoritative DNS servers? Or TLD servers? Replace responses that would normally result in NXDOMAIN responses with wildcards to sites that contain a bunch of ad-related crap. Sit back and get fat as the money rolls in! This is most akin to what DMK was speaking off, though you might find various related mechanisms in the preceding technique as well.
What’s your DNS resolution provider’s policy with regards to handling query data or fielding responses for non-existent domains? What’s your DNS service provider’s policy? What’s your ISP’s policy? Note that not all providers maintain their own resolvers, some may use the resolvers provided by upstream ISPs, or perhaps companies expressly focused on “DNS services”.
This discussion relates closely to the “Internet transparency” comments I had yesterday. I don’t believe any of the net neutrality discussions to date include DNS providers or resolution services, nor am I convinced they should. However, I believe the scope of this to be much larger than with just the ISPs themselves.