Host: Dave Piscitello, Security and Stability Advisory Committee
Presentation: DNS Response Modification (PDF, 335K)
Video of the Adobe Connect Session: [http://icann.na3.acrobat.com/p50348028/] This is a recording of the visual part of the presentation. To follow the presentation in real time, please listen to the audio file simultaneously.
Description: The aim of this presentation is to describe the effects of DNS response modification on domain name registrants, DNS operators and Internet users, and to explore possible exploitation of the practice by bad actors. The focus will be on explaining the effects of and unintended consequences to users, domain registrants, and those who rely on non-existent domain responses for error reporting and administrative purposes.
In their preliminary report number 32, the SSAC describes the practice of DNS response modification by entrusted agents or third parties. In the first case, an entrusted agent receives a DNS query for a name. The entrusted agent determines that the name in the query does not exist in the zone file it hosts for the domain registrant, but rather than returning a DNS response indicating a non-existent name, the entrusted agent returns a response indicating that the name exists and containing an IP address mapping of the agent's choosing for the queried name. In the second case, a third party operating an iterative resolver receives NXDomain responses generated by an authoritative name server and silently alters the contents, changing the non-existent name response to one that signals that the name exists and inserting an IP address mapping of the third party's choosing for the queried name.
This behaviour is known by various labels: subdomain redirection, NXDomain redirection, NXDomain rewriting, NXDomain hijacking, subdomain hijacking, error resolution, and error marketing. These labels illustrate that the practice has commercial significance and is controversial.