.MS: Alternate Root and Monoculture as Good Things

why shouldn’t there be a .Sunshine tld? why not one for microsoft? this post is not about alternate roots or why they are bad, this post is about something else. we do need to go over some background (from my perspective) very quickly though.

icann has a steel-fist control over what happens in the dns realm. they decide what is allowed, and who gets money from it. whether it’s verisign for .com or any registrar for the domains they sell. they decide if .Sunshine should exist or not.

they decide if i can have .גדי (which if encoded correctly on your pc you can see as .Sunshine in hebrew), which would be a tld in hebrew.

there is a very good reason ‘why not’. it would be circumventing what is currently known as the dns. the root servers, the tld servers, and so on, creating confusion and chaos online, according to some (and to a level, me).

yet with the united states, via icann, controlling that system and kicking the rest of the world out, and with other countries such as china creating their own roots as a result, i see no reason why microsoft, as an organization, can’t.
microsoft in this case was an arbitrary choice by me, as an example, much like .Sunshine was.

this has been discussed to death, and in my opinion, the us has been marginalizing itself, looking at short-term income and control over long-term separation and a kick in the nuts from the rest of the world.

what i am here to discuss is why microsoft, as a non-arbitrary choice this time, indeed, of all the world, should kick it aside, creating an alternate root while at the same time not disturbing the world’s dns. they are the only ones in this world with the muscle to do it. monoculture can also be a good thing for security.

.ms – montserrat
it already exists as a cctld. shame.
they could, in all likelihood, get .msft if they tried hard enough, in the current root system. i don’t see why they should even try.

what they can do, for a rather low cost, is add something to their next operating system and web browser (vista and ie 7) to recognize .msft, and act accordingly.

there is a wonderful legacy creation, predating dns, called the hosts file. using this file, users and malware can input names to be resolved. as an example, my hosts file has an entry for the following host:

127.0.0.1 localhost

so that whenever i try to resolve localhost, i get to 127.0.0.1 which is my loopback address. the same could be done to www.google.com, pointing it to whatever address the user or malware wants it to be pointed to. this happens quite often in the malware world.
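The hosts file mechanics described above, as an added example that is not part of the original post: a small Python auditor that parses hosts-file lines the way a resolver reads them (address first, then one or more hostnames, `#` to end of line as a comment) and flags the kind of override the paragraph warns about, a public name such as www.google.com pointed at an address the user never chose. The file format is the real one; the sample hosts lines, the watchlist of names and the `.test` domains are constructed for this example.

```python
"""Audit a hosts file for overrides that look like hijacks.

Added example, not code from the original post. The hosts file syntax is the
real one; the watchlist, the sample lines and the .test domains are constructed.
"""
import ipaddress

# Constructed watchlist: public names an organisation never expects to see
# overridden locally (search engines, update servers, banks). Hypothetical.
WATCHLIST = {
    "www.google.com",
    "update.example-vendor.test",
    "login.example-bank.test",
}

# Names that must always resolve to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file; addresses come from the RFC 5737 test ranges
# and RFC 1918 private space so nothing here points at a real host.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.test           # ordinary private entry
198.51.100.7    www.google.com               # public name sent elsewhere
0.0.0.0         update.example-vendor.test   # update server blackholed
10.0.0.5        localhost                    # loopback name moved off-box
not-an-address  login.example-bank.test      # malformed line
"""


def parse_hosts(text):
    """Return a list of (line_no, address, hostnames) for each effective entry.

    Comments and blank lines are skipped. A line whose first token is not a
    valid IPv4/IPv6 address is returned with address=None so it can be reported.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            address = ipaddress.ip_address(tokens[0])
        except ValueError:
            entries.append((line_no, None, tokens))
            continue
        entries.append((line_no, address, [h.lower() for h in tokens[1:]]))
    return entries


def audit_hosts(text):
    """Return (line_no, kind, hostname, address) findings for a hosts file.

    kind is one of:
      'malformed'        the first token is not an IP address
      'localhost-moved'  a loopback name resolves to a non-loopback address
      'blocked'          a watchlisted name is sinkholed to loopback or 0.0.0.0
      'hijack'           a watchlisted name points at any other address
    Ordinary local entries produce no finding.
    """
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        if address is None:
            findings.append((line_no, "malformed", " ".join(hostnames), None))
            continue
        sinkholed = address.is_loopback or address.is_unspecified
        for host in hostnames:
            if host in LOOPBACK_NAMES and not address.is_loopback:
                findings.append((line_no, "localhost-moved", host, str(address)))
            elif host in WATCHLIST:
                kind = "blocked" if sinkholed else "hijack"
                findings.append((line_no, kind, host, str(address)))
    return findings


if __name__ == "__main__":
    for line_no, kind, host, address in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:16} {host} -> {address}")
```

The distinction between `blocked` and `hijack` matters in practice: a loopback or 0.0.0.0 sinkhole is what ad-blocking lists and some security tools legitimately write, while a watchlisted name pointed at a routable address is the phishing-style redirection the post describes and is worth an alert on its own.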

there are phishing sites, and dns hijacking is also known to happen. why risk it? why risk the root servers going down? why not create a site (at the very least) that users can safely reach regardless of what’s happening to the dns outside of their computer? whenever a user tries to go to .msft, the tld would be recognized as one belonging to microsoft, and a microsoft dns root server would be contacted. microsoft.com would still be under the control of the dns, so that wouldn’t work as well.

you could have: live.msft or msrc.msft, msn.msft, etc. microsoft could also create other tlds, and why shouldn’t they?
.live
.msrc
.msn

or just, even:
live
msrc
msft
microsoft

regardless of how far they could take this, they won’t be messing with the global root system as hey, icann is not about to add a .msft tld, right? microsoft is everywhere, and they would be serving windows users. their own clients. to their own ip addresses.

i say they should go for it. they won’t be breaking any laws nor stepping on icann’s feet. they could call it something else if dns is too loaded a word.

security and more importantly, business-wise, this can be a very cool and relatively easy “feature” to implement.

naturally, once compromised, a machine could be fooled into going elsewhere even if microsoft were to embed this deeper than the hosts file, but it would still be really neat against all the other, related, network-based attacks. it would help microsoft’s network security as well, and not just their users, depending on how they implement this.

a monoculture with windows machines everywhere is potentially dangerous: one bug or one bad patch and we are done for. why not use it for good and business while it’s here, as it is not going anywhere?

why not cisco next for their routers?
why not ebay? whether via microsoft’s new system as clients, or on their own, adding an address to the hosts file (hoping some malware doesn’t change it, and one would).

think about it.
even if it never does get implemented, it’s a pretty neat idea, in my completely unbiased opinion. :)

gadi evron,
ge@beyondsecurity.com.

  • http://www.BeyondSecurity.com Aviram

    “Yet with the United States via ICANN controlling that system, kicking the rest of the world out, ”

    Hey, if my memory serves me right, it was the US that built the Internet and invited the rest of the world *in*.

  • sunshine

    The US also lets in aliens (and not the ET type).

  • dnsapi

    hmm, “hostsfile” ? Rather old stuff..

    better use dnsapi.dll

  • http://www.circleid.com From CircleID

    # by valdis kletnieks | sep 18, 2006, 12:03 pm pdt | link

    ok sunshine. i’ll bite. i get an e-mail from somebody that says “dood. check this new update out, your site needs to install it.”. (assume it’s actually a link from somebody i actually trust enough to follow a link and not some worm claiming to be a microsoft security update).

    and the link points off to somewhere in *.ms or *.msft..

    % cat /etc/issue
    fedora core release 5.92 (fc6 test3)
    kernel \r on an \m

    *bzzt*. thank you for playing, but that url is useless to me.

  • http://www.circleid.com From CircleID

    # by sunshine | sep 18, 2006, 09:42 pm pdt | link

    well, i think fedora is kinda a linux distribution. ;)

  • http://www.circleid.com From CircleID

    # By Valdis Kletnieks | Sep 18, 2006, 11:05 pm PDT | Link

    Exactly. That’s the *point*.

    How do I access the URL if I’m not running (insert frobnitz to grant access to wonky alternate root here)? That’s the problem with *any* alternate root – it Balkanizes things.

    Another query for you – how would said Web page ever get indexed by Google? :)

  • http://www.circleid.com From CircleID

    # by sunshine | sep 18, 2006, 11:10 pm pdt | link

    that’s my point. only microsoft customers would be using it. without ever touching the dns.

  • http://www.circleid.com From CircleID

    # by sunshine | sep 18, 2006, 11:11 pm pdt | link

    it can be indexed by.. msn. :)

  • http://www.circleid.com From CircleID

    # By The Famous Brett Watson | Sep 18, 2006, 11:24 pm PDT | Link

    The problem with the “hosts” file itself—the primary reason why the domain name system was invented at all—is that it doesn’t scale. That’s why DNS is a distributed database. I seriously doubt that the hosts file can be used to extend DNS in any practical manner.

    That’s neither here nor there, because every instance of Windows contains a resolver—the software that looks up DNS and hosts file entries. Should Microsoft wish to, shall we say, “embrace and extend” the DNS, it is in the perfect position to do so. What’s lacking is any real motive. A “.msft” domain is shorter than “.microsoft.com”, but is that so great a benefit that it warrants monkeying around with the resolver?

    Two other scenarios spring to mind: Microsoft sets itself up as the only “alternative root” provider with the clout to establish critical mass rapidly, or Microsoft modifies Internet Explorer to have “Site Finder” functionality and associated ad revenue. Both of these would be obvious abuses of their monopoly position, and likely to attract legal action.

    Ultimately, however, I don’t think it’s the threat of legal action which would deter them. I believe that Microsoft’s main goal is to maximise lock-in to their product, and I simply don’t see the DNS as offering any great opportunities in that regard. I’d be genuinely surprised if they did it just for the money.

  • http://www.circleid.com From CircleID

    # by sunshine | sep 18, 2006, 11:28 pm pdt | link

    indeed, and yet it is so “cool” security-wise. why “extend” the dns? it is as unrelated as anything, if done just for their clients for support issues.

    how does it differ from the old .hlp files? these have been replaced by web page! :)

    still, it could be interesting in the search engine wars, potentially.

  • http://www.circleid.com From CircleID

    # By Valdis Kletnieks | Sep 19, 2006, 12:01 am PDT | Link

    “Only Microsoft users would be using it. Without touching the DNS”.

    And what compelling content would you put under this domain? You’re pretty much stuck with only using it for hidden under-the-cover things due to the leakage problem. It’s probably not even safe to put Windows Update out there, because even those URLs have a tendency to leak.

    Even hard-coding IP addresses in a URL isn’t as bad – if 66.257.12.19 isn’t the webserver anymore, you can serve up content that says http://66.257.12.27/ instead, and Joe User will get to the right place, and you only get screwed if Joe User decides to bookmark the link. But if their host file has the old IP address, http://neat-o.msft/ will go to the wrong place *forever* (unless you’re seriously suggesting that on a properly run system, a Joe User userid has the privs needed to update the host file).

    You apparently have never had to do a large-scale change of a hard-coded IP address for a large network (including the *very* real problem of fixing people who still haven’t gotten the news 6 months later – the support desk just *loves* that sort of call). I’ve had enough fun with that sort of mess on a 30K user network. 600 million Windows boxes that can potentially get out of sync? The mind boggles at the support issues.

    When I got on the net some 22 years ago, DNS was *just* making an appearance – specifically because there were some 6,000 machines on the net, and keeping 6,000 host files up to date was impossible. I’m pretty sure we haven’t gotten 100,000 times better at managing that sort of problem in 22 years.

    This smells a lot like a solution searching for a problem.

  • http://www.circleid.com From CircleID

    # by sunshine | sep 19, 2006, 12:06 am pdt | link

    the hosts file is an example, i am sure microsoft can do much better. if anything .msft points to their “dns” server (root?).

    leave the technology argument for later, look at merits, if you can’t find any, that’s also ok.

  • http://www.cantrell.org.uk/david/ David Cantrell

    You have two problems. With the DNS, MS can easily change where they serve their content from. eg, they could make windowsupdate.whatever point at some Akamai-a-like. If I have an IP address hardcoded in my hosts file they can’t do that.

    And secondly, everyone has to have the *entire .msft zone* in their hosts file.

    They’d be better off just making their resolver treat .microsoft as a special case.

  • sunshine

    Technology-wise this does not need to use the hosts file, nor does it need to point to everything. A website with a redirector or a root server of their own may do the trick. Or any other of a million better solutions… no?

  • http://www.circleid.com/ From CircleID

    # By Valdis Kletnieks | Sep 19, 2006, 05:27 am PDT | Link

    As the IAB said in RFC2826:

    “To remain a global network, the Internet requires the existence of a globally unique public name space. The DNS name space is a hierarchical name space derived from a single, globally unique root. This is a technical constraint inherent in the design of the DNS. Therefore it is not technically feasible for there to be more than one root in the public DNS. That one root must be supported by a set of coordinated root servers administered by a unique naming authority.

    Put simply, deploying multiple public DNS roots would raise a very strong possibility that users of different ISPs who click on the same link on a web page could end up at different destinations, against the will of the web page designers.

    This does not preclude private networks from operating their own private name spaces, but if they wish to make use of names uniquely defined for the global Internet, they have to fetch that information from the global DNS naming hierarchy, and in particular from the coordinated root servers of the global DNS naming hierarchy.”

    Read that third paragraph repeatedly until it sinks in, and remember two things: (1) Many/most corporate users won’t be able to contact this hypothetical alternate root due to firewalling issues. (2) Many users of Microsoft resources aren’t on Windows boxes (for instance, I regularly read MS KB articles on this laptop, and it’s in MS’s interest to let me keep doing so, because then I can better support my users of their products).

    The end result is that there’s no real *use* for an alternate root for MSFT that isn’t equally well served by just serving it from under the microsoft.com tree.

    Well, actually, there *is* one, but I’m guaranteed it would meet with legal opposition in the EC, and even the US DoJ would probably have to take action about it. It *would* be handy if MSFT wanted to start an AOL-style walled garden, and host all the premium content under .MSFT domain. I’m not sure how I’d make a business case for a walled garden service under current conditions – the biggest problem would be thinking of a way to *legally* attract paying customers when AOL is hemorrhaging subscribers. Trying to leverage their near-monopoly in operating systems into other fields is a big no-no. Using their dominance to snarf subscribers will bring retribution even worse than their foisting IE and WMP on people…..

  • http://www.circleid.com/ From CircleID

    # by sunshine | sep 19, 2006, 06:10 am pdt | link

    fine, do it with a redirector on a web page, or something far better. the technology doesn’t matter. honest.

    and no, this does not apply as an alternate root under the technical term, it does factually. i don’t see why microsoft couldn’t potentially start something like this for their users, on say, port 445? silly example but still. let’s create a protocol for remote help files connecting to microsoft alone, and not use it over http and port 80. look at it as a different service.

    now go back to looking at it as dns. now look at certificates. there are many certificate authorities. i suppose dns users and clients would have to support more than one root system before long anyway. internet explorer and so on would use whatever systems are popular or have been changed manually.

    this is going to happen. this is not what we are talking about here.

    what we are talking about here is, say, an internal dns server serving, say, private addresses. only on a much wider scale.

    it doesn’t need to inter-connect, and the answer to that is: tough. microsoft can do whatever they want and this does not affect the global system. if it does, please show me how as i can’t see it?

    ie sees .msft – goes to a different root system.

  • http://www.circleid.com/ From CircleID

    # By Joe Baptista | Sep 26, 2006, 01:43 pm PDT | Link

    .LOCAL The Microsoft TLD

    Microsoft in fact did create a TLD called LOCAL. This TLD caused a lot of problems for ICANN because they don’t have it in their root zone file and Microsoft machines use the TLD for many OS applications.

    The same problems apply to the Chinese TLDs. The Chinese Ministry of Industry root TLD system is the largest in operation today, next to ICANN. As a result of this the ICANN root servers are more than ever under attack by what they call bogus queries, which in fact are valid queries for TLDs the ICANN system does not see.

    I wrote an article on the subject which explains this in detail:

    They should have considered a root system at the time even though LOCAL always answers NXDOMAIN.

    Nonetheless I agree Microsoft is BIG – really BIG. This means the .LOCAL TLD which has been coded into many OSes will not in the near future be available to register at ICANN since it will never function properly due to the collision with Microsoft.

    ICANN may be big – but if it does not co-ordinate the namespace and only hoards it the net result is someday they will be irrelevant.

    regards
    Joe Baptista

  • http://www.circleid.com/ From CircleID

    # By Daniel R. Tobias | Sep 26, 2006, 05:19 pm PDT | Link

    I use the Mozilla browser, so I guess I’m another one of those for whom addresses using this proposed proprietary system aren’t accessible. Why go to browser and OS-specific addressing instead of a neutral, universal system? That would be a giant leap backward.

  • http://www.circleid.com/ From CircleID

    # By Valdis Kletnieks | Sep 26, 2006, 08:23 pm PDT | Link

    It’s not a giant step backward if your business model falls into either the “walled garden” or “world domination” categories. Remember – *you* have a certain vision of what “the net” should be. It’s probably similar to mine. It may even be similar to what some thinkers at some corporations wish would happen.

    Unfortunately, at least in the US, corporations are basically legally obligated to do not What Is Right, but What Generates Stockholder Value. And the current investor climate in the US is *very* skewed towards short-term returns. So taking a giant step backwards because it will boost revenue by 17% for the next 12 quarters suddenly starts looking like a reasonable way to do things….

  • http://www.sumudra.co.uk charlie

    I have truly enjoyed going through the stuff and I really appreciate for sharing it across, thank you