NNSquad - Network Neutrality Squad

NNSquad Home Page

NNSquad Mailing List Information

 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ NNSquad ] Re: Comcast files "recommended practices" draft RFC with IETF for DNS Redirection

Thank you for answering my questions in some detail.  Your answers don't alleviate my concerns, but my investigation of OpenDNS's web site did not provide answers to some of the more troubling concerns about aspects of your business.

I will share some of my remaining concerns, which surround some of the more clever and non-standard aspects of your service.

1. Since you apparently have significant investors and also have a business model based on "free" service and the implication of high reliability and a fair number of employees to be paid, one wonders where the ROI comes from.  Your site doesn't explain this, and several of the features pose significant concerns.  In your mail below, you suggest that you do not record or use any of the data that you capture about customers' DNS usage, and you never will.  How, then, do your investors intend to make money?  I am skeptical of implications of eleemosynary purity.  And the following from your Privacy Policy would seem to contradict this:

Affiliated Businesses
We are affiliated with a variety of businesses and work closely with them in order to provide our services to users. We will only share personal information with affiliates to the extent that is necessary for such affiliates to provide the services. For example, when a website visitor searches on OpenDNS, the IP address and query are shared with OpenDNS's advertising partners. We require our affiliates to provide the same level of privacy protection that we do and they do not have the right to share or use personal information for any purpose other than for an authorized transaction. Some of our affiliates may be located outside of your home country; by using OpenDNS's websites, you consent to the transfer of such information to them.


2. Your claim is that you provide protection against content types and so forth.  Yet you do this at the DNS level, not at the content-addressing and naming layer.  What this means is that "adult" content on a website can cause failures to reach, for example, a non-HTTP service that is intended ONLY to accept data that happens to be hosted in the same DNS domain as some adult content.   How do you explain to your customers this "overbroad" protection associated with "host names" rather than websites?  All of your documentation focuses on "websites", which is fundamentally confusing your customers as to the actual technical impact. Regarding this "overbroadness" there is a less intrusive solution: You could have offered a web-proxy service, rather than a DNS service, which targets only web site lookups rather than all DNS lookups.  Such a solution would have perhaps been slightly more complex to implement, but would have had a variety of benefits and far fewer downsides. I would recommend it.

3. There are deep questions about how your policies of what sites are blocked are determined.  Controversial political issues such as "gay marriage" and the Armenian mass killings or discussions that target certain religious believers are not easily decided, yet your company puts itself in the position of making decisions based on these matters.  This puts your company in a legal position where it must take on liability.  Does it take this liability seriously?  When do you disclose your decisions to customers?  How?

- David


On 07/10/2009 11:49 AM, David Ulevitch wrote:
Despite what appears to be a troll, I'll reply:

1. We're the safest DNS option around.  We're the only DNS service in existence blocking the 0-day MS vulnerability ( http://voices.washingtonpost.com/securityfix/2009/07/microsoft_internet_explorer_ex.html?wprss=securityfix ) and we were the only DNS service that protected users with the Conficker A/B worms from having their infected computers phone home the botnet C&C.  This is in addition to all the other security measures we've placed in the DNS.  It's also worth nothing that outside of DJBDNS (DNS software for workstations) and PowerDNS (a niche DNS software) we were the only major DNS provider on the entire Internet, including ALL major ISPs, that was never vulnerable to the Kaminsky attack of last year.  Unlike any other DNS service or provider in the world, we let our users twiddle the knobs and buttons to get the DNS experience they want.  We don't log and sell their data, or anything like that.

2.  Of course people Opt-In to use OpenDNS.  We deliberately don't work with ISPs.  I suggest you try us out for yourself and see.  Or if you're too lazy, just use google to see what folks say about us.  The benefit of having so many users is that a large percentage of them blog and tweet about us.  You'll see the positive reviews dramatically outweigh the negative reviews.

As an aside, some of our users do turn of the nxdomain redirection service, and still use us; and that's completely fine.  It's my goal to give users the ability to control their DNS experience as they see fit.  I'm not sure how you missed that as you seem like a fairly smart dude.

But like I said at the top, I think this was a troll, so this is my one and only "bite." :-)

HAND,
David



On Jul 9, 2009, at 6:05 PM, David P. Reed wrote:

Mr. Ulevitch - I suspect "spin":

1. Please explain the odd meaning of the word "safer" implied by your statement.  If the FTC were to explore whether there is a true "safety" benefit for people, please explain the risk. implied by getting an error message from a browser that the site named does not exist?

2. And for that matter, I am not aware of 12 million people opting "in" to OpenDNS via a legally meaningful customer choice selection where the "benefit" of having names resolved to non-existent sites is explained.  It would be misleading to make the statement you make below if they were "slammed" by ISPs or other companies without their explicit consent beforehand.  Your case would be reasonable if indeed you have records of 12 million individual names who will indeed agree that they chose to use OpenDNS as a matter of free positive action.  I doubt you can produce an auditable list of such names that one can contact to verify your claim, but feel free to produce one.

On 07/09/2009 07:12 PM, David Ulevitch wrote:
I can't speak for the ISPs motivations, but you're right that they are probably driven by profits (though I'd argue they are going to be getting short-term profits and the expense of long-term unhappy customers) but I will point out that there are lots of legitimate reasons people want to do DNS error redirection.  12 million + people have opted to use the services of my company, OpenDNS, to make their internet safer and more reliable.  That's why I was willing to lend a few thoughts to the IETF document.  

-David


On Jul 9, 2009, at 2:06 PM, David P. Reed wrote:



http://tools.ietf.org/html/draft-livingood-dns-redirect-00

I note that this draft RFC proposes practices that routinely return
*valid* responses to erroneous DNS lookups, and encourage an opt-out
policy rather than an opt-in policy.

The sole justification is that the default way that a browser such as
Firefox or IE would present an error message is inadequate for users,
thus an ISP should take matters into its own hands to fix that cosmetic
problem, rather than asking the browser vendors to do a better job!

And the side effects identified do not include the impact on http
requests not generated by typing into web browsers, but instead used as
part of "web 2.0" service apis and other uses of port 80 that do not
arise from end users typing into the url bar of their browser.

One might ask why the sole justification given  for this misuse of DNS
to patch an application weakness is the only one?

And even more so, why this is such an urgent problem that ISPs must fix
it via a flawed and risky solution, rather than the makers of browsers
fixing it in the most logical place?

The potential to disrupt non web-browser features is noted in the "draft
RFC", but instead of a balanced analysis of benefits and costs to other
uses, the draft is silent.  In fact, the draft refers to this as
"enhanced" functionality.

I expect the wiser heads at the IETF to prevail....  This is a solution
to a non-existent "problem", with bad side effects.

While this is not exactly the same as directing a misdialed phone call
to call a Caribbean phone company number with the consequent  and
unavoidable billing charge to the user, it seems very close to that sort
of thing - a surprise to all application developers, and a modification
to the expected semantics of directory lookup.

  [ I agree with David.  If IETF goes along with this proposal, there
    is something very rotten in Denmark.  What's really amusing about
    the referenced document though is that for all its verbiage in
    which it tries to establish a "need" for such DNS redirect
    services -- mostly focused on highly questionable assumptions
    about malware protection and legal mandates -- it fails to
    mention the primary reason that ISPs implement DNS redirects.

    This is of course use of such DNS diversion services to create
    profit centers, by shunting users to ISP-affiliated search
    engines and affililated ad delivery services, attemping to
    monetize users' interactions with the broader Internet by
    capturing low-level transactional communications to which the ISP
    has privileged access.

        -- Lauren Weinstein
           NNSquad Moderator ]